A new and malicious strain of ransomware called Bad Rabbit began spreading on Tuesday, October 24th, with most of the reported infections seen in Russia. However, because Bad Rabbit is self-propagating and can spread across corporate networks, international organizations should remain particularly vigilant.
A small number of infection attempts have been logged in Ukraine as well. CERT-UA, the Ukrainian Computer Emergency Response Team, said there had been a “massive distribution” of Bad Rabbit in the country. An earlier bulletin from the agency said the Odessa airport and Kiev subway had been affected by a cyber attack but didn’t specify if Bad Rabbit had been involved. It has since been confirmed that Bad Rabbit was, in fact, the culprit.
First Russia, Then Ukraine, Now the US: US Department of Homeland Security Issues Warning
Early Wednesday morning, leading anti-virus security company, Avast, reported that the Bad Rabbit virus had made its way to the US. Though specific breach details are difficult to come by, the US Department of Homeland Security (DHS) issued a warning about Bad Rabbit yesterday stating:
“US-CERT has received multiple reports of Bad Rabbit ransomware infections in many countries around the world. This suspected variant of Petya ransomware is malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”
DHS urged individuals and businesses to take notice and be vigilant in the face of this latest malware attack. To combat the threat, DHS is urging IT professionals to review US-CERT Alerts TA16-181A and TA17-132A, each of which describes recent ransomware events.
While cybercriminals can often be hard to track and prosecute, DHS is urging professionals to recognize the importance of making explicit reports in the case of an attack. The organization asked any potential victims of Bad Rabbit to report ransomware incidents to the Internet Crime Complaint Center (IC3) immediately.
Remember the Petya Virus Back in June? Bad Rabbit is Similar and Just as Malicious
Bad Rabbit has many similarities to the Petya outbreak of June 2017. Both malware families use a similar style of ransom demand and employ a self-spreading mechanism. Both threats also contain a component that overwrites the master boot record (MBR) of an infected computer.
However, while Petya uses the EternalBlue exploit to spread in addition to classic SMB network spreading techniques, Bad Rabbit doesn’t use EternalBlue and only employs the latter technique. Secondly, Petya was technically a wiper rather than ransomware, since there was no way of retrieving a decryption key. Our analysis of Bad Rabbit confirms that it is not a wiper and encrypted data is recoverable if the key is known.
One of the most notable aspects of Bad Rabbit is its use of at least three third-party open-source tools. Aside from Mimikatz, Bad Rabbit also uses the open-source encryption tool DiskCryptor to perform encryption. It also uses drivers from ReactOS, an open-source alternative to Windows, thus reducing the amount of detectable suspicious activity on an infected computer.
Breaking Down the Bad Rabbit: How Does the Malware Invade Business Networks?
The initial infection takes hold of networks through drive-by downloads on compromised websites. The malware is disguised as a fake update to Adobe Flash Player, designed specifically to dupe victims into infecting their machines. The download originates from a domain named 1dnscontrol[dot]com, although visitors may have been redirected there from another compromised domain.
Once installed on a victim’s computer, Bad Rabbit attempts to spread itself across the network via SMB (Server Message Block). To obtain the necessary credentials, Bad Rabbit comes packaged with a version of Mimikatz, a credential-dumping tool capable of changing privileges and recovering Windows passwords in plaintext. The malware also carries a hardcoded list of commonly used default credentials, which it tries against other machines on the network for even easier access.
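The lateral-movement behaviour described above (one newly infected host trying a short list of usernames and passwords against many neighbours over SMB) leaves a distinctive trail in Windows security logs: a burst of failed logons (event ID 4625) from a single source address across several accounts and several target hosts within a short window, often followed by a successful logon (4624) from the same source. The following detector is an added example, not code from the original article or from Symantec; it runs over a constructed, simplified event format (timestamp, event ID, source IP, target host, target user) rather than real exported logs, and the window and thresholds are assumptions a defender would tune for their own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields:
#   timestamp  event_id  source_ip  target_host  target_user
# 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = """\
2017-10-24T10:00:01 4624 10.0.0.7 FS01 jsmith
2017-10-24T10:00:05 4625 10.0.0.5 WS02 administrator
2017-10-24T10:00:06 4625 10.0.0.5 WS02 admin
2017-10-24T10:00:07 4625 10.0.0.5 WS03 administrator
2017-10-24T10:00:08 4625 10.0.0.5 WS03 user
2017-10-24T10:00:09 4625 10.0.0.5 FS01 root
2017-10-24T10:00:10 4625 10.0.0.5 FS01 guest
2017-10-24T10:00:11 4624 10.0.0.5 FS01 backup
2017-10-24T10:05:00 4625 10.0.0.9 WS04 jdoe
2017-10-24T10:07:00 4625 10.0.0.9 WS04 jdoe
"""

# Assumed tuning values; adjust to the noise level of your own network.
WINDOW = timedelta(seconds=60)   # sliding window for counting failures
MIN_DISTINCT_USERS = 4           # many accounts tried from one source...
MIN_DISTINCT_HOSTS = 2           # ...against more than one target host


def parse_events(text):
    """Parse the simplified event lines into sorted (ts, id, src, host, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, host, user = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), src, host, user))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events):
    """Flag source IPs whose failed logons within WINDOW span many users and hosts.

    Returns {source_ip: summary}; each source is reported once, at the moment
    it first crosses both thresholds.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, host, user) failures in window
    alerts = {}
    for ts, eid, src, host, user in events:
        if eid != 4625:
            continue
        q = recent[src]
        q.append((ts, host, user))
        while q and ts - q[0][0] > WINDOW:   # drop failures older than the window
            q.popleft()
        users = {u for _, _, u in q}
        hosts = {h for _, h, _ in q}
        if (len(users) >= MIN_DISTINCT_USERS and len(hosts) >= MIN_DISTINCT_HOSTS
                and src not in alerts):
            alerts[src] = {
                "first_seen": q[0][0].isoformat(),
                "users": sorted(users),
                "hosts": sorted(hosts),
                "failures": len(q),
            }
    return alerts


def successes_after_spray(events, alerts):
    """List successful logons (4624) from a flagged source after its spray began.

    A success here is the strongest signal: the guessing worked and the
    source now has a foothold on that host.
    """
    hits = []
    for ts, eid, src, host, user in events:
        if eid == 4624 and src in alerts and ts.isoformat() >= alerts[src]["first_seen"]:
            hits.append((src, host, user))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = detect_spray(evs)
    for src, info in found.items():
        print(f"spray from {src}: {info}")
    for src, host, user in successes_after_spray(evs, found):
        print(f"  successful logon after spray: {src} -> {host} as {user}")
```

On the sample data, 10.0.0.5 is flagged after its fifth failure (four distinct accounts across three hosts inside a minute), while 10.0.0.9, which fails twice for one account five minutes apart, is not. The subsequent 4624 from 10.0.0.5 to FS01 is the event that should drive containment of that host.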
Once Bad Rabbit gains access, it works swiftly to encrypt the contents of the computer and asks for a payment of 0.05 bitcoins, or about $280 (£213), according to recent reports. Even worse? Once the ransom demand has been made, a countdown begins flashing on the screen, urging victims to pay up before the clock runs out. If payment isn’t made before the countdown expires, the ransom amount increases.
However, take note of this word to the wise: victims are strongly encouraged not to pay ransom demands. Why not? For one, there is absolutely no guarantee that payment will restore data access. Secondly, much like the refusal to negotiate with terrorists, refusing to pay discourages criminals from mounting similar attacks in the future. If victims don’t pay, cybercriminals will realize their attempts at robbery won’t pay off.
Endangered Data: Understanding How Bad Rabbit Deploys Encryption
Once it is installed, Bad Rabbit will search for and encrypt machine data. Bad Rabbit takes no prisoners once the invasion is complete and all files bearing the following extensions are up for grabs:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Unlike most ransomware infections, the encrypted files aren’t given a special extension. Instead, to check whether a file has already been processed, the ransomware appends a special marker at the end of each encrypted file: a Unicode “encrypted” string.
Once individual files are encrypted, Bad Rabbit will then perform a full disk encryption. After the system is restarted, a ransom note is displayed, demanding bitcoin payment for decryption.
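Because Bad Rabbit leaves file names and extensions unchanged, a responder cannot tell affected files apart by listing a directory; the only file-level indicator the article gives is the Unicode “encrypted” marker appended to each processed file. The scanner below is an added example (not code from the article or from Symantec) that walks a tree, restricts itself to the extension list quoted above, and reads only the last bytes of each candidate file to classify it as marked or untouched. It assumes the marker is the string “encrypted” in UTF-16LE (18 bytes); the sample files it builds in a temporary directory are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# The extension list quoted in the article.
TARGET_EXTENSIONS = frozenset("""
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer
.cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg
.eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key
.mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf
.p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc
.pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox
.vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work
.xls .xlsx .xml .xvd .zip
""".split())

# Assumption: the "Unicode" marker is the string "encrypted" encoded as UTF-16LE.
MARKER = "encrypted".encode("utf-16-le")   # 18 bytes


def has_marker(path):
    """True if the file ends with the marker. Reads only the tail, so large files are cheap."""
    path = Path(path)
    size = path.stat().st_size
    if size < len(MARKER):
        return False
    with path.open("rb") as f:
        f.seek(size - len(MARKER))
        return f.read(len(MARKER)) == MARKER


def scan(root):
    """Classify every targeted-extension file under root.

    Returns (marked, unmarked): sorted POSIX-style paths relative to root.
    Files with non-targeted extensions are ignored, since the marker is only
    meaningful for files the malware would have processed.
    """
    root = Path(root)
    marked, unmarked = [], []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        rel = p.relative_to(root).as_posix()
        (marked if has_marker(p) else unmarked).append(rel)
    return sorted(marked), sorted(unmarked)


def build_demo_tree(root):
    """Write constructed sample files covering the cases the scanner must handle."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx").write_bytes(b"\x00" * 64 + MARKER)  # marked, targeted
    (root / "docs" / "notes.txt").write_bytes(b"plain text" + MARKER)   # marked, but .txt is not targeted
    (root / "docs" / "budget.xlsx").write_bytes(b"untouched spreadsheet bytes")  # targeted, clean
    (root / "backup.bak").write_bytes(os.urandom(32) + MARKER)          # marked, targeted
    (root / "tiny.key").write_bytes(b"ab")                              # shorter than the marker


def demo():
    """Build the sample tree in a temp dir, scan it, and clean up."""
    tmp = tempfile.mkdtemp(prefix="badrabbit_demo_")
    try:
        build_demo_tree(tmp)
        return scan(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    marked, unmarked = demo()
    print("marked:  ", marked)
    print("unmarked:", unmarked)
```

In an incident, the marked list scopes which files are unrecoverable without the key and therefore need restoring from backup; the unmarked list, if the host was isolated mid-run, is what is still worth preserving before any cleanup touches the disk.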
Symantec’s Swift Response: Protections in Place for Symantec Users
Symantec customers can breathe a sigh of relief knowing that they are indeed protected against Bad Rabbit activity. Symantec has a variety of anti-virus, advanced machine learning, behavior detection, network protection and data security tools in place to keep users safe. For full details, check out the list of Symantec protection updates below:
- SONAR behavior detection technology updates
- Advanced machine learning updates
- Network protection products
- Malware Analysis Appliance detects activity associated with Bad Rabbit
- Customers with WebPulse-enabled products are protected against activity associated with Bad Rabbit
- Data Center Security products
Staying Vigilant, Aware and Prepared: Staying Tuned in Is the Best Defence Against Cyber Infections
Business organizations are particularly vulnerable to threats like Bad Rabbit because of the infection mechanism it deploys. Once one computer on a network becomes infected, Bad Rabbit will attempt to copy itself to other computers on the network, which could do serious damage to poorly secured networks.
As news around Bad Rabbit continues to develop, US business professionals should be on high alert – working deliberately to monitor and protect their business networks and implement security measures like those outlined by Symantec above. Be wary of Adobe Flash download prompts. Talk to other business professionals to spread the word.
If you’re worried you’ve been affected or could be affected, reach out to a local cybersecurity expert for guidance and consultation. When professionals band together proactively, cybercriminals can and will be stopped in their tracks. Until then, stay alert, stay vigilant and stay tuned for more Symantec updates.