A new and malicious strain of ransomware called Bad Rabbit began spreading this past Tuesday, October 24th, with most of the reported infections seen in Russia. However, because Bad Rabbit is self-propagating and can spread across corporate networks, international organizations should remain particularly vigilant.
A small number of infection attempts have been logged in Ukraine as well. CERT-UA, the Ukrainian Computer Emergency Response Team, said there had been a “massive distribution” of Bad Rabbit in the country. An earlier bulletin from the agency said the Odessa airport and Kiev subway had been affected by a cyber attack but didn’t specify if Bad Rabbit had been involved. It has since been confirmed that Bad Rabbit was, in fact, the culprit.
First Russia, Then Ukraine, Now the US: US Department of Homeland Security Issues Warning
Early Wednesday morning, the anti-virus company Avast reported that Bad Rabbit had made its way to the US. Though specific breach details are difficult to come by, the US Department of Homeland Security (DHS) issued a warning about Bad Rabbit yesterday, stating:
“US-CERT has received multiple reports of Bad Rabbit ransomware infections in many countries around the world. This suspected variant of Petya ransomware is malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”
DHS urged individuals and businesses to take notice and be vigilant in the face of this latest malware attack. To combat the threat, DHS is urging IT professionals to review US-CERT Alerts TA16-181A and TA17-132A, each of which describes recent ransomware events.
While cybercriminals can often be hard to track and prosecute, DHS is urging professionals to recognize the importance of making explicit reports in the case of an attack. The organization asked any potential victims of Bad Rabbit to report ransomware incidents to the Internet Crime Complaint Center (IC3) immediately.
Bad Rabbit has many similarities to the Petya virus outbreak of June 2017. Both malware families use a similar style of ransom demand and employ a self-spreading mechanism. Both threats also contain a component that targets the master boot record (MBR) of an infected computer, which overwrites the existing MBR.
However, while Petya uses the EternalBlue exploit to spread in addition to classic SMB network spreading techniques, Bad Rabbit doesn’t use EternalBlue and only employs the latter technique. Secondly, Petya was technically a wiper rather than ransomware, since there was no way of retrieving a decryption key. Our analysis of Bad Rabbit confirms that it is not a wiper and encrypted data is recoverable if the key is known.
One of the most notable aspects of Bad Rabbit is its use of at least three third-party open-source tools. Aside from Mimikatz, Bad Rabbit also uses the open-source encryption tool DiskCryptor to perform encryption. It also uses drivers from ReactOS, an open-source alternative to Windows, thus reducing the amount of detectable suspicious activity on an infected computer.
Breaking Down the Bad Rabbit: How Does the Malware Invade Business Networks?
The initial infection takes hold of networks through drive-by downloads on compromised websites. The malware is disguised as a fake update to Adobe Flash Player, designed specifically to dupe victims into infecting their machines. The download originates from a domain named 1dnscontrol[dot]com, although visitors may have been redirected there from another compromised domain.
Once installed onto a victim’s computer, Bad Rabbit attempts to spread itself across their network via SMB (Server Message Block). In order to obtain the necessary credentials, Bad Rabbit comes packaged with a version of Mimikatz, a hacking tool capable of changing privileges and recovering Windows passwords in plaintext. The malware also uses a hardcoded list of commonly used default credentials to attempt to guess passwords for even easier access.
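The SMB spreading described above relies on guessing or reusing credentials, which from the defender's side shows up as a burst of failed network logons from a single host, sometimes followed by a success. The following is an added example, not code from the original article or from Symantec: it runs a simple credential-spray detector over constructed sample records shaped like fields from the Windows Security log (event 4625 = failed logon, 4624 = successful logon, logon type 3 = network logon, which SMB authentication produces). The usernames, addresses, timestamps and the threshold of five failures in sixty seconds are made up for the illustration and are not Bad Rabbit's hardcoded credential list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like fields from the
# Windows Security log: event 4625 = failed logon, 4624 = successful logon,
# logon type 3 = network logon, which is what SMB authentication produces.
# Usernames and addresses are made up; they are not Bad Rabbit's credential list.
SAMPLE_EVENTS = [
    {"ts": "2017-10-24T10:00:01", "event_id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"ts": "2017-10-24T10:00:02", "event_id": 4625, "src": "10.0.0.15", "user": "Admin", "logon_type": 3},
    {"ts": "2017-10-24T10:00:02", "event_id": 4625, "src": "10.0.0.15", "user": "Guest", "logon_type": 3},
    {"ts": "2017-10-24T10:00:03", "event_id": 4625, "src": "10.0.0.15", "user": "User", "logon_type": 3},
    {"ts": "2017-10-24T10:00:03", "event_id": 4625, "src": "10.0.0.15", "user": "root", "logon_type": 3},
    {"ts": "2017-10-24T10:00:04", "event_id": 4624, "src": "10.0.0.15", "user": "backup", "logon_type": 3},
    {"ts": "2017-10-24T10:05:00", "event_id": 4625, "src": "10.0.0.42", "user": "jsmith", "logon_type": 3},
    {"ts": "2017-10-24T10:30:00", "event_id": 4625, "src": "10.0.0.42", "user": "jsmith", "logon_type": 3},
    {"ts": "2017-10-24T10:31:00", "event_id": 4625, "src": "10.0.0.7", "user": "alice", "logon_type": 2},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_spray_sources(events, threshold=5, window_seconds=60):
    """Flag source hosts that produced at least `threshold` failed network
    logons inside any `window_seconds` window. For each flagged host, report
    how many failures made up the burst, which usernames were tried, and
    whether a successful network logon from the same host followed it (the
    sign that one of the guesses worked)."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 3:
            continue  # interactive (type 2) logons are out of scope here
        per_src[ev["src"]].append((_parse_ts(ev["ts"]), ev["event_id"], ev["user"]))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, rows in per_src.items():
        rows.sort()
        failures = [(ts, user) for ts, eid, user in rows if eid == 4625]
        burst = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in window_seconds.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                break
        if burst is None:
            continue
        last_failure = burst[-1][0]
        succeeded_after = any(eid == 4624 and ts >= last_failure for ts, eid, _ in rows)
        findings[src] = {
            "failures": len(burst),
            "users": sorted({user for _, user in burst}),
            "succeeded_after": succeeded_after,
        }
    return findings


if __name__ == "__main__":
    for src, info in find_spray_sources(SAMPLE_EVENTS).items():
        print(src, info)
```

In the sample, only 10.0.0.15 is flagged: five distinct usernames fail within two seconds and a successful network logon follows, which is the pattern worth an immediate look. The two spaced-out failures from 10.0.0.42 look like a user mistyping a password and stay below the threshold; tune `threshold` and `window_seconds` to the noise level of your own environment.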
Once Bad Rabbit gains access, it works swiftly to encrypt the contents of a computer and asks for a payment of 0.05 bitcoins, or about $280 (£213), according to recent reports. Even worse, once the ransom demand has been made, a countdown flashes on the screen, urging victims to pay up before the clock runs out. If payment isn’t made before the deadline, the ransom amount increases.
However, take note of this word to the wise: victims are strongly encouraged not to pay ransom demands. Why not? For one, there is absolutely no guarantee that the payment will restore data access. Secondly, much like the refusal to negotiate with terrorists, refusing to pay the ransom discourages criminals from using similar attacks in the future. If victims don’t pay, cybercriminals will realize their attempts at robbery won’t pay off.
Once it is installed, Bad Rabbit will search for and encrypt machine data. Bad Rabbit takes no prisoners once the invasion is complete and all files bearing the following extensions are up for grabs:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Unlike most ransomware infections, the encrypted files aren’t given a special extension. Instead, to check whether a file has already been processed, the ransomware appends a marker to the end of each encrypted file: the Unicode string “encrypted”.
Once individual files are encrypted, Bad Rabbit will then perform a full disk encryption. After the system is restarted, a ransom note is displayed, demanding bitcoin payment for decryption.
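Because the encrypted files keep their original names and extensions, a responder triaging a machine after the per-file stage needs another way to tell which files were touched; the trailing marker described above gives one. The following is an added example, not code from the original article or from Symantec: it walks a directory tree, considers only files with the extensions listed above, and reports which of them end with the marker. It assumes the “Unicode ‘encrypted’ string” is UTF-16LE, the native wide-character encoding on Windows, which the article does not state explicitly; the small directory it builds to run against is constructed for the illustration.

```python
import os
import tempfile

# Assumption (not stated in the article): "Unicode" here means UTF-16LE, the
# native wide-character encoding on Windows. If the marker turns out to use a
# different encoding, only this constant needs to change.
MARKER = "encrypted".encode("utf-16-le")

# Extension list as given in the article.
TARGET_EXTENSIONS = set("""
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer
.cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg
.eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key
.mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf
.p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc
.pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox
.vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls
.xlsx .xml .xvd .zip
""".split())


def has_marker(path):
    """True if the file ends with the marker the ransomware appends."""
    size = os.path.getsize(path)
    if size < len(MARKER):
        return False  # too short to carry the marker at all
    with open(path, "rb") as f:
        f.seek(size - len(MARKER))  # only the tail is read, so large files are cheap
        return f.read(len(MARKER)) == MARKER


def scan_tree(root):
    """Walk root and return (marked, unmarked) lists of paths relative to root,
    limited to files whose extension is on the target list."""
    marked, unmarked = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue  # extension not targeted; the ransomware skips it
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            (marked if has_marker(full) else unmarked).append(rel)
    return sorted(marked), sorted(unmarked)


def build_sample_tree():
    """Constructed fixture (not real victim data): a temporary directory with
    marked, untouched, too-short and out-of-scope files."""
    root = tempfile.mkdtemp(prefix="badrabbit-demo-")
    files = {
        "invoice.docx": b"PK\x03\x04 fake docx body" + MARKER,  # marked
        "photo.jpg": b"\xff\xd8 fake jpeg body" + MARKER,       # marked
        "report.pdf": b"%PDF-1.4 fake pdf body",                # untouched
        "short.doc": b"tiny",                                   # shorter than the marker
        "notes.txt": b"not on the extension list" + MARKER,     # ignored: .txt not targeted
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    marked, unmarked = scan_tree(root)
    print("marked:", marked)
    print("unmarked:", unmarked)
```

Two caveats apply in practice. A legitimate file that happens to end with those eighteen bytes would be a false positive, so treat the result as a triage list rather than proof. And the check only helps for the per-file stage: once the full-disk encryption described next has completed and the machine has rebooted, the volume is no longer readable and the scan cannot run against it.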
Symantec’s Swift Response: Protections in Place for Symantec Users
Symantec customers can breathe a sigh of relief knowing that they are indeed protected against Bad Rabbit activity. Symantec has a variety of anti-virus, advanced machine learning, behavior detection, network protection and data security tools in place to keep users safe. For full details, check out the list of Symantec protection updates below:
Staying Vigilant, Aware and Prepared: Staying Tuned in Is the Best Defence Against Cyber Infections
Business organizations are particularly vulnerable to threats like Bad Rabbit because of the infection mechanism it deploys. Once one computer on a network becomes infected, Bad Rabbit will attempt to copy itself to other computers on the network, which could do serious damage to poorly secured networks.
As news around Bad Rabbit continues to develop, US business professionals should be on high alert – working deliberately to monitor and protect their business networks and implement security measures like those outlined by Symantec above. Be wary of Adobe Flash download prompts. Talk to other business professionals to spread the word.
If you’re worried you’ve been affected or could be affected, reach out to a local cybersecurity expert for guidance and consultation. When professionals band together proactively, cybercriminals can and will be stopped in their tracks. Until then, stay alert, stay vigilant and stay tuned for more Symantec updates.