On Tuesday, October 24th, “Bad Rabbit,” the latest ransomware worm, started in Russia and Ukraine and spread to the Middle East, Asia, other parts of Europe, and the United States. So, what is this new virus spreading like wildfire, and how are IT professionals planning to tackle the ransomware?
Bad Rabbit is a ransomware strain whose source code is similar to NotPetya’s. It encrypts your files and demands a payment in exchange for a decryption key to get your files back. This particular variant asks for bitcoin, typically 0.05 BTC (about $286). The infection was first found on some Russian-language news sites. One of these sites appears to have been actively infecting visitors even while it ran a report on the infection. The site then suggests that the user update Adobe Flash.
If the user then clicks Install, the ransomware is installed on the computer and begins encrypting files. Malwarebytes blogged that, due to similarities in code, this looks to be the work of the same authors as Petya and NotPetya. The difference is that the kernel, the bones behind all of this, uses a much more advanced disk encryptor, a free and open-source encryption system from Microsoft. This encryptor masks itself as a legitimate driver. The malicious software also replaces the MBR (Master Boot Record), so each user has to buy two keys to decrypt and regain access to their system. This variant can spread laterally across networks via WMI without further user interaction, and it also appears to specifically target corporate networks.
So, how do you prevent this attack from happening?
According to this article, most antivirus programs will detect and stop Bad Rabbit. However, it’s important to note a few things about this claim. The antivirus programs used in the test are not identified (except Windows Defender). I can guarantee you that the antivirus products tested were up to date and activated. In other words, if you’re running an AVG, Norton, Malwarebytes, Avast, etc. antivirus that is out of date and whose subscription has expired, there’s a much higher chance that your program would not stop an infection like this. Our best recommendation is to make sure you have a legitimate antivirus installed on your devices; ensure it’s activated (this does not specifically mean a paid version, but if you have a paid version, make sure the subscription is active); and confirm it’s up to date and scans frequently. Watch where you’re clicking. If anything appears off about where you’re browsing or what you’re seeing, get out immediately and initiate a scan of your computer.
If you are a business owner, tech consultant, or cybersecurity consultant for a business, put your cyber awareness program into play and verify that your users are trained on what to look out for with Bad Rabbit. Only trust sites that you know. With regard to web browsing, when in doubt, CLOSE IT OUT! Don’t take the chance. It has been proven that blocking execution of the files “C:\windows\infpub.dat” and “C:\Windows\cscc.dat” can prevent infection. Also, to prevent lateral spread through the network, disable the WMI service if it is not required in your network, and double-check your password policy or run a scan for weak passwords. The program uses a list of weak, common passwords to brute-force its way across the network.
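The two host-level mitigations just described, blocking execution of the two .dat files and optionally disabling WMI, as an added PowerShell example (not from the original post or any vendor); it assumes it is run in an elevated PowerShell session and that `icacls` is available, as it is on any supported Windows build.

```powershell
# Added example: apply and verify the Bad Rabbit host mitigations named in the post.
# Run from an elevated (Administrator) PowerShell session.
param(
    # Only set this on hosts where WMI is genuinely not needed; disabling it
    # breaks remote management, SCCM, monitoring agents and many scripts.
    [switch]$DisableWmi
)

# File paths exactly as given in the post (paths are case-insensitive on NTFS).
$BlockedFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Block-BadRabbitFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty placeholder so the dropper cannot write its own copy here.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Strip inherited ACEs, then explicitly deny execute and write to Everyone.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /deny 'Everyone:(X,W)' | Out-Null
}

function Test-BadRabbitFileBlocked {
    param([string]$Path)
    # Verified when the file exists and its ACL carries a Deny entry for Everyone.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone'
    }
    return [bool]$deny
}

foreach ($f in $BlockedFiles) {
    Block-BadRabbitFile -Path $f
    $state = if (Test-BadRabbitFileBlocked -Path $f) { 'blocked' } else { 'NOT blocked' }
    Write-Host ("{0}: {1}" -f $f, $state)
}

if ($DisableWmi) {
    # The post's lateral-movement mitigation: stop and disable the WMI service.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
    Write-Host ("Winmgmt: {0}" -f (Get-Service Winmgmt).Status)
}
```

Run it without `-DisableWmi` first and confirm both paths report `blocked`; pass the switch only on hosts where you have confirmed nothing depends on WMI.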
How can you vaccinate?
System restore, reformat the drive, or get an incident response team in to attempt to clean the infection. What’s important to note is that bad actors are charging less to decrypt files so that users find it more cost effective just to pay rather than pay more to have someone clean the system. However, one thing to be concerned about is that if you pay and get the files back, it doesn’t remove the bad actors or anything they installed on your system. This means that they are just as likely, if not more likely, to do this again. More commonly now, ransomware bad actors are releasing users’ files if they call and complain (Hey, at least they have good customer service, right?). The same concerns still apply. There’s also no telling what information they were able to extract from your computer while it was infected. Getting your computer cleaned is still the best option, even though it may cost you more.