Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10/25/2017
05:45 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Bad Rabbit Breeds Ransomware Fears

A new breed of ransomware has hit Russia and Eastern Europe. Bad Rabbit could hop the Atlantic and wreak havoc on North American systems.

Ransomware is back in the news and this time it's not WannaCry, not Petya, not NotPetya... it's Bad Rabbit and it looks to be a very naughty bunny, indeed.

Bad Rabbit was first seen on October 24 by security firms, including Eset and Kaspersky. Kaspersky researcher Alex Perekalin wrote an early description of the malware noting that it initially enters an organization via a bogus Flash downloader that pops up and requests a manual install.

As with the earlier ransomware outbreaks of 2017, Bad Rabbit gains entry to a network through a single system then begins to spread horizontally by looking for login credentials stored on the original victim's computer. It should be noted that the malware delivery software has a list of the most common passwords, so if you know of systems in your organization that make use of these security chestnuts, now is a good time to remind users to update to the latest style of strong password for their accounts.

Bad Rabbit uses WMI (Windows Management Instrumentation) and Service Control Manager Remote Protocol to spread laterally, then uses the hard-coded list of passwords in conjunction with Mimikatz, an open source credential extraction tool, to breach the new systems.

Trend Micro is one of the companies that has identified Bad Rabbit as a Petya variant. While some researchers question how much of the code is actually taken from Petya, there seems little question that the two are philosophically related.

The hacker or hackers behind Bad Rabbit aren't going after vast sums of money from any infected individual. So far, the ransomware demands payment of 0.05 bitcoin into a Bitcoin wallet located at a Tor address on the dark web. That's about $280 at today's exchange rate, so collecting big dollars quickly isn't the point of this malware exercise.

As for what the point might be, clues can come from the location of the early infestations -- media organizations in Russia and Eastern Europe. Diruption, rather than revenue, seems the primary objective. As of this writing, there are very few infections in North America, with most infected systems remaining in Eastern Europe and Russia. Microsoft has issued a security bulletin on Bad Rabbit and US-CERT has issued an initial advisory, with advice for defense and remediation linking back to advisories on WannaCry and NotPetya.

For now, there are defensive steps to be taken. Some are obvious, and consistent between all ransomware attacks: Make sure malware defenses are updated and remind users not to do silly user things. For those who want to be more proactive, it has been reported that adding a specific file with specific permissions to a Windows system will "vaccinate" it against Bad Rabbit infection.

It is impossible to know just how widely Bad Rabbit will spread or how much damage it will do. Until the full impact is known, it seems appropriate to prepare, defend and assume that this is a very naughty bunny, indeed.

Cover Image courtesy Marit & Toomas Hinnosaar via Flickr

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...