Update: Further details on BadRabbit's spread, vaccine posted

News by Doug Olenick

Update: Several Russian news agencies and additional targets in Ukraine have reportedly been hit with cyber-attacks, which the security firm Group-IB believes to be based on a new variant of Petya called BadRabbit.

GroupIB reported on Twitter that the Russian Interfax news agency is down due to a cyber-attack. Interfax has confirmed the report and has continued posting news stories along with updates on its own situation on its Facebook page. Check Point said the Ukrainian targets included Kyiv Metro (Ukrainian underground train services), Odessa Airport (Ukraine), Ukrainian ministries of infrastructure and finance.

Cybereason researcher Mike Iacovacci has posted a series of steps that will prevent a system from being infected with BadRabbit.

Early reports indicate BadRabbit is being spread through a fake Adobe Flash Player update that pops up on some Russian news media sites, and that the attacker is demanding a 0.05 bitcoin ransom, about £214. Images posted on Twitter show the ransom note is written in English, even though no English-speaking country has been reported hit.

At this early stage there is also some disagreement over whether the malware is using the same EternalBlue exploit that WannaCry and Petya used successfully earlier this year, or something similar. Check Point noted that the lock screen displayed once a computer is encrypted (using the open source DiskCryptor software) is similar to the one used in the Petya and NotPetya attacks.

"However, this is the only similarity we can observe between both malware, in all other aspects BadRabbit is a completely new and unique ransomware," Check Point said in a statement to SC Media. 

Dave Maasland, an ESET managing director, said in a tweet that EternalBlue is not in play with BadRabbit.

“Now we can confirm, no Eternalblue or any other SMB exploit inside, the SMB protocol is used only to check hardcoded credentials,” he tweeted.

However, Nick Carr, who works in security consulting and incident response at Mandiant, posted on Twitter that BadRabbit drops and executes c:\windows\infpub.dat by ordinal function, and that he expects this new attack to show many similarities to EternalPetya.

Adam Meyers, CrowdStrike's vice president of Intelligence, said the initial investigation suggests several parallels with NotPetya malware, although verification of these overlaps is ongoing at this time.

CrowdStrike also believes the delivery site has been identified. "BadRabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017," Meyers told SC Media.

"There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as widespread as WannaCry or NotPetya," said Chris Doman, security researcher at AlienVault.

Matthias Maier, security evangelist at Splunk, emailed SC Media UK to advise that, as best practice for defending themselves, businesses "...should be monitoring activity from across their IT estate to baseline normal and enable them to quickly detect any irregular patterns that could indicate compromise by a malicious actor. However, as news about the latest threats spread online, they should also carefully monitor for the latest insights coming up every minute from security researchers around the world to understand what the infection vectors are, how the ransomware works and what vulnerabilities allow the ransomware to quickly spread in a network. Security teams need to be able to analyse if their environment is potentially vulnerable and if they see any indicators of an infection starting in order to take appropriate countermeasures quickly.

"It appears that BadRabbit creates three new scheduled tasks on a system, including a forced restart - by searching for this specific occurrence in monitored log data from endpoints, an organisation will be able to identify patient zero earlier, and act to isolate the impact. The current situation with BadRabbit is once more a reminder of how important it has become for organisations in the digital age to have a skilled security team on standby, with the right technology in place to access the right information and take the right decisions quickly to avoid any business impact. A robust security strategy has become a competitive advantage."
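As an added illustration of the detection approach Maier describes (not code from Splunk, the article, or any researcher quoted in it), the script below runs over a handful of constructed scheduled-task-creation log lines and flags any host that creates three or more scheduled tasks within a short window where one of them forces a restart, then reports the earliest such host as the candidate patient zero. The flattened "timestamp host=... event_id=... task=... cmd=..." line format is an assumed collector layout, the task names and payload paths are placeholders, and Windows Security event ID 4698 ("A scheduled task was created") is the one real identifier used; it goes slightly beyond the quote by generalising to any burst-plus-restart pattern rather than a fixed task name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). The flattened
# "timestamp host=... event_id=... task=... cmd=..." layout is an assumed
# collector format; Windows Security event 4698 = "A scheduled task was created".
# Task names and payload paths are placeholders, not BadRabbit indicators.
SAMPLE_LOG = r'''
2017-10-24T12:00:01Z host=WS-041 event_id=4698 task="\Microsoft\Windows\Defrag\ScheduledDefrag" cmd="%windir%\system32\defrag.exe -c"
2017-10-24T13:05:10Z host=WS-017 event_id=4698 task="\TASK-A" cmd="C:\Windows\example_payload.exe"
2017-10-24T13:05:12Z host=WS-017 event_id=4698 task="\TASK-B" cmd="cmd.exe /c C:\Windows\example_dropper.bat"
2017-10-24T13:05:15Z host=WS-017 event_id=4698 task="\TASK-C" cmd="shutdown.exe /r /t 0 /f"
2017-10-24T13:06:00Z host=WS-017 event_id=4624 task="" cmd=""
2017-10-24T13:20:40Z host=WS-203 event_id=4698 task="\TASK-A" cmd="C:\Windows\example_payload.exe"
2017-10-24T13:20:41Z host=WS-203 event_id=4698 task="\TASK-B" cmd="cmd.exe /c C:\Windows\example_dropper.bat"
2017-10-24T13:20:45Z host=WS-203 event_id=4698 task="\TASK-C" cmd="shutdown.exe /r /t 0 /f"
2017-10-24T14:00:00Z host=WS-099 event_id=4698 task="\Backup1" cmd="backup.exe --full"
2017-10-24T14:00:05Z host=WS-099 event_id=4698 task="\Backup2" cmd="backup.exe --diff"
2017-10-24T14:00:09Z host=WS-099 event_id=4698 task="\Backup3" cmd="backup.exe --verify"
'''

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) '
    r'task="(?P<task>[^"]*)" cmd="(?P<cmd>[^"]*)"$'
)
# A forced restart: shutdown(.exe) invoked with a /r or -r switch.
RESTART_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*(?:/|-)r\b", re.IGNORECASE)


def parse_log(text):
    """Return the scheduled-task-creation (4698) events as dicts, skipping other events."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "4698":
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "task": m.group("task"),
            "cmd": m.group("cmd"),
        })
    return events


def detect_task_bursts(text, window=timedelta(minutes=10), min_tasks=3):
    """One alert per host that created >= min_tasks scheduled tasks inside `window`,
    at least one of which forces a restart. Alerts are sorted earliest-first so the
    first entry is the best candidate for patient zero."""
    by_host = defaultdict(list)
    for ev in parse_log(text):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each event: everything within `window` of it.
            burst = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            if len(burst) >= min_tasks and any(RESTART_RE.search(e["cmd"]) for e in burst):
                alerts.append({
                    "host": host,
                    "first_seen": start["time"],
                    "tasks": [e["task"] for e in burst],
                })
                break  # one alert per host is enough for triage
    return sorted(alerts, key=lambda a: a["first_seen"])


def patient_zero(text, **kw):
    """Host with the earliest matching burst, or None if nothing matched."""
    alerts = detect_task_bursts(text, **kw)
    return alerts[0]["host"] if alerts else None


if __name__ == "__main__":
    for a in detect_task_bursts(SAMPLE_LOG):
        print(a["first_seen"].isoformat(), a["host"], a["tasks"])
    print("candidate patient zero:", patient_zero(SAMPLE_LOG))
```

WS-099 creates three tasks in a burst but none forces a restart, so it is not alerted; requiring both conditions keeps routine batch-job rollouts out of the queue. In a real estate the same logic would run over 4698 events (or Task Scheduler operational log entries) pulled from the SIEM rather than an inline string, and the window and threshold would be tuned against the organisation's baseline of normal task creation.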

Nick Pollard, Director, Security & Intelligence, Nuix adds in an email to SC Media UK, "Bad Rabbit is another example of ransomware in the same vein as WannaCry and NotPetya. Those attacks showed a fundamental weakness in many businesses: antivirus is only as good as its signature database (which often lags days or even weeks behind an attack). Sadly, these attacks also underscore the fact that end users are a serious vulnerability as well; it only takes one person in the organisation to fall for the fake attachment to introduce it to your network.

"What's needed is a fresh approach in this escalating arms race. We need to place on each and every endpoint a means to prevent self-harm and block a user's attempt (though very often inadvertent) to infect the machine and, by extension, the rest of the network. Relying on rapidly-outdated antivirus definitions and operating system patches simply isn't enough. Furthermore, we have to address the gap that exists between these traditional, and still necessary, defences.

He concludes, "The only way to win the cyber-security war is to prevent the attack from happening in the first place. Organisations must change their security posture. Prevention needs to be at the forefront of any ransomware strategy. Since the endpoint is ground-zero for ransomware attacks, what organisations need is the ability to detect and put a stop to malicious behaviour as early as possible in the kill chain."
