Bad Rabbit Ransomware: 9 Things We Know So Far

by | Nov 2, 2017 | Security

Last week, another major ransomware attack hit organizations throughout Russia, Ukraine and Eastern Europe. Nicknamed “Bad Rabbit” ransomware, the strain looks a lot like NotPetya, which crippled thousands of businesses last June, but there are a few important differences to know.

The Bad Rabbit attack, though smaller in scale than NotPetya and WannaCry last May, is yet another troubling sign that ransomware isn’t going away anytime soon.

To make matters worse, just days after hundreds of organizations reported being hit by the cyberattack, a new study was released showing that ransomware markets are booming.

The research found:

  • 2,502% increase in ransomware software sales from 2016 to 2017 on the top dark web marketplaces that fuel ransomware distribution
  • Roughly $6.2 million in sales of ransomware software, up from the year’s previous total of about $250,000
  • 4,000% increase in ransomware payouts previous year – totaling more than $1 billion

How can ransomware be stopped?

For starters, people need to stop paying the ransomware. Below, we’ll go over the single best way that every business can avoid those payouts (and get their data back)—but first, let’s look at what we know about Bad Rabbit ransomware.

The Facts about Bad Rabbit Ransomware

1) Roughly 200 companies hit

By the end of last week, experts estimated there had been approximately 200 successful infections of Bad Rabbit ransomware. By comparison, NotPetya was believed to hit about 2,000 companies in the first day, and WannaCry infected more than 230,000 systems in 150 countries.

This makes Bad Rabbit a much smaller incident, though the ransomware itself is no less destructive.

2) Attacks focused on Russia and Eastern Europe

Bad Rabbit also didn’t spread as widely (geographically) as other major ransomware outbreaks did. The attacks last week occurred mostly in Russia. Infections were also reported in Ukraine, Turkey and Germany.

Some of the highest-profile victims included the Odessa International Airport and the Kiev Metro in Ukraine. In Russia, the attack hit the news agency Interfax and at least three additional media organizations. It was later reported that some Russian banks, including Otkrytiye, were also targeted, but their systems were not fully compromised.

3) Same destructive data encryption

Like most strains of ransomware, Bad Rabbit is designed to encrypt data on computers and servers, making it inaccessible without a decryption key. Victims are instructed by the ransomware to submit payment (in the form of Bitcoin) with the promise that these decryption keys will be provided.

Ransomware doesn’t simply encrypt a few random photos or Word docs. It generally makes a computer unusable, and shared network files also become inaccessible on other devices. So business-critical data, including the files that run your business-critical applications, are effectively gone.

Ilya Sachkov, director of Russian cyber-security firm Group-IB, explained to TASS news agency

how most organizations were affected: “In some of the companies, the work has been completely paralyzed – servers and workstations are encrypted.”

In the case of Bad Rabbit, victims received a link to a Tor payment page with a request for 0.05 bitcoin – roughly $285 USD. The page also included a countdown timer, warning that the ransom demands will increase if payment isn’t submitted before time runs out.

4) Targeted attacks

Researchers believe the attacks were specifically targeted at corporate networks. Most ransomware tends to be indiscriminate, infecting as many machines as possible, generally by spamming as many email addresses as possible with a malicious link or attachment.

However, attacks against corporate networks tend to net bigger payments, due to the higher stakes involved. Many companies are more willing to pay the ransom than individuals, because they literally can’t afford to lose their data. (Losing the data—or taking too long to recover it—can mean losing the business.)

Bad Rabbit sends a clear signal that cybercriminals are becoming more selective in their attacks, going after organizations with the hope of boosting their earnings.

According to ZDNet, researchers at ESET found that cyberattacks use a special script embedded into their infected websites that helped them determine “if the visitor is of interest,” i.e. if it was a corporate user worth attacking. If so, the script then added content to the page to proceed with the infection.

5) It’s a lot like NotPetya

Bad Rabbit looks and acts a lot like NotPetya ransomware. The ransomware note itself looks a lot like NotPetya’s, but also the code that runs it is similar too. In fact, researchers found that Bad Rabbit and NotPetya’s dynamic link library (DLL) share 67 percent of the same code.

Like NotPetya, Bad Rabbit can spread across networks without requiring further action by a user. This is by exploiting the Server Message Block (SMB). As ZDNet explains, “What aids Bad Rabbit’s ability to spread is a list of simple username and password combinations which it can exploit to brute-force its way across networks.”

Because of the similarities between the two variants, some have speculated that the same developers could be behind both. However, as with NotPetya attacks, it’s not yet clear who is behind Bad Rabbit.

Despite their similarities, there are some very important differences between the two…

YOU MIGHT ALSO LIKE:  Ransomware Statistics 2016 - 2017: A Scary Trend in Cyberattacks

6) The infection begins via a fake Flash update

Bad Rabbit gets onto networks initially by fooling a user with a fake message that reads “An update to Adobe Flash Player is available.” This message appears on websites that a user may normally visit, but which have been compromised.

These websites (mostly Russian, Turkish and Bulgarian) were infected via a JavaScript that was added to the HTML body or within their .js files.

When the user clicks the “Install” button on the fake Flash message, their machine receives a dropper that enables the full malicious install to take place, after which it can then spread laterally across the network.

7) No EternalBlue exploit needed

Another important difference between NotPetya and Bad Rabbit is that Bad Rabbit does not use the EternalBlue exploit, which was a critical component in the attacks last May and June.

You may recall that WannaCry and NotPetya used the EternalBlue exploit (notorious for being developed by the U.S. National Security Agency) to take advantage of known vulnerabilities in Windows systems—specifically vulnerabilities in the SMB protocol that allow malware to spread across networks without user interaction.

So far, there has been no evidence that Bad Rabbit used EternalBlue. This is an alarming sign that ransomware attackers are figuring out other, more sophisticated ways to infect networks.

8) A “trick” to preventing infection

If you’re worried you may fall victim to Bad Rabbit, whether you’re using the appropriate security precautions or not, there’s one small step you can take to protect yourself.

According to Kaspersky Lab, all you need to do is block execution of the file: “c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.” Here are some more tips on how to do that.

9) Game of Thrones references?

Yes, really.

Apparently the perpetrators behind Bad Rabbit are fans of Game of Thrones—or they’re just throwing in some random surprises for the heck of it. A close analysis of Bad Rabbit reveals that the code contains a few references to Viserion, Drogon, and Rhaegal—names of dragons in George R.R. Martin’s books and the HBO series.

This has no significance, other than the fact that these attackers are clearly having a lot of fun while they destroy businesses and extort people’s money.

How can we stop this?

It’s no secret that our global ransomware problem is only just beginning. The consensus among experts is that ransomware is only going to get worse: smarter, more destructive and more profitable for the perpetrators.

ZDNet published a fascinating article this week that highlights four frightening ways that this “nightmare” is going to get worse in the months ahead:

  • Ransomware will become more of a diversion: Aside from the encryption, ransomware will do more destructive things behind the scenes, like data scraping and illegal fund transfers.
  • More doxxing and black mail: Ransomware will begin to not only lock your data but threaten to publish sensitive or incriminating information online unless you pay up.
  • More enterprise attacks, bigger ransom demands: Attackers have only just tested the waters for how high their ransom demands can go. Most demands still average under $2,000, but as the attacks continue to target larger organizations, experts predict more attackers will begin asking for sums in the millions.
  • More exploits: Attacks like WannaCry and NotPetya have revealed just how utterly unprepared businesses are—not just in terms of their data backup solutions, but also in that their operating systems and software are horribly unpatched. Attackers will continue to use exploits to spread farther and faster across networks, knowing that companies still aren’t taking the necessary precautions to update their systems.

As you probably already know by now, it is crucial that your business implements a dependable backup and disaster recovery (BDR) system, which will enable you to quickly roll back to clean data after an attack, thus removing the threat and minimizing downtime.

But as for the larger threat of ransomware itself, it needs to be repeated how important it is for businesses to stop paying the ransom. In the study mentioned above, which found ransomware markets to be exploding, researchers appropriately concluded: “The system only works if victims choose to pay. Until people decide not to pay, this problem will only continue to grow.”

Tracy Rock is the Director of Marketing at Invenio IT. Tracy is responsible for all media-related initiatives as well as external communications—including, branding, public relations, promotions, advertising and social media. She is one busy lady and we are lucky to have her!

subscribe

Business Continuity Newsletter

Join over 17,000 subscribers and receive weekly business continuity news, tips & advice to protect your business.

You have Successfully Subscribed!