New Bad Rabbit Ransomware Spreads Rapidly Across Multiple Countries
New Windows ransomware, dubbed ‘Bad Rabbit’, is spreading rapidly across corporate networks in Russia, Ukraine, across Europe, in the U.S., and Japan.
The ransomware started to infect systems on Tuesday, October 24, 2017. CIPHER researchers noted that this new ransomware has similarities to WannaCry and Petya. It is actually a variant of NotPetya, with DLLs sharing 67% of the code.
Bad Rabbit’s first infection move is to pose as an Adobe Flash update when the victim browses to a compromised web site. The fake Adobe update requires that the user click to execute a file. Once a host is infected, the malware moves laterally through the network using SMB exploits, although it is reported that Bad Rabbit does not use the EternalBlue exploit. Lateral movement is also achieved by harvesting administrative credentials from system memory using the Mimikatz method.
Encryption of files is achieved using the open source DiskCryptor. The ransom demanded is 0.05 bitcoin, about $900 per infected computer. Paying the ransom is not a guarantee of getting your files back.
Indicators of Compromise (IOCs)

| Indicator | Type | Context |
|---|---|---|
| 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | SHA256 | dispci.exe |
| b14d8faf7f0cbcfad051cefe5f39645f | MD5 | dispci.exe |
| 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 | SHA256 | infpub.dat |
| 1d724f95c61f1055f0d02c2154bbccd3 | MD5 | infpub.dat |
| 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da | SHA256 | FlashUtil. |
| fbbdc39af1139aebba4da004475e8839 | MD5 | FlashUtil. |
Researchers continue with more detailed analysis.
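As an added defender-side example (not code from the original advisory), the script below hashes every file under a directory and flags any whose SHA256 or MD5 matches the IOC table above; the scanned path and the `bad_rabbit_scan` function name are assumptions.

```python
import hashlib
from pathlib import Path

# Hashes taken from the advisory's IOC table, keyed to the file they identify.
BAD_RABBIT_IOCS = {
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "dispci.exe",
    "b14d8faf7f0cbcfad051cefe5f39645f": "dispci.exe",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": "infpub.dat",
    "1d724f95c61f1055f0d02c2154bbccd3": "infpub.dat",
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "FlashUtil.",
    "fbbdc39af1139aebba4da004475e8839": "FlashUtil.",
}


def file_digests(data: bytes) -> dict:
    """Return the SHA256 and MD5 hex digests of a file's bytes.

    SHA256 is the authoritative match; MD5 is computed only because the
    advisory lists it and some feeds still exchange MD5 values.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: dict = BAD_RABBIT_IOCS):
    """Return (context, algorithm) if either digest is a listed IOC, else None."""
    for algo, hexdigest in file_digests(data).items():
        if hexdigest in iocs:
            return iocs[hexdigest], algo
    return None


def bad_rabbit_scan(root: str, iocs: dict = BAD_RABBIT_IOCS) -> list:
    """Walk `root` (hypothetical path) and return [(path, context, algo)] hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            result = match_iocs(path.read_bytes(), iocs)
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if result:
            hits.append((str(path), *result))
    return hits


if __name__ == "__main__":
    # Constructed usage: scan the current directory and report any matches.
    for hit in bad_rabbit_scan("."):
        print("IOC match:", hit)
```

A hit on a listed hash is a strong signal, but a clean scan only says these exact binaries were not found; combine it with the behavioural indicators described above.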
How to Protect Yourself
- If presented with a software update prompt while navigating a web site, go to the manufacturer’s web site to check for an update instead.
- Always have backups of sensitive data.
- Always have updated endpoint protection. Automatic updates are recommended.
- Keep Windows up-to-date. Automatic updates are recommended.
Get more practical tips on combating ransomware in our ‘What’s Next After WannaCry?’ blog.
If you’re one of our Carbon Black customers, please also take a look at their latest blog that includes a detailed analysis of ‘Bad Rabbit’. This blog post will help you understand how the Bad Rabbit attack works and provide some recommendations on how to prevent it using Cb Defense. http://bit.ly/badrabbit_cipher