Bad Rabbit: what we know


Posted on: October 30, 2017 by Lukasz Olszewski

As the third massive ransomware outbreak of the year, ‘Bad Rabbit’, draws to a close, let’s look at how the recent attacks have evolved: WannaCry, NotPetya and Bad Rabbit.

Although these attacks are the first widespread self-propagating ransomworms, encrypting a system and then spreading automatically by exploiting vulnerabilities or weak credentials on the network, they all follow the line of least resistance. They can, therefore, be prevented and contained quite easily.

Their evolution is as follows:

  • WannaCry exploited a Microsoft SMBv1 vulnerability (MS17-010) using the leaked NSA exploit EternalBlue. Systems could be infected without any user interaction; the worm simply took advantage of organizations that had not applied the patch Microsoft issued in March 2017.
  • NotPetya’s creators assumed that patching or filtering had already happened at the Internet-facing perimeter, so they compromised the update mechanism of a Ukrainian accounting software package (M.E.Doc): the software updated itself and thereby infected the systems it ran on, already inside the perimeter. From there it spread using the same SMB exploit and credentials stolen from infected hosts.
  • Bad Rabbit was a hybrid approach. Initial infection relied on the end user downloading and running a file (a fake Adobe Flash Player installer served from compromised websites) and clicking through the security prompt. Once running, it moved through the network over SMB by trying a hard-coded list of common usernames and passwords against neighbouring hosts and by reusing credentials stolen from the infected machine.
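The lateral-movement behaviour described above leaves a recognisable trace in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) from one source against several accounts and hosts, followed by a successful network logon (4624) once a weak or reused password matches. The script below is an added example, not part of the original post and not an Atos tool, that runs that detection over a handful of constructed event lines. The pipe-delimited export format, the thresholds and the function names are assumptions for the example; a real deployment would read the normalised fields from a SIEM or an EVTX parser instead.

```python
"""Detect Bad Rabbit-style SMB credential guessing from Windows Security events.

Bad Rabbit tried a short hard-coded list of common usernames and passwords,
plus credentials dumped from the infected host, against SMB on other machines.
On the targets that shows up as failed network logons (4625, logon type 3)
from one source address against several accounts, often followed by a
successful network logon (4624) once a weak or reused password matches.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample for this example (not real telemetry), in an assumed
# normalised export: time | event id | logon type | source IP | target host | account
SAMPLE_EVENTS = """\
2017-10-24T10:01:02|4625|3|10.0.5.23|FS01|Administrator
2017-10-24T10:01:03|4625|3|10.0.5.23|FS01|Admin
2017-10-24T10:01:03|4625|3|10.0.5.23|FS01|Guest
2017-10-24T10:01:04|4625|3|10.0.5.23|FS01|User
2017-10-24T10:01:05|4625|3|10.0.5.23|HR-PC07|Administrator
2017-10-24T10:01:05|4625|3|10.0.5.23|HR-PC07|Admin
2017-10-24T10:01:06|4625|3|10.0.5.23|HR-PC07|backup
2017-10-24T10:01:09|4624|3|10.0.5.23|HR-PC07|backup
2017-10-24T10:03:10|4625|3|10.0.7.41|FS01|jsmith
2017-10-24T10:03:40|4624|3|10.0.7.41|FS01|jsmith
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, src, host, account = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "host": host,
            "account": account,
        })
    return events


def detect_credential_guessing(events, window=timedelta(minutes=5),
                               min_failures=5, min_accounts=3):
    """Return one alert per source address that looks like SMB credential guessing.

    A source is flagged when, inside `window`, it produced at least `min_failures`
    failed network logons against at least `min_accounts` distinct accounts.
    Successful network logons from that source during or shortly after the burst
    are reported as probable credential compromises (a weak or reused password).
    """
    by_src = defaultdict(list)
    for ev in events:
        # Only network logons matter here; interactive logons are out of scope.
        if ev["logon_type"] == 3 and ev["event_id"] in (4624, 4625):
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        burst = None
        # Slide the window over the failures; stop at the first one that qualifies.
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["time"] - start["time"] <= window]
            if (len(in_window) >= min_failures
                    and len({e["account"] for e in in_window}) >= min_accounts):
                burst = in_window
                break
        if burst is None:
            continue
        burst_start, burst_end = burst[0]["time"], burst[-1]["time"]
        # Successes before the burst are normal use; only those during or
        # shortly after it are treated as the guessing having succeeded.
        compromised = sorted({
            (e["host"], e["account"]) for e in evs
            if e["event_id"] == 4624 and burst_start <= e["time"] <= burst_end + window
        })
        alerts.append({
            "src": src,
            "failures": len(burst),
            "accounts": sorted({e["account"] for e in burst}),
            "hosts": sorted({e["host"] for e in burst}),
            "probable_compromise": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample, 10.0.5.23 is flagged (seven failures across five accounts and two hosts in four seconds, then a successful logon as `backup` on HR-PC07), while 10.0.7.41, a user who mistyped a password once, is not. The thresholds are deliberately conservative; tune them against a baseline of your own 4625 volume before alerting on them.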

As covered in a blog post in June after the WannaCry attack, ‘Leading the fightback against ransomware’, there are a few steps organizations can take to protect themselves. These include:

  • Ensuring the software you run is updated with the patches issued for it
  • Making sure your employees know when not to download or run a file
  • Enforcing password strength requirements and not reusing credentials across systems, since Bad Rabbit’s spread relied on common and stolen passwords

Note that Bad Rabbit is still unfolding; more may come out about the nature and objective of this attack.

In our own investigations we believe that, although this falls under the category of ransomware (a ransom was indeed demanded and instructions were sent to those affected), a ransom does not quite feel like the end goal. We will surely learn more in the coming weeks, but the similarities to NotPetya and the geographic distribution of the victims suggest a more disruptive aim.

Regardless of the aim, these attacks are extremely disruptive and costly. We must stay a step ahead, maintain our security controls and not become complacent.

 



About Lukasz Olszewski

CSIRT and Threat Intelligence Lead, Europe
Lukasz Olszewski is a cybersecurity expert and leader with over 10 years of experience. He is also a Senior Expert in the Atos Digital Experts Community. He currently leads the Atos Computer Security Incident Response and Threat Intelligence Teams in Europe, delivering EDR, security incident response, forensics, malware analysis, threat hunting and intelligence services. Lukasz has a degree in Computer Science and previously worked as a System Administrator, mostly with Linux and Unix systems. After that he joined the Royal Bank of Scotland as a Technology Risk Analyst working on information security risk assessments. In 2013 Lukasz joined Atos as a Security Engineer and later took the role of Lead Architect in the area of SIEM and security monitoring, detection and analysis. Lukasz has responded to many severe security incidents, taken part in many global security projects, major R&D initiatives and multiple proofs of concept, and authored many security service processes. Lukasz is also a Certified Information Systems Security Professional (CISSP), GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA) and Certified Ethical Hacker (CEHv8).
