
Bad Rabbit: what we know


Posted on: October 30, 2017 by Lukasz Olszewski

As the third massive ransomware outbreak of the year, ‘Bad Rabbit’, draws to a close, let’s have a look at the evolution of the recent attacks: Wannacry, NotPetya and Bad Rabbit.

Although these attacks are the first self-propagating ransomworms that can both encrypt a system and spread automatically by exploiting vulnerabilities in network and system devices, they all still follow the line of least resistance. They can, therefore, be prevented and contained quite easily.

Their evolution is as follows:

  • Wannacry exploited a Microsoft SMB vulnerability (MS17-010) using the NSA-leaked exploit EternalBlue. Systems could be infected without any user intervention; the worm simply took advantage of organizations that had not managed their patch process adequately.
  • NotPetya's creators assumed that patching or filtering had already happened at the Internet-facing perimeter, so they modified a software update (for an accounting package used in Ukraine); the software then updated itself and thus infected systems.
  • Bad Rabbit took a hybrid approach. It relied on the end user downloading a file and ignoring the security alert. Once downloaded, it moved through the network by trying common passwords and stealing credentials.

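The network-spreading behaviour described for Bad Rabbit (one infected host trying common passwords against many neighbours) is visible in authentication logs as a single source failing logons across many destinations. The script below is an added illustration, not code from the original post: it runs that check over a constructed log sample, and the log format, field order and thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample authentication log (not from the original post).
# Format per line: "time src_ip dst_ip username RESULT".
SAMPLE_LOG = """\
10:00:01 10.0.1.15 10.0.1.20 administrator FAIL
10:00:01 10.0.1.15 10.0.1.20 Administrator FAIL
10:00:02 10.0.1.15 10.0.1.21 administrator FAIL
10:00:02 10.0.1.15 10.0.1.22 admin FAIL
10:00:03 10.0.1.15 10.0.1.23 administrator SUCCESS
10:00:03 10.0.1.15 10.0.1.24 root FAIL
10:00:04 10.0.1.15 10.0.1.25 guest FAIL
10:00:10 10.0.1.40 10.0.1.20 jsmith FAIL
10:00:11 10.0.1.40 10.0.1.20 jsmith SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Yield (src, dst, user, result) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, src, dst, user, result = m.groups()
            yield src, dst, user, result

def find_spraying_hosts(log_text, min_targets=4, min_failures=4):
    """Return {src: {"targets": n, "failures": n, "successes": [dst, ...]}}
    for every source that failed logons against many distinct hosts.
    The thresholds are assumptions; tune them to the environment."""
    stats = defaultdict(lambda: {"targets": set(), "failures": 0, "successes": []})
    for src, dst, _user, result in parse(log_text):
        s = stats[src]
        s["targets"].add(dst)
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(dst)  # where the spread actually landed
    return {
        src: {"targets": len(s["targets"]), "failures": s["failures"],
              "successes": s["successes"]}
        for src, s in stats.items()
        if len(s["targets"]) >= min_targets and s["failures"] >= min_failures
    }

if __name__ == "__main__":
    for src, info in find_spraying_hosts(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed logons across {info['targets']} hosts;"
              f" succeeded on {', '.join(info['successes']) or 'none'}")
```

The hosts it reports, and in particular the destinations where a logon succeeded, are the ones to isolate and examine first.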
As covered in a blog post in June after the Wannacry attack, "Leading the fightback against ransomware", there are a few steps organizations can take to protect themselves. These include:

  • Ensuring you apply the patches issued for the software you run
  • Making sure your employees know when not to download a file
  • Bringing in the required security levels for passwords

We must note that Bad Rabbit is still unfolding. More may come out about the nature and objective of this attack.

In our investigations, we believe that although this falls under the category of ransomware (a ransom was indeed asked for, and communication about it was sent to those affected), it doesn't quite feel like a ransom was the end goal. I'm sure we will learn more in the coming weeks, but the similarities to NotPetya and the geolocation suggest a more disruptive aim.

Regardless of the aim, these attacks are extremely disruptive and costly. We must stay a step ahead and maintain security protocols. We cannot be complacent.

 


About Lukasz Olszewski
Global Head of CERT – BDS at Atos and member of the Scientific Community
Lukasz Olszewski is a cybersecurity expert and leader with over 13 years of experience. He is a Distinguished Expert in the Atos Experts Community. He currently leads the Atos Computer Emergency Response Team (CERT), delivering digital forensics, security incident response, malware analysis, threat hunting, red teaming and intelligence services. Lukasz has a degree in Computer Science and previously worked as a System Administrator, mostly with Linux and Unix systems. After that he joined the Royal Bank of Scotland as a Technology Risk Analyst working on information security risk assessments. In 2013 Lukasz joined Atos as a Security Engineer and later took the role of Lead Architect in the area of SIEM and security monitoring, detection and analysis. Lukasz has responded to many severe security incidents, taken part in many global security projects, major R&D initiatives and multiple proofs of concept, and authored many security service processes. Lukasz is also a Certified Information Systems Professional (CISSP), GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA) and Certified Ethical Hacker (CEHv8).
