Bad Rabbit: what we know


Posted on: Oct 30, 2017 by Lukasz Olszewski

As the third massive ransomware outbreak of the year, ‘Bad Rabbit’, draws to a close, let’s have a look at the evolution of the recent attacks: Wannacry, NotPetya and Bad Rabbit.

Although these attacks are the first self-propagating ransomworms that can both encrypt a system & spread automatically by exploiting vulnerabilities in network and system devices,  still, they all follow the line of least resistance. They can, therefore, be prevented and contained quite easily.

Their evolution is as follows:

  • Wannacry exploited a Microsoft SMB vulnerability (MS17-010) and used an NSA leaded exploit (EternalBlue). This could be infected without user intervention and simply took advantage of organizations not managing the patch process adequately.
  • NotPetya creators assumed that the patches or filtering had happened already at the Internet facing perimeter and so they modified a software update (an accounting software in the Ukraine), which then updated itself and thus infected systems.
  • Bad Rabbit was a hybrid approach. It actually relied on the end user downloading a file, ignoring the security alert. Once downloaded it moved through a network by scanning for common passwords and stealing credentials.

As covered in a blog post in June after the Wannacry attack, Leading the fightback against ransomware, there are a few steps organizations can take to protect themselves. These include:

  • Ensuring you are updating the software you have with the patches issued
  • Make sure your employees are aware when not to download a file
  • Bringing in required security levels for passwords

We must note that Bad Rabbit is still unfolding. More may come out about the nature and objective of this attack.

For us, in our investigations, we believe that although this falls under the category of ransomware – there was indeed a ransom asked and communication about it sent to those affected – it doesn’t quite feel like a ransom was the end goal. I’m sure we will learn more in the coming weeks but the similarities to NotPetya and the geolocation suggest a more disruptive aim.

Regardless of the aim, these attacks are extremely disruptive and costly. We must stay a step ahead and maintain security protocols. We cannot be complacent.

 

Share this blog article


About Lukasz Olszewski

VIEW ALL POSTS BY Lukasz Olszewski
CSIRT Lead Europe
Lukasz Olszewski is a Senior Expert in Atos Digital Experts Community. He currently leads Atos Computer Security Incident Response Team in Europe delivering security incident response, forensics, threat hunting and malware analysis services. Lukasz has a degree in Computer Science and has previously worked as System and Network Administrator in a large Polish IT company working mostly with Linux and Unix systems. After that he joined the Royal Bank of Scotland as Technology Risk Analyst working on information security risk assessments. In 2013 Lukasz joined Atos as a Security Engineer and later took the role of the Lead Architect in the area of SIEM and security monitoring, detection and analysis. Lukasz has taken part in many global security projects, multiple proof of concepts and authored multiple security service processes.

 
VIEW ALL EXPERTS

Related articles

Securing the IoT
Why Managed IoT Security Services is the next big thing
In the age of cyber trust, robust cyber security is more important than ever
Value Driven Computing

Related Links

Categories