Bad Rabbit: what we know

Posted on: October 30, 2017 by Lukasz Olszewski

As the third massive ransomware outbreak of the year, ‘Bad Rabbit’, draws to a close, let’s have a look at the evolution of the recent attacks: Wannacry, NotPetya and Bad Rabbit.

Although these attacks are the first self-propagating ransomworms, able both to encrypt a system and to spread automatically by exploiting vulnerabilities in network and system devices, they all still follow the line of least resistance. They can therefore be prevented and contained quite easily.

Their evolution is as follows:

  • Wannacry exploited a Microsoft SMB vulnerability (MS17-010) using an NSA-leaked exploit (EternalBlue). Systems could be infected without any user intervention; the worm simply took advantage of organizations not managing their patch process adequately.
  • The NotPetya creators assumed that patching or filtering had already happened at the Internet-facing perimeter, so they tampered with a software update (for an accounting package used in Ukraine); the software then updated itself and infected the systems running it.
  • Bad Rabbit took a hybrid approach. It relied on the end user downloading a file and ignoring the security alert. Once downloaded, it moved through the network by scanning for common passwords and stealing credentials.

As covered in a blog post in June after the Wannacry attack, Leading the fightback against ransomware, there are a few steps organizations can take to protect themselves. These include:

  • Ensuring you are applying the patches issued for the software you use
  • Making sure your employees know when not to download a file
  • Bringing in the required security levels for passwords
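The third step, "required security levels for passwords", matters because Bad Rabbit moved laterally by trying common passwords. One way to enforce such a level at account-creation or password-change time is a policy check that rejects short passwords, passwords with too few character classes, passwords built on a known weak word (even with the usual letter-for-symbol substitutions and a trailing year or "!"), and passwords containing the user name. The Python below is an added example written for this post, not code from the original article or from Atos; the weak-password list, the minimum length of 12 and the three-class rule are constructed assumptions, and a real deployment would load a far larger breached-password corpus from a file.

```python
"""Password-policy check against a dictionary of weak passwords.

Added example, not part of the original post. Thresholds and the weak
password list below are constructed for illustration only.
"""
import re
import unicodedata

# Constructed sample of weak passwords (assumption); a real list is far larger.
WEAK_PASSWORDS = {
    "password", "123456", "qwerty", "admin", "administrator", "letmein",
    "welcome", "p@ssw0rd", "passw0rd", "secret", "root", "guest",
}

MIN_LENGTH = 12        # assumed policy minimum
MIN_CLASSES = 3        # assumed: at least 3 of lower/upper/digit/symbol

# Undo common "leet" substitutions so that P@ssw0rd compares as password.
_LEET = str.maketrans("@$0135", "asoles")


def normalise(pw: str) -> str:
    """Unicode-normalise, lower-case and undo letter-for-symbol swaps."""
    return unicodedata.normalize("NFKC", pw).lower().translate(_LEET)


# Normalise the dictionary once so both sides of the comparison match.
_WEAK_NORMALISED = {normalise(p) for p in WEAK_PASSWORDS}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, pw)) for p in _CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")

    # Compare both the full password and its "core" with trailing digits and
    # punctuation removed, so 'Welcome2024!!' is still caught as 'welcome'.
    norm = normalise(pw)
    core = normalise(re.sub(r"[\d\W_]+$", "", pw))
    candidates = {norm} | ({core} if core else set())
    if candidates & _WEAK_NORMALISED:
        problems.append("matches a known weak password")

    if username and len(username) >= 3 and normalise(username) in norm:
        problems.append("contains the user name")

    return problems


def is_acceptable(pw: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no violation is found."""
    return not check_password(pw, username)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate, user in (
        ("P@ssw0rd1!", "jdoe"),
        ("Welcome2024!!", "jdoe"),
        ("Jdoe2017!Secure", "jdoe"),
        ("correct-horse-battery-staple-9Q", "jdoe"),
    ):
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation is deliberately applied to the dictionary as well as to the candidate, so a single mapping covers both directions; extending the check to a large corpus only requires replacing the `WEAK_PASSWORDS` set with the lines of a file.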

We must note that Bad Rabbit is still unfolding. More may come out about the nature and objective of this attack.

From our own investigations, we believe that although this falls under the category of ransomware – a ransom was indeed demanded and communicated to those affected – it doesn’t quite feel like the ransom was the end goal. I’m sure we will learn more in the coming weeks, but the similarities to NotPetya and the geolocation suggest a more disruptive aim.

Regardless of the aim, these attacks are extremely disruptive and costly. We must stay a step ahead and maintain security protocols. We cannot be complacent.


About Lukasz Olszewski
Global Head of CERT – BDS at Atos and member of the Scientific Community
Lukasz Olszewski is a cybersecurity expert and leader with over 13 years of experience. He is a Distinguished Expert in Atos Experts Community. He currently leads Atos Computer Emergency Response Team (CERT) delivering digital forensics, security incident response, malware analysis, threat hunting, red teaming and intelligence services. Lukasz has a degree in Computer Science and has previously worked as System Administrator working mostly with Linux and Unix systems. After that he joined the Royal Bank of Scotland as Technology Risk Analyst working on information security risk assessments. In 2013 Lukasz joined Atos as a Security Engineer and later took the role of the Lead Architect in the area of SIEM and security monitoring, detection and analysis. Lukasz has responded to many severe security incidents, taken part in many global security projects, major R&D initiatives, multiple proof of concepts and authored many security service processes. Lukasz is also Certified Information Systems Professional (CISSP), GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA) and Certified Ethical Hacker (CEHv8).