Bad Rabbit: what we know
As the third massive ransomware outbreak of the year, ‘Bad Rabbit’, draws to a close, let’s look at how these recent attacks have evolved: WannaCry, NotPetya and Bad Rabbit.
Although these attacks are the first self-propagating ransomworms, able both to encrypt a system and to spread automatically by exploiting vulnerabilities in network and system devices, they all still follow the line of least resistance. They can therefore be prevented and contained quite easily.
Their evolution is as follows:
- WannaCry exploited a Microsoft SMB vulnerability (MS17-010) using a leaked NSA exploit (EternalBlue). Systems could be infected without any user intervention; the attack simply took advantage of organizations that were not managing their patch process adequately.
- NotPetya’s creators assumed that patching or filtering had already happened at the Internet-facing perimeter, so instead they modified a software update (for an accounting software package in Ukraine); the software then updated itself and thus infected systems.
- Bad Rabbit took a hybrid approach. It relied on the end user downloading a file and ignoring the security alert. Once downloaded, it moved through the network by scanning for common passwords and stealing credentials.
As covered in a blog post in June after the WannaCry attack, ‘Leading the fightback against ransomware’, there are a few steps organizations can take to protect themselves. These include:
- Ensuring the software you run is updated with the patches issued
- Making sure your employees know when not to download a file
- Bringing in the required security levels for passwords
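The credential-guessing spread described for Bad Rabbit above leaves a footprint a defender can look for, and it is the same weakness the password requirement in the list is meant to close: one host failing logons against many others within a short time, then succeeding. The following is an added example, not code from the original post; it assumes a simplified comma-separated export of Windows logon events (4625 failed, 4624 succeeded) and uses constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry) in an assumed simplified export:
# timestamp,event_id,source_ip,target_host,account (4625 = failed logon, 4624 = success)
SAMPLE_EVENTS = """\
2017-10-24T10:00:01,4625,10.0.0.15,FS01,Administrator
2017-10-24T10:00:02,4625,10.0.0.15,FS01,admin
2017-10-24T10:00:03,4625,10.0.0.15,HR-PC07,Administrator
2017-10-24T10:00:04,4625,10.0.0.15,HR-PC07,root
2017-10-24T10:00:05,4625,10.0.0.15,DC01,Administrator
2017-10-24T10:00:06,4624,10.0.0.15,DC01,Administrator
2017-10-24T10:05:00,4625,10.0.0.42,FS01,jsmith
2017-10-24T10:20:00,4625,10.0.0.42,FS01,jsmith
"""

def parse_events(text):
    """Parse the simplified export into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src, host, account = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "src": src, "host": host, "account": account})
    return events

def find_spraying_sources(events, window=timedelta(minutes=2), min_hosts=3):
    """Map source_ip -> sorted hosts for sources whose failed logons reached at least
    min_hosts distinct hosts within one sliding window (the worm's fan-out pattern).
    A user mistyping a password against a single server (10.0.0.42) is not flagged."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src"]].append((e["ts"], e["host"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            hosts = {h for t, h in attempts[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged

def successes_from_flagged(events, flagged):
    """(host, account) pairs where a flagged source then logged on successfully:
    the credential the worm guessed or stole, and the host to contain first."""
    return [(e["host"], e["account"]) for e in events
            if e["event_id"] == 4624 and e["src"] in flagged]
```

The window and host threshold are tuning knobs; in a real environment, run this over the domain controllers' logon events rather than a single host's log, since the fan-out is only visible across targets.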
We must note that Bad Rabbit is still unfolding. More may come out about the nature and objective of this attack.
For us, in our investigations, we believe that although this falls under the category of ransomware – there was indeed a ransom asked and communication about it sent to those affected – it doesn’t quite feel like a ransom was the end goal. I’m sure we will learn more in the coming weeks but the similarities to NotPetya and the geolocation suggest a more disruptive aim.
Regardless of the aim, these attacks are extremely disruptive and costly. We must stay a step ahead and maintain security protocols. We cannot be complacent.