Researchers found the new Bad Rabbit ransomware attacks spreading through Eastern Europe have connections to other recent ransomware threats and the actors responsible may have been planning the attacks for quite a while.
The Bad Rabbit ransomware was first spotted on Tuesday after infecting three large media outlets in Russia. Since then, researchers have seen the Bad Rabbit ransomware spread, though the majority of the victims have been in Russia and Ukraine.
Although the attacks are recent, Yonathan Klijnsma, threat researcher at RiskIQ, a digital threat management company headquartered in San Francisco, noted that the infrastructure supporting Bad Rabbit and the initial compromise may have happened long ago.
"Even though the Bad Rabbit ransomware is brand new, we can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck and the news cycle began," Klijnsma wrote in a blog post. "In fact, the campaign could have been originally built for something other than Bad Rabbit."
The Bad Rabbit ransomware was reportedly distributed via a fake Adobe Flash installer, and Costin Raiu, director of the global research and analysis team for Kaspersky Lab, confirmed part of the planning behind the attacks.
Bad Rabbit vs. NotPetya ransomware
Soon after the Bad Rabbit ransomware was spotted, researchers drew comparisons between it and NotPetya due to the ability of both to propagate in a worm-like fashion. Bad Rabbit was also found to exploit the same Windows Server Message Block vulnerability (MS17-010) and encrypt the master boot record, just like NotPetya.
Matt Suiche, founder of Comae Technologies, noted on Twitter that the two ransomware variants had much more in common than most thought.
BadRabbit is not only similar to NotPetya, it *is* NotPetya recompiled and including bugfixes. See below the lateral movement routine. pic.twitter.com/Pdq6P0TwD7
— Matthieu Suiche (@msuiche) October 26, 2017
Raef Meeuwisse, governance expert at ISACA, said the Bad Rabbit ransomware attackers even appeared "to have spent a lot of time on refining the monetization model" in order to fix the issues causing NotPetya victims to be unable to decrypt data.
"The malware provides a unique key to each machine it infects, so it is possible you may really be able to buy the decryption key from the hackers, for a while at least," Meeuwisse told SearchSecurity. "The hackers also set a relatively low initial ransom payment demand (~$280), with that cost doubling after a countdown period -- and likely to continue doubling. That is a long established pressure sales technique."
Experts, including Gabriel Gumbs, vice president of product strategy for Stealthbits Technologies, a cybersecurity software company based in Hawthorne, N.J., noted that the Bad Rabbit ransomware used "the open source tool Mimikatz to harvest credentials."
"This could simply be to widen its reach internally for the purpose of further encrypting the files of users with elevated privileges, it may be being used to hide inside of compromised networks, or the ransom itself could be a decoy from the attack's real purpose," Gumbs told SearchSecurity. "What we can definitively say today is the only reason you would package Mimikatz with ransomware is for the purpose of further exploiting internal networks -- not simply to ransom files."
Mitigating the risk of the Bad Rabbit ransomware
Bob Rudis, chief data scientist at Rapid7, said one of the first things to be wary of would be updating software too quickly.
"It would be a good idea to hold off on clicking any 'update' button until endpoint and perimeter protection vendors have had a chance to fully analyze this new threat and generate configurations for their products and update filtering options for their appliances," Rudis wrote in an advisory post. "That may sound strange, but if you're in a managed organization, your IT department should be controlling when updates happen. If you are an individual user, there will be more short-term harm in clicking an unfamiliar 'update' button then (sic) there will be in holding off for an extra day or two."
Rudis and other experts also offered familiar advice for those affected by any ransomware: Hope there is a recent backup from which to restore data.
In terms of preventing a Bad Rabbit ransomware infection, Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., had a more basic suggestion.
Steps to avoid a #BadRabbit outbreak:
1. Don't let users run as Admin.
2. You're done.
— Jake Williams (@MalwareJake) October 24, 2017
And, as a more technical option, Amit Serper, security researcher at Boston-based Cybereason -- who had also found a way to mitigate the NotPetya ransomware -- created a Bad Rabbit vaccine.
I can confirm - Vaccination for #badrabbit: Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat - remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) pic.twitter.com/5sXIyX3QJl
— Amit Serper (@0xAmit) October 24, 2017
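The vaccine described in the tweet above, written out as an added PowerShell example (this is not Cybereason's or Amit Serper's own code, and it is not from the original article). It assumes the two file names quoted in the tweet, creates each file if it is missing, disables ACL inheritance, discards every access rule, and then reports the resulting state so an administrator can confirm the files are locked down. It must be run from an elevated PowerShell session.

```powershell
# Added example: create the two marker files named in the tweet and strip all
# access rules (including inherited ones) so that no process can write to or
# replace them. Paths are the ones quoted in the tweet; nothing else is assumed.
$files = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

foreach ($path in $files) {
    # Create an empty file if it does not exist yet; leave an existing one alone.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }

    # Load the file's current security descriptor.
    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting from C:\Windows and drop the inherited ACEs
    # ($true = protect the DACL, $false = do not keep copies of inherited rules).
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit ACE that remains, leaving an empty DACL.
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }

    # Persist the new descriptor to the file.
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verification: each file should exist, show 0 ACEs and have a protected DACL.
foreach ($path in $files) {
    $acl = Get-Acl -LiteralPath $path
    '{0}: {1} ACE(s), inheritance protected = {2}' -f $path, $acl.Access.Count, $acl.AreAccessRulesProtected
}
```

Two things a practitioner should keep in mind. First, an empty DACL still lets the file's owner change its permissions, so the owner (the administrator account that created the file) can reverse this later; it does not make the file unmanageable. Second, a vaccine keyed to specific file names only works against builds that check for those exact files, so it is a stopgap for the samples analysed at the time and not a substitute for patching and for the privilege-reduction advice given elsewhere in the article.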