A new type of ransomware called 'Bad Rabbit' has made itself known, mostly found to be spreading to organisations in Ukraine and Russia. What do you need to know?
What does it do?
The ransomware has infected Russian websites including the news agency Interfax, as well as an airport in Ukraine and the metro system in Kiev, and is known to that country's police, who are currently investigating. US officials, meanwhile, stated that reports of Bad Rabbit had been received from "many countries around the world".
Ransomware – that is, malicious software that blocks access to the contents of a system and demands payment for it to be unlocked – is hardly a new phenomenon. But the WannaCry and then Petya outbreaks caused widespread chaos worldwide earlier this year and firmly shifted the term into the public consciousness.
For its part, Bad Rabbit encrypts a computer and then demands a payment of 0.05 bitcoins, worth a little over £200.
The size of the payment, which will be relative peanuts to some of the organisations hit, suggests a 'spray and pray' tactic in which the malicious actors bank on victims deciding it is more trouble than it's worth not to pay up. Of course, there's no guarantee that anyone who pays will get their data back, and there are reports of previous ransomware victims coughing up only to find that law enforcement had intervened to prevent the payment going through.
How does it work?
Kaspersky Lab notes that the malware dropper is downloaded from the malicious actor's infrastructure when a victim visits a legitimate website, distributed as a drive-by download from hxxp://1dnscontrol[.]com/flash_install.php
There is no exploit involved here, Kaspersky says, so the victim has to manually execute the malware dropper, which is disguised as an installer for Adobe Flash – the file is called install_flash_player.exe. It requires admin privileges, and if it is run it saves a malicious DLL as infpub.dat and launches it with rundll32.
Kaspersky says that this DLL appears to be able to brute-force NT LAN Manager (NTLM) login credentials for Windows machines.
Security researchers at Cylance say that there are five embedded executables in infpub.dat, and these are:
- Two versions of Mimikatz, x86 and x64, which harvest credentials from the machine so that the malware can spread to other machines (think corporate networks).
- Two versions of a signed driver, also x86 and x64, giving direct access to the boot sector for full-disk encryption.
- A module that infects the boot record and produces the ransom message.
Once on a machine, infpub.dat installs a malicious executable, dispci.exe, into C:\Windows and schedules a task to launch it. The code base of dispci.exe looks similar to the open-source DiskCryptor utility, says Kaspersky, but here it is used to encrypt files and install a modified bootloader.
What to do
First things first: enable the easily available and free protections on your system, and at the very least have Windows Defender running and enabled. At this stage, paid antivirus products should also be able to protect a machine against this relatively unsophisticated malware.
Cybereason researchers Amit Serper and Mike Iacovacci say they have developed a way to prevent Bad Rabbit from infecting a machine. Their technique, listed step by step on the Cybereason blog, recommends a series of measures that involve tinkering with your system's permissions.
For staff at organisations that find they have been hit, Peter Groucutt, managing director of disaster recovery experts Databarracks, recommends heading straight to crisis management. That team should do its level best to isolate the malware, pinpoint exactly when the ransomware infection started, and take immediate operational decisions to go offline.
"Once the most recent clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again," he says.
Splunk's Matthias Maier, meanwhile, says best practice is for businesses to proactively monitor activity across their full IT estate so that they can spot irregular patterns that could indicate malicious actors at work.
"Security teams need to be able to analyse if their environment is potentially vulnerable and if they see any indicators of an infection starting, in order to take appropriate counter-measures quickly," Maier said. "For example – it appears Bad Rabbit creates three new scheduled tasks on a system, including a forced restart. By searching for this specific occurrence in monitored log data from endpoints, an organisation will be able to identify patient zero earlier, and act to isolate the impact."
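Maier's point can be turned into a concrete hunt over endpoint logs: group scheduled-task creation events per host, and flag any host that creates several tasks in a short window where one launches dispci.exe from C:\Windows and another forces a restart. The example below is added here and is not Splunk's or Kaspersky's code; the log records are constructed and only loosely modelled on Windows Security event 4698 ("A scheduled task was created"), and the task names and arguments in them are made up.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Each mimics a scheduled-task
# creation event: time, host, task name, command and arguments.
SAMPLE_EVENTS = [
    {"time": "2017-10-24T13:02:11", "host": "WS-017", "task": "Backup",
     "cmd": r"C:\Tools\backup.exe", "args": "--nightly"},
    {"time": "2017-10-24T13:05:40", "host": "WS-042", "task": "task1",
     "cmd": "cmd.exe", "args": r'/C Start "" "C:\Windows\dispci.exe" -id 1234'},
    {"time": "2017-10-24T13:05:41", "host": "WS-042", "task": "task2",
     "cmd": "shutdown.exe", "args": "/r /t 0 /f"},
    {"time": "2017-10-24T13:05:43", "host": "WS-042", "task": "task3",
     "cmd": "shutdown.exe", "args": "/r /t 15 /f"},
    {"time": "2017-10-24T13:20:05", "host": "WS-009", "task": "task1",
     "cmd": "cmd.exe", "args": r'/C Start "" "C:\Windows\dispci.exe" -id 9876'},
    {"time": "2017-10-24T13:20:06", "host": "WS-009", "task": "task2",
     "cmd": "shutdown.exe", "args": "/r /t 0 /f"},
    {"time": "2017-10-24T13:21:00", "host": "WS-009", "task": "task3",
     "cmd": "shutdown.exe", "args": "/r /t 15 /f"},
    # A legitimate, non-forced maintenance reboot that must not be flagged.
    {"time": "2017-10-24T14:00:00", "host": "WS-101", "task": "Reboot",
     "cmd": "shutdown.exe", "args": "/r /t 600"},
]

def classify(event):
    """Tag a task as 'dispci', 'forced_restart' or None (benign)."""
    line = f"{event['cmd']} {event['args']}".lower()
    if "c:\\windows\\dispci.exe" in line:
        return "dispci"
    flags = {t.lstrip("/-") for t in event["args"].lower().split()}
    if event["cmd"].lower().startswith("shutdown") and {"r", "f"} <= flags:
        return "forced_restart"  # restart (/r) that is forced (/f)
    return None

def find_suspect_hosts(events, window=timedelta(minutes=5), min_tasks=3):
    """Return {host: first_suspicious_time} for hosts that create at least
    min_tasks tasks within window, including a dispci.exe launch and a forced
    restart. Earliest host first, i.e. the patient-zero candidate."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["time"]) - t0 <= window]
            tags = {classify(e) for e in cluster} - {None}
            if len(cluster) >= min_tasks and {"dispci", "forced_restart"} <= tags:
                hits[host] = start["time"]
                break
    return dict(sorted(hits.items(), key=lambda kv: kv[1]))
```

On real data the same logic would be fed from event 4698 (or Sysmon process-creation events for schtasks.exe) after extracting the command and arguments from the task content.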