It's back: another cyber-attack is making headlines in the media. A new ransomware strain dubbed Bad Rabbit started infecting systems early on Tuesday, 24 October, and hit high-profile targets in Russia, Ukraine, Germany and Turkey. By late Tuesday it had begun spreading to the U.S., according to Czech antivirus vendor Avast Software.
The ransomware is delivered via a forged Flash installer and also spreads by trying a list of hard-coded credentials over the SMB protocol. The malware infected several news media agencies in Russia, including the Interfax news agency. In addition, a number of public transportation organizations, including Odessa International Airport and the Kiev Metro in Ukraine, have been affected. There is currently no clear indication as to who is responsible for this attack.
The Computer Emergency Readiness Team at the Department of Homeland Security issued an alert saying it had received “multiple reports” of infections.
Here’s everything you need to know.
What is Bad Rabbit?
Bad Rabbit is a strain of “ransomware” that not only encrypts files but also encrypts the underlying filesystem and takes over the master boot record (MBR) on victims' computers, rendering the machines unusable until the ransom is paid.
Victims are presented with a payment page that includes a countdown timer: a payment of 0.05 bitcoin (around $285) is demanded within roughly the first 40 hours to decrypt the files. The ransom note also states that the amount will increase, so victims must pay more if they do not pay before the timer reaches zero.
How does the ransomware work?
As mentioned earlier, Bad Rabbit is delivered as a drive-by attack from compromised websites. While browsing a compromised site, the user gets a prompt stating “An Update to Adobe Flash Player is available”. Once the user clicks install, the malware installs on the machine and starts encrypting files. It also installs its own boot loader in the MBR and schedules a machine reboot. After the system reboots it displays the ransom note to the user and the OS does not boot. This is similar to Petya/NotPetya, as it is based on a bootkit.
Upon execution, the file tries to gain privileges via the standard UAC prompt. After acquiring them it creates the file “C:\Windows\infpub.dat”. infpub.dat is executed using rundll32 and saves dispci.exe under C:\Windows; this file is responsible for encrypting the files and modifying the boot loader. The C:\Windows directory also contains a file named Readme.txt with information on the encrypted files.
After infecting one machine in a network, such as a single computer in an office, Bad Rabbit looks for any login details stored on that machine and uses them to spread to others.
Bad Rabbit spreads by trying combinations of simple usernames and passwords to brute-force its way across networks. The weak passwords are defaults or commonly used ones such as “secret”, “test123”, “Admin123”, “password”, “12345”, etc.
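The infection chain above names a handful of host artifacts (rundll32 loading infpub.dat, dispci.exe and cscc.dat under C:\Windows, the Readme.txt note) and a short list of weak passwords. The following Python script is an added example, not code from the original article or from any vendor: it scans process-creation records in a constructed, simplified pipe-separated format (time|host|parent|image|cmdline, not a real Sysmon or EDR export) for those artifacts, and checks candidate passwords against the list quoted above. The sample log lines, the regular expressions and the filename install_flash_player.exe are constructed for this example.

```python
"""Hunt for the Bad Rabbit host indicators named in the write-up.

Added example, not part of the original article. The log format below is a
constructed, simplified "time|host|parent|image|cmdline" layout, not a real
Sysmon or EDR export; adapt parse_record() to whatever your telemetry emits.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the article; the regular expressions are this example's own.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "rundll32 loading infpub.dat": re.compile(
        r"rundll32(\.exe)?.*\\windows\\infpub\.dat", re.IGNORECASE),
    "dispci.exe dropped in C:\\Windows": re.compile(
        r"c:\\windows\\dispci\.exe", re.IGNORECASE),
    "cscc.dat in C:\\Windows": re.compile(
        r"c:\\windows\\cscc\.dat", re.IGNORECASE),
    "Readme.txt ransom note in C:\\Windows": re.compile(
        r"c:\\windows\\readme\.txt", re.IGNORECASE),
}

# Weak passwords quoted in the article; comparison is case-insensitive.
WEAK_PASSWORDS = {"secret", "test123", "admin123", "password", "12345"}


def parse_record(line: str) -> Dict[str, str]:
    """Split one constructed log line into its five fields."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    time, host, parent, image, cmdline = fields
    return {"time": time, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def find_indicators(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, indicator name, matching line) for every hit.

    Both the image path and the full command line are searched, so a
    rundll32 launch that names infpub.dat on its command line and a direct
    execution of C:\\Windows\\dispci.exe are both caught.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines rather than failing the whole scan
        rec = parse_record(line)
        haystack = rec["image"] + " " + rec["cmdline"]
        for name, pattern in INDICATORS.items():
            if pattern.search(haystack):
                hits.append((rec["host"], name, line.strip()))
    return hits


def is_weak_password(password: str) -> bool:
    """True if the password is on the quoted list (ignoring case) or shorter than 8 characters."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 8


# Constructed sample records: two benign, two showing the described chain
# (forged Flash installer -> rundll32 with infpub.dat -> dispci.exe in C:\Windows).
SAMPLE_LOG = """\
2017-10-24T10:01:00|WS-01|explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe
2017-10-24T10:02:10|WS-01|firefox.exe|C:\\Users\\alice\\Downloads\\install_flash_player.exe|install_flash_player.exe
2017-10-24T10:02:12|WS-01|install_flash_player.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\infpub.dat
2017-10-24T10:02:15|WS-01|rundll32.exe|C:\\Windows\\dispci.exe|C:\\Windows\\dispci.exe
2017-10-24T10:03:00|WS-02|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt
"""

if __name__ == "__main__":
    for host, name, line in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"[{host}] {name}: {line}")
    for candidate in ("Admin123", "correct-horse-battery"):
        print(candidate, "-> weak" if is_weak_password(candidate) else "-> ok")
```

Running the script flags the two malicious records on WS-01 and nothing on WS-02, and reports Admin123 as weak. The regexes match on the image path and the command line together, so the check still works when the dropper is launched through a different parent than the one in the sample.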
How can you protect yourself against ransomware?
US-CERT discourages victims and organizations from paying the ransom, as this does not guarantee that access will be restored and it encourages the growth of ransomware. Follow the steps below to protect yourself and your organization from infection:
- Install the latest security patches, back up your data and use antivirus software.
- Ensure that passwords are never reused across important accounts.
- Set up two-factor authentication.
- Disable the WMI service if possible.
- Block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
- Train users not to click on suspicious links.
CompCiti Business Solutions, Inc. is one of the oldest and most respected organizations providing network security services in New York. Since 1996, CompCiti has helped its clients get the most from their networks and protect them from outside threats including ransomware and viruses. CompCiti now has CISA-certified technicians, 24/7 emergency support and Level 3 technical support. CompCiti can ensure your IT systems are secure and efficient. To find out more about our managed and security services in New York, please call us at (212) 594-4374 for a free phone consultation and to find out how CompCiti can help protect your systems from any threat, cyber or otherwise.