And then there was Bad Rabbit

Just when you thought it was safe to be on the interwebz, along comes Bad Rabbit!

Propogation

“Bad Rabbit” is a new piece of ransomware similar to NotPetya. It is being observed primarily in Russia but also Ukraine and a number of other countries including Bulgaria, Turkey and even some reports in Germany.

This malware is believed to be entering the network through the execution of an installer masquerading itself as an Adobe Flash Installer package.  As part of the installation process, the malware is provided privileged access by the user, which then allows it to install its payload.

Behaviour

The behaviour is similar to NotPetya (from 26/June/2017) in that it attempts to compromise local passwords which are then used to propogate within the local network using the “EternalBlue” NSA exploit.

The Bad Rabbit malware then uses the Mimikatz tool to extract username/password credentials from affected systems.

Prevention

There are a couple of key things that can be done to avoid infection:

  1. Do not install media from an unauthorised location. If in doubt, don’t grant access, report it
  2. Ensure you are patched up-to-date for software products
  3. Ensure you have the latest anti virus updates installed
  4. If you suspect an infection of this, or any other malware, report it using existing CERT (security response) processes

One specific action that can be done is to create a new endpoint rule that blocks the execution of the following files

  • C:\Windows\infpub.dat
  • C:\Windows\cscc.dat

This will only be relevant for early prevention before antivirus updates are available to protect against this new malware.

Anti Virus Definitions

As of 25/Oct/2017 at 08:15 UTC+01:00, all major Anti Virus vendors have provided update definitions which detect Bad Rabbit. Please be sure to positively validate that you have these installed on your servers and endpoints.

More Information

There is a growing set of useful information and insights into this malware – you can read about it using the following links: