Dubbed Bad Rabbit, this latest ransomware has affected a number of high profile targets across Russia and Ukraine, with detection of the malware also being reported in Germany, Turkey, Poland and South Korea. It is thought that there have been almost 200 infected targets so far.
There are many similarities between Bad Rabbit and an earlier cyber-attack named Petya. Both of these use a similar ransom note telling victims that their files have been encrypted and are unable to be accessed without the key, which is provided after paying a ransom of 0.05 bitcoin (£250 approx.). If the sum isn’t paid within the first 40 hours, this amount increases.
Reports have suggested that the two outbreaks are more closely related than having similar ransom notes, and could even be the work of the same threat actor. Analysis by researchers at Crowdstrike have found that Bad Rabbit and Petya’s DLL (Dynamic Link Library) share 67% of the same code.
It is still unknown who is distributing the malware and taking the payments, as the authorities have not caught the perpetrators. Even though the code is similar to Petya, it is not known if it is the same criminal or group of criminals behind this fraudulent scheme. Whoever it is, they seem to be a fan of Game of Thrones as the names of the three dragons from the TV series and novels are referenced in the code.
The initial infection method is a typical example of social engineering. It begins by users downloading malware that is disguised as fake Adobe Flash Player updates from hacked websites. These websites are compromised by having JavaScript injected into the HTML or files.
Bad Rabbit has a component that means if one person in an organisation clicks the fake Adobe link and becomes infected, it can potentially move to every other computer or server on the network and lock data on all of them. As the ransom is 0.05 bitcoin per device, many businesses risk significant financial losses.
The risk of the infection spreading across the network is further supported by a component of Bad Rabbit that ‘guesses’ commonly used usernames and passwords to try and get access to other systems. It is very important that organisations adhere to a password policy that forces complicated passwords to be used – no using “Password123”!
The good news is that there are things that you can do to protect yourself from Bad Rabbit.
- DO NOT follow any prompts from websites asking you to install things and make sure your employees and colleagues know about the risks too
- Limit local admin rights so people are unable to install software without consent
- Educate your employees and colleagues about cyber security and the potential for social engineering attacks
If Eventura are your Managed IT Services provider, we have checked with our partners to ensure our products can help to keep you protected. These include: AMA web protection, Bit Defender and SonicWALL Gateway antivirus, which have confirmed that these product defend against Bad Rabbit.
Eventura’s email protection partner, Mimecast, announced that they are continuing to monitor the threat, but at this time they are not aware of any instances in which the attack was spread by email.
For more information about how Eventura can help you defend your business from cyber-attacks, get in touch.
As with most cyber security threats though, education and awareness is key.
