Bad Rabbit, Not Not Petya. Another                                                     Ransomware Outbreak!

November 15th, 2017

If that headline makes no sense, you may not have been following CyberSecurity news closely enough! The weeks since October 24th have seen 2017’s 3rd major propagation of a piece of Ransomware, as a modified version of Not Petya, named Bad Rabbit, has spread throughout much of Europe and Asia. The major path for distribution of the malicious code looks to be via a fake Flash update, which appears as a pop-up on legitimate websites that have been compromised. This is an effective attack vector, as users will typically be far more likely to accept such a download from a previously trusted site, than in an email from an unknown sender.

Bad Rabbit appears to have been coded by fans of pop-culture, as the name is a play on Director JJ Abrams’ company Bad Robot, and the code contains the names of three dragons from the immensely popular series Game of Thrones. Taking a queue from Hollywood that they would likely complain about, Bad Rabbit appears to be largely just a reboot of Not Petya, and WannaCry; analysis by Crowdstrike has determined Bad Rabbit to be nearly 70% identical code to its predecessors.

The most interesting difference between Bad Rabbit and the two major outbreaks earlier in the year is that Bad Rabbit appears to discriminate in who it infects. Where WannaCry and NotPetya would infect any environment into which they were execute, Bad Rabbit appears to be able to determine the potential value of users who land on a distribution page, prior to launching an attack. Attacks directly distributed against several specific networks are also suspected in the spread of Bad Rabbit.

The ransomware seizes machines it can access, spreading laterally across an environment by brute-forcing password combinations, encrypts accessible data, and pops-up a familiar message demanding payment in Bitcoin for the release of company/user data. The good news is, since it was identified early, and largely familiar, most organizations have quickly released updates and patches to help block the spread of Bad Rabbit.

CIS’ advises review and deployment of any critical security updates be done regularly as a Best Practice, to ensure the latest protections. While Bad Rabbit does not utilize a known exploit like Eternal Blue, most of the victims in that attack were only exploited because they lacked current updates and patches that had already

Additional information for CIS’ Managed Services Clients who are operating Webroot and Sonicwall:

Webroot : https://community.webroot.com/t5/Announcements/Webroot-Protects-against-Bad-Rabbit/td-p/304856

SonicWALL: https://www.sonicwall.com/en-us/support/knowledge-base/171025100215963