The Bad Rabbit Ransomware Invasion: A Review

In Accelerite Blog

Of the many ways in which malicious attacks are perpetrated, ransomware has been on the rise for half a decade. The modus operandi of most ransomware is similar: the harmful code poses as a legitimate file and users are tricked into downloading it, which is typically known as a drive-by attack. On execution, it either encrypts all the files on the machine or threatens to publish user data unless a ransom (usually in a cryptocurrency like bitcoin) is paid. WannaCry took this to the next level by propagating swiftly without the need for user interaction; but the recent one, Bad Rabbit, may have an agenda of its own.

Seemingly similar to the NotPetya ransomware (~67% code similarity has been reported), Bad Rabbit has one major distinction: it has shown selectivity in choosing its victims. Present as embedded JavaScript on infected websites, it most likely profiles users and selects its victims based on parameters that are not yet known. Victims see a prompt on the web page for an Adobe Flash Player update. A user-triggered download and execution of this "update" results in encryption of all files, and finally the boot drive. A ransom note is then displayed with a time limit of ~41 hours to pay the required 0.05 bitcoin. Failing this, the ransom amount will increase; on paying the amount, a decryption password will be provided to decrypt all files.

Having targeted major establishments across Russia (such as the media house Interfax), parts of Ukraine (the Kiev metro), Germany and Poland, among others, it has propagated mainly through infected sites. But once inside a network, it can move from machine to machine without user action by brute-forcing username and password combinations.
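The machine-to-machine spread described above leaves a footprint a defender can look for: a burst of failed logons (Windows Security event 4625) from one source host against many different accounts. The following script is an added example, not code from the Accelerite post or from the Sentient product; it summarises recent 4625 events per source so a responder can decide which hosts to isolate. It assumes it is run with rights to read the Security log, and the window and threshold values are illustrative and should be tuned to the environment.

```powershell
# Added example (not from the post or from Sentient): summarise failed logons
# per source host to spot the password brute force used for lateral movement.
# Assumptions: rights to read the Security log; $WindowMinutes and $Threshold
# are illustrative defaults.

function Get-FailedLogonSummary {
    param(
        [int]$WindowMinutes = 15,   # how far back to look
        [int]$Threshold     = 10    # failures from one source that count as suspicious
    )

    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625            # "An account failed to log on"
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) { return @() }

    # Pull the named EventData fields out of each event's XML payload
    $rows = foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Target      = $data['TargetUserName']
            LogonType   = $data['LogonType']
        }
    }

    # Many failures spread across many target accounts from one source is the
    # signature of a brute force, not of a user mistyping a password
    $rows | Group-Object SourceIp | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = ($_.Group.Target | Sort-Object -Unique).Count
                FirstSeen     = $times[0]
                LastSeen      = $times[-1]
                Workstations  = ($_.Group.Workstation | Sort-Object -Unique) -join ','
            }
        }
}

# Usage: run on a suspect host; feed SourceIp into the isolation playbook
Get-FailedLogonSummary -WindowMinutes 15 -Threshold 10 | Format-Table -AutoSize
```

A high DistinctUsers count relative to Failures is the discriminating signal: a locked-out employee fails against one account, a worm guessing credentials fails against many.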

Though it seems to be a targeted attack, in such scenarios there is no way to know how targets are being identified and who is next. But we can always be prepared and hence avoid becoming a target.

Sentient coupled with Radia is our unified solution for endpoint detection, management, and response that can trace through your network for potentially impacted machines and help barricade them off from the unaffected parts. This will limit the spread of any such invasions. In the same breath, administering the antidote to prevent such attacks will be doable in seconds.

Options to prevent infection, like retracting execute privileges on the associated .dat files (infpub and cscc), or even revoking administrator privileges to stop installation of the malicious executable, can be disseminated with just a click. Multiple remediation techniques, such as enforcing password policies to defeat a brute-force attack, applying reduced rwx privileges to seal off access, and eliminating unnecessary services from endpoints, can also be achieved easily. It goes without saying that staying up to date with OS patches is a must, and Sentient will do that for you too.
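For readers without a management console, the controls listed above can be applied to a single Windows endpoint by hand. The script below is an added example, not code from the Accelerite post or from Sentient/Radia: it denies execute, write and delete rights on the two .dat payload names, tightens the local password policy, disables a service that is not needed, and reports local Administrators membership and patch age. It assumes an elevated PowerShell 5.1 session, that the payload files would live under C:\Windows (the post does not give a path), and that the service list and password-policy numbers are placeholders to adapt; without -Apply it only reports what it would change.

```powershell
# Added example (not from the post or from Sentient/Radia): apply the
# preventive controls the post lists on one Windows endpoint.
# Assumptions: elevated PowerShell 5.1; payload paths under C:\Windows;
# $UnneededServices and the password-policy numbers are illustrative.
param([switch]$Apply)   # without -Apply, report only

$PayloadPaths     = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')   # assumed paths
$UnneededServices = @('RemoteRegistry')                                  # assumed list

function Deny-ExecuteOnPayload {
    param([string]$Path)
    # Create a placeholder so the dropper cannot later write its own copy
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($Apply) { New-Item -ItemType File -Path $Path -Force | Out-Null }
        else        { "would create placeholder $Path"; return }
    }
    $acl  = Get-Acl -LiteralPath $Path
    # An explicit Deny ACE is evaluated before any Allow, inherited ones included
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ExecuteFile, Write, Delete', 'Deny')
    $acl.AddAccessRule($deny)
    if ($Apply) { Set-Acl -LiteralPath $Path -AclObject $acl; "denied X/W/D on $Path" }
    else        { "would deny X/W/D for Everyone on $Path" }
}

function Set-LocalPasswordPolicy {
    # Longer, rotated passwords blunt the username/password brute force the worm relies on
    if ($Apply) { net accounts /minpwlen:14 /maxpwage:90 /uniquepw:5 | Out-Null; "password policy applied" }
    else        { "would run: net accounts /minpwlen:14 /maxpwage:90 /uniquepw:5" }
}

function Disable-UnneededService {
    foreach ($name in $UnneededServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        if ($Apply) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
            "disabled service $name"
        } else { "would disable service $name (currently $($svc.Status))" }
    }
}

function Get-LocalAdminReport {
    # Every extra member of Administrators is a ready-made install path for the dropper
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-PatchAge {
    # Days since the newest hotfix; a large number means the box is behind on updates
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
}

$PayloadPaths | ForEach-Object { Deny-ExecuteOnPayload -Path $_ }
Set-LocalPasswordPolicy
Disable-UnneededService
"local Administrators members:"; Get-LocalAdminReport | Format-Table -AutoSize
"days since last hotfix: $(Get-PatchAge)"
```

Run it once without -Apply to review the plan, then with -Apply to enforce it. The deny ACE on the payload names is a narrow control for this one family; the password policy, service reduction and patch check are the durable parts that also blunt the next worm.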

Whether it be remediation or prevention, with a unified endpoint detection and management solution like Sentient, you will not only be protected, but also ready to counter any such attacks with the fastest turnaround time.
