CISOs are holding their breath and hoping that the latest ransomware strain being detected in Eastern Europe and Russia isn’t the beginning of a widespread campaign.
The strain, dubbed Bad Rabbit, masquerades as an Adobe Flash update. So far the main way devices are infected is through a drive-by attack — that is by visiting a corrupted Web site whose HTML code or a .js file has been infected with JavaScript. These Web sites were in Russia, Bulgaria and Turkey. Victims were then redirected to a site that downloads the malware.
Since reports on the attack were raised Tuesday that site has been taken down. It apparently was live for only six hours.
Once inside a network Bad Rabbit spreads by collecting user credentials with the Mimikatz tool as well as using hard coded credentials, says Palo Alto Networks and Cisco Systems Talos threat intelligence service, for spreading across the network. Included is a list of common weak passwords (god, sex, secret. love, 123456, Admin123 etc.) the malware uses for testing logins.
According to Eset, victims include several transportation organizations in Ukraine and as well as some governmental organizations.
Bad Rabbbit appears to have some similarities to Nyetya, says Cisco Systems’ Talos threat intelligence blog, “in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.
The malware modifies the Master Boot Record (MBR) of the infected system’s hard drive to redirect the boot process into the malware authors code, which then displays the ransom note after a system reboot.
This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as Windows SMB (server message block) to proliferate, says Talos. “In this example the initial vector wasn’t a sophisticated supply chain attack. Instead it was a basic drive-by-download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape: Threats spreading quickly, for a short window, to inflict maximum damage.”
This threat also amplifies the importance of educating anyone who uses an Internet-connected device, adds Talos. “In this attack the user needs to facilitate the initial infection. If a user doesn’t help the process along by installing the Flash update it would be benign and not wreak the devastation it has across the region. Once a user facilitates the initial infection the malware leverages existing methods, such as SMB, to propagate around the network without user interaction.”
Several vendors including Cisco, Paolo Alto Networks, Eset and others said their software quickly created rules, including blacklisting the distribution Web site, and protects against this particular exploit.
At this time there isn’t a known fix for machines that have been infected. Palo Alto Networks notes that multi-factor authentication (MFA) can stop the usage of valid credentials, which were potentially leveraged to infect additional systems across the network.
And, of course, the best defence against ransomware is off-site backup … and a practiced re-installation procedure.