This “Bad Rabbit” is no Peter Cottontail

Virtual Armour Cybersecurity

The Story

Eastern Europe is in the midst of yet another ransomware epidemic going by the name of Bad Rabbit. Several Russian, Ukrainian, Turkish, and even German-based organizations have already experienced breaches.

The first to be hit were the Russian media companies Fontanka and Interfax, along with Odessa International Airport in Ukraine.

Bad Rabbit behaves much like this year’s earlier outbreaks, WannaCry and Petya: the malicious code encrypts the victim’s data and demands a ransom in exchange for getting it back – typical ransomware behavior.

What sets this particular ransomware apart from the earlier attacks this year is its initial infection vector, which at this stage appears to be web-based rather than exploit-driven.

The Spread

The attack begins with the user being redirected from a legitimate (compromised) website to a malicious web resource, where the ransomware poses as an Adobe Flash update. The user is prompted to download a file named install_flash_player.exe, which must be launched manually by the target; no exploit is involved, so the infection depends on the victim choosing to run it.

The following URL (shown defanged) is the distribution point associated with the Bad Rabbit outbreak:

hxxp://1dnscontrol[.]com/flash_install.php

Once the ransomware executes, the user’s data is encrypted and the victim is directed to a .onion (Tor) site, where they are asked to pay 0.05 Bitcoin to recover it.

If the victim does not pay within the allotted time, the fee increases. Unlike some other recent ransomware, Bad Rabbit is reported not to wipe the data it encrypts, so paying victims can in principle get their files back.
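As an added example (not part of the original post), here is a quick PowerShell triage check for the infection chain just described, using the two indicators the post names: the distribution domain and the dropper file name. It uses only built-in cmdlets; the function names are this example’s own. A hit is a lead to investigate, not proof of infection, since a user who installed a genuine Flash update can also have a file by that name.

```powershell
# Added example, not code from the original post.  Triage a suspect Windows
# endpoint for the two Bad Rabbit indicators given above.  The function names are
# this example's own; the indicator values come from the post.

$BadRabbit = @{
    Domain   = '1dnscontrol.com'          # distribution domain (defanged in the post)
    FileName = 'install_flash_player.exe' # fake Flash updater the victim is asked to run
}

function Find-BadRabbitDropper {
    # The dropper lands wherever the browser saved it, so walk every user profile.
    # -Force includes hidden folders such as AppData; errors on locked files are ignored.
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ChildItem -Path $_.FullName -Recurse -Force -File `
            -Filter $BadRabbit.FileName -ErrorAction SilentlyContinue
    } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Created   = $_.CreationTime
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash  # for threat-intel lookup
            SigStatus = $sig.Status                     # NotSigned / HashMismatch are red flags
            Signer    = $sig.SignerCertificate.Subject  # compare with the signer on a genuine Adobe installer
        }
    }
}

function Find-BadRabbitDnsLookup {
    # The client resolver cache only shows recent lookups; for history, pull the
    # DNS server or proxy logs.  Matches the domain and any subdomain of it.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$($BadRabbit.Domain)" } |
        Select-Object Entry, Data, TimeToLive
}

function Test-BadRabbitIndicators {
    # Returns $true when anything suspicious is found and prints the evidence.
    $files = @(Find-BadRabbitDropper)
    $dns   = @(Find-BadRabbitDnsLookup)
    if ($files.Count -eq 0 -and $dns.Count -eq 0) {
        Write-Host "No Bad Rabbit indicators found on $env:COMPUTERNAME."
        return $false
    }
    Write-Warning "Bad Rabbit indicators on $env:COMPUTERNAME - isolate the host and preserve this evidence before any cleanup."
    $files | Format-Table -AutoSize
    $dns   | Format-Table -AutoSize
    return $true
}

Test-BadRabbitIndicators
```

Run it from an elevated prompt so every profile is readable. The SHA256 and signer fields are what you would hand to your endpoint vendor or threat-intel feed; the post itself publishes no hashes, so the script deliberately does not compare against any.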

The Prevention

All is not lost! There are several preventative measures that can be implemented to help mitigate this attack.

On next-generation firewalls, an organization should enable file blocking (executables downloaded over HTTP are the obvious place to start), enforce a strong web filtering policy, and ensure that IDS/IPS signature updates are enabled.

At the network level, organizations should segregate critical infrastructure so that high-value assets sit in their own DMZs and VLANs, limiting how far an infected workstation can reach.

At the system level, a solid Group Policy is essential, in particular one that prevents non-admin user accounts from running executables, especially from the AppData location where browsers and droppers write downloaded files. A DNS blackhole (sinkhole) should be set up for the malicious domain so that lookups for it never reach the real host. Suitable endpoint protection is a must, along with vulnerability scanning and, last but not least, a 3-2-1 backup policy: at least 3 copies of your data, 2 of them local but on different media, and at least 1 copy offsite.
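Two of those controls as a Windows administrator would actually script them, added here as an example rather than anything from the original post: a DNS sinkhole zone for the distribution domain named above, and an AppLocker policy that stops standard users launching executables from under AppData. It assumes a Windows DNS server (DnsServer module) for the first part and a host with the AppLocker module (Windows Enterprise or Server) for the second; the policy is created in AuditOnly mode on purpose, so the AppLocker event log shows what it would have blocked before it is switched to Enabled.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post.  Assumes the DnsServer module
# (Windows DNS Server role) and the AppLocker module (Windows Enterprise/Server).

# --- 1. DNS blackhole for the distribution domain ---------------------------
# Becoming authoritative for the domain makes every client get 0.0.0.0 instead of
# the real answer.  The wildcard record covers subdomains as well as the apex.
$SinkholeDomain = '1dnscontrol.com'   # indicator from the post
$SinkholeIP     = '0.0.0.0'           # or an internal monitoring host, to log who asked

if (-not (Get-DnsServerZone -Name $SinkholeDomain -ErrorAction SilentlyContinue)) {
    # On a non-AD DNS server use -ZoneFile "$SinkholeDomain.dns" instead of -ReplicationScope.
    Add-DnsServerPrimaryZone -Name $SinkholeDomain -ReplicationScope 'Domain'
}
foreach ($label in '@', '*') {
    Add-DnsServerResourceRecordA -ZoneName $SinkholeDomain -Name $label `
        -IPv4Address $SinkholeIP -TimeToLive (New-TimeSpan -Minutes 5)
}

# --- 2. AppLocker: no executables from AppData for standard users -------------
# AppLocker denies anything no Allow rule covers, so the three default Allow rules
# (Program Files, Windows, and "everything" for Administrators) already block a
# dropper saved under a user profile.  The explicit Deny for AppData is added on
# top because Deny always beats Allow: a later broad Allow rule cannot quietly
# re-open the path.  Note the Deny applies to administrators too; scope its
# UserOrGroupSid to a non-admin group if admins must run installers from AppData.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE from user AppData" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'
$PolicyXml | Out-File -FilePath $PolicyPath -Encoding utf8

# Dry run: what would the policy decide for an executable dropped where the
# fake Flash updater lands?  An empty probe file stands in for the dropper.
$Probe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
New-Item -ItemType File -Path $Probe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Probe -User 'S-1-5-32-545'  # built-in Users group
Remove-Item -Path $Probe -Force

# Apply locally, merging with any existing rules.  For the whole estate import the
# same XML into a GPO (Computer Configuration > Windows Settings > Security Settings
# > Application Control Policies) and change EnforcementMode to Enabled once the
# audit events (Microsoft-Windows-AppLocker/EXE and DLL) show no business impact.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# AppLocker only enforces while the Application Identity service is running.
# sc.exe is used because Set-Service cannot change this protected service's start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

The sinkhole answers for the one domain the post names; in practice you would feed the zone list from your threat-intel source rather than hand-editing it per outbreak, and point the sinkhole address at an internal host whose web logs tell you which machines tried to fetch the dropper.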