‘Bad Rabbit’ Ransomware Strikes in Ukraine, Russia

Oct 27, 2017:

by Rick McElroy, Security Strategist, Carbon Black

In a similar outbreak to both WannaCry and Petya from earlier this year, it appears a new strain of ransomware known as “Bad Rabbit” has been found spreading in the Ukraine, Russia and elsewhere.

Bad Rabbit encrypts the contents of a computer and asks for a payment of 0.05 bitcoins, or about $280.

As reported by multiple news outlets, the ransomware has so far affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev.

Rick McElroy, Security Strategist, Carbon Black

Ukraine continues to remain in the spotlight as the cyber canary in the coal mine. Russia often uses the Ukraine to test before launching global scale attacks. The net? What happens in the Ukraine does not usually stay in the Ukraine for long.

Important to note here is that “Bad Rabbit” is being spread by a fake Flash update using EternalBlue, which is the same leaked NSA exploit which aided the spread of WannaCry and Petya. EternalBlue leverages a version of Windows’ Server Message Block (SMB) networking protocol in order to laterally spread through networks. Flash continues to remain one of the top threats to an organization. It’s been a problem for virtually its whole life and it appears to becoming worse. Java is another.

Protection against the EternalBlue exploit can be fairly basic. The exploit targets servers with SMB network sharing exposed to the Internet, a feature that should be immediately considered for deactivation. Servers are targeted over the standard network ports for the SMB service, all of which can be actively disabled in an organization’s firewalls.

More importantly, these exploits have been actively resolved by current, and ongoing, patches released by Microsoft. Patches should be considered for immediate testing and release within an environment. These suggestions follow the established SMB Security Best Practices.

Ransomware continues to be a major attack vector for cyber criminals. Carbon Black research recently found that, from 2016 to 2017, there has been a 2,502% increase in the sale of ransomware on the dark web. This increase is largely due to a simple economic principle – supply and demand. Cyber criminals are increasingly seeing opportunities to enter the market and looking to make a quick buck via one of the many ransomware offerings available via illicit economies. In addition, a basic appeal of ransomware is simple: it’s turnkey. Unlike many other forms of cyberattacks, ransomware can be quickly and brainlessly deployed with a high probability of profit.