Cyber Security - Bad Rabbit

October 26th, 2017
WHAT IS BAD RABBIT?
Many organizations world wide are under the Bad Rabbit strain of ransomware that has similarities to the NoPetya attack.

 

The outbreak started Tuesday and froze computer systems in several European countries, and began spreading to the U.S., the latest in a series of attacks.

The Department of Homeland Security's Computer Emergency Readiness Team issued an alert saying it had received "multiple reports" of infections.

Russia's Interfax news agency reported on Twitter that the outbreak shut down some of its servers, forcing the agency to utilize its Facebook account to deliver news.

The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim, though it isn't clear whether paying the ransom unlocks a computer's files. You have just 40 hours to pay.

HOW BAD RABBIT WORKS
Bad Rabbit uses Mimikatz to extract credentials from the local computer's memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB (Shared folders/files) and WebDAV (.Web based document Authoring and Versioning)

The hardcoded creds are hidden inside the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a worst passwords list. In addition to this, Bad Rabbit, is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user's computer and then replaces the MBR (Master Boot Record). This effectively bricks your computer.

DON'T PAY THE RANSOM
Of course paying the ransom is a very bad idea. Cybersecurity experts have warned businesses against meeting hackers' demands for money in the wake of the "unprecedented" attack on hundreds of thousands of computer systems around the world.

Cybersecurity Experts agree that whether or not to agree to ransomware demands presented practical and ethical dilemmas.

"As a matter of principle, the answer should always be no … based on the simple dynamics of perpetuating bad conduct."

"However, as a matter of practicality and necessity, the situation is somewhat more complex."

Experts point to the Australian Telstra cybersecurity report 2017, which found that that 60% of Australian organisations had experienced at least one ransomware incident in the previous 12 months.

Of that figure, 57% paid the ransom. Nearly one in three of the organisations that paid did not recover their files.

"You really are rolling the dice if you choose to pay a ransom, and your chances aren't good," the researchers found.

The report concluded that paying the ransom was a "dubious choice" when it did not guarantee the release of the data and could have the effect of labeling businesses as "soft target", increasing their chances of being attacked again in future.

HOW TO PROTECT AGAINST RANSOMWARE

Of course the four big steps you can take are 

    1. Education - Don't be fooled by social engineering hacks
    2. Strong passwords
    3. Update software (Especially security patches)
    4. Run client based anti-virus/anti-malware/anti-ransomware like Bit Defender on all for your PCs/phones/tablets