Bad Rabbit outbreak; impact and mitigation

In the early evening Central European Time, reports began to emerge about a Petya variant dubbed Bad Rabbit, spreading from Russia, Ukraine, Turkey and Bulgaria. Later that evening from our Cyber Defense Center saw infections spreading through western Europe, particularly Belgium and tentatively Sweden. It’s reported Bad Rabbit has infected networks in the US too.

Afbeeldingsresultaat voor badrabbit

Bad Rabbit is an evolution on (Not)Petya crypto ransomware. It has some key differences;

  • It doesn’t use the EternalBlue SMB vulnerability
  • It uses a pretty straightforward drive by “flash update” to infect machines. In other words, they rely on tricking the user.
  • It uses a crude hardcoded password system for “lateral movement”.
  • They put more effort in the payment and returning private keys processes, using a TOR website. This indicates, in contrast with NotPetya, these people are more serious about making money out of Bad Rabbit.

We will closely monitor impact and share updates over the day. Our Cyber Defense Center customers will get new information as it comes in.

How to mitigate

  • Most AVs have updated signatures that detect Bad Rabbit.
  • Furthermore, as long as you don’t run with administrator privileges, you should be ok. Researchers report they haven’t found any UAC bypassing techniques.
  • Another researcher has found a “vaccination” for Bad Rabbit: creating 2 files (c:\windows\infpub.dat and c:\windows\cscc.dat)¬†and removing all permissions stops Bad Rabbit in its track. We have tried this method and can confirm it works.

Further reading:

Contact

Do you want more information about this topic? Please contact us.