There is a new ransomware outbreak affecting users primarily located in Russia, Ukraine, Bulgaria, Turkey and Japan, plus a small number of U.S. victims. As BleepingComputer reported, the victims include some of Russia’s banks, and systems at Ukraine’s Kiev Metro and the Odessa international airport have failed, causing disruptions in service.
WeLiveSecurity has provided a comprehensive account of how this particular ransomware variant, named Bad Rabbit and ranked as severe by Microsoft, infects users; Cylance provides a more technical overview. The strain is said to be a variant of NotPetya, the highly destructive malware that spread globally back in June.
Bad Rabbit Ransomware Infection Methods
There are two observed Bad Rabbit infection methods (though likely not the only ones):
Drive-by Download
Compromised websites show a pop-up prompting the visitor to install a fake Adobe Flash Player update. After the user clicks Install, an executable file is downloaded to their computer, launching the ransomware and locking their machine.
SMB + Stolen Credentials
The ransomware’s executable file scans the network for open SMB shares. It then launches Mimikatz, a publicly available post-exploitation tool that extracts Windows credentials (passwords and hashes) from the memory of the compromised computer.
The malware also tries a hardcoded list of common usernames and passwords to authenticate to other hosts. Once it has valid credentials, it copies the ransomware file into the Windows directory of the remote host and executes it by registering it as a service through the Service Control Manager.
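The three steps above (trying a list of credentials, reusing one that works across many hosts over SMB, then installing a service on each host) leave a recognisable trail in Windows event logs. The following is an added example, not code from the article or from any vendor write-up: it runs simple correlation logic over constructed event records using the real Windows event IDs 4625 (failed logon), 4624 with LogonType 3 (network logon, which SMB uses) and 7045 (new service installed). The thresholds, host names, accounts, addresses and the service and file names are assumptions made for the example.

```python
"""Flag Bad Rabbit-style SMB lateral movement in Windows event records.

Added example, not from the article. It correlates three signals on a
constructed sample log: many distinct accounts failing from one source
(hardcoded credential list), one account then logging on over the network
to several hosts (stolen credentials + SMB), and a new service installed
on those hosts shortly after the logon (execution via the Service Control
Manager). Thresholds and all names/addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # correlation window (assumption)
SPRAY_MIN_ACCOUNTS = 4           # distinct accounts failing from one source
LATERAL_MIN_HOSTS = 3            # distinct hosts one account reaches over SMB


def ev(ts, host, eid, **fields):
    """Build one event record; a real deployment would parse EVTX/XML instead."""
    return {"time": datetime.fromisoformat(ts), "host": host, "id": eid, **fields}


# Constructed sample log, not a real capture.
SAMPLE_EVENTS = [
    # benign background activity
    ev("2017-10-24T09:30:00", "WS-01", 4624, account="alice", source="10.0.5.50", logon_type=2),
    ev("2017-10-24T09:45:00", "WS-01", 7045, service="Spooler", image=r"C:\Windows\System32\spoolsv.exe"),
    ev("2017-10-24T09:50:00", "FS-01", 4624, account="bob", source="10.0.5.51", logon_type=3),
    # hardcoded credential list tried against WS-07 from an infected host
    ev("2017-10-24T10:00:01", "WS-07", 4625, account="Administrator", source="10.0.5.23"),
    ev("2017-10-24T10:00:02", "WS-07", 4625, account="Admin", source="10.0.5.23"),
    ev("2017-10-24T10:00:02", "WS-07", 4625, account="Guest", source="10.0.5.23"),
    ev("2017-10-24T10:00:03", "WS-07", 4625, account="User", source="10.0.5.23"),
    ev("2017-10-24T10:00:03", "WS-07", 4625, account="root", source="10.0.5.23"),
    # a credential dumped from memory then works on several hosts over SMB
    ev("2017-10-24T10:01:10", "WS-07", 4624, account="jsmith", source="10.0.5.23", logon_type=3),
    ev("2017-10-24T10:01:12", "WS-08", 4624, account="jsmith", source="10.0.5.23", logon_type=3),
    ev("2017-10-24T10:01:15", "FS-01", 4624, account="jsmith", source="10.0.5.23", logon_type=3),
    # a service is registered on each newly reached host, pointing into C:\Windows
    ev("2017-10-24T10:01:20", "WS-08", 7045, service="svcupd", image=r"C:\Windows\svcupd.exe"),
    ev("2017-10-24T10:01:30", "FS-01", 7045, service="svcupd", image=r"C:\Windows\svcupd.exe"),
]


def _distinct_in_window(evs, key, threshold):
    """First set of >= threshold distinct `key` values seen inside one WINDOW, else None."""
    evs = sorted(evs, key=lambda e: e["time"])
    for i, first in enumerate(evs):
        seen = {e[key] for e in evs[i:] if e["time"] - first["time"] <= WINDOW}
        if len(seen) >= threshold:
            return seen
    return None


def credential_spraying(events):
    """Sources whose failed logons (4625) cover SPRAY_MIN_ACCOUNTS+ accounts inside WINDOW."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["source"]].append(e)
    hits = {}
    for src, evs in by_source.items():
        accounts = _distinct_in_window(evs, "account", SPRAY_MIN_ACCOUNTS)
        if accounts:
            hits[src] = accounts
    return hits


def lateral_movement(events):
    """Accounts with network logons (4624, type 3) to LATERAL_MIN_HOSTS+ hosts inside WINDOW."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append(e)
    hits = {}
    for acct, evs in by_account.items():
        hosts = _distinct_in_window(evs, "host", LATERAL_MIN_HOSTS)
        if hosts:
            hits[acct] = hosts
    return hits


def suspicious_services(events):
    """7045 service installs on a host within WINDOW after a flagged account's network logon."""
    flagged = lateral_movement(events)
    logons = [e for e in events
              if e["id"] == 4624 and e["logon_type"] == 3 and e["account"] in flagged]
    alerts = []
    for e in events:
        if e["id"] != 7045:
            continue
        for lg in logons:
            if lg["host"] == e["host"] and timedelta(0) <= e["time"] - lg["time"] <= WINDOW:
                alerts.append({"host": e["host"], "service": e["service"],
                               "image": e["image"], "account": lg["account"]})
                break
    return alerts


if __name__ == "__main__":
    print("credential spraying:", credential_spraying(SAMPLE_EVENTS))
    print("lateral movement:", lateral_movement(SAMPLE_EVENTS))
    for a in suspicious_services(SAMPLE_EVENTS):
        print("ALERT new service after SMB logon:", a)
```

The service-install rule deliberately keys on the correlation (a service appearing on a host right after a flagged account's SMB logon) rather than on a fixed file name, since an image path is trivial for an attacker to change; the Spooler install on WS-01 is not flagged because no flagged account reached that host.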
Protecting Against Ransomware
The US-CERT’s advisory from July provides advice on ransomware, patching and phishing, since malware can spread in a number of ways. Here are some of their tips, plus links to a few other resources:
- Frequently back up your systems and important files to a device that is not reachable over the network (offline or otherwise isolated); verify the backups regularly.
- Practice caution when clicking on links in emails or opening email attachments; verify web addresses and senders independently.
- Microsoft has provided guidelines on protecting against malicious use of the SMB protocol, and the US-CERT’s SMB Security Best Practices cover mitigation of the SMB vulnerability exploited earlier this year.
- Microsoft’s threat advisory states that Windows Defender Antivirus version 220.127.116.11 and higher detects and removes Bad Rabbit, so be sure your definitions and systems are up to date.
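The first tip above has two parts that are easy to skip: verifying that an offline backup is still intact, and making sure an already-infected machine does not push ransomware output into the next backup. The following is an added example, not code from the article or from US-CERT, that implements both checks: a SHA-256 manifest recorded when the backup is taken, and a pre-refresh check that refuses files which changed and now have near-maximal byte entropy, the signature of encrypted content. The paths, entropy threshold and sample files are constructed for the example.

```python
"""Integrity manifest for an offline backup, plus a pre-backup ransomware check.

Added example, not from the article or US-CERT. (1) verify_backup checks the
offline copy against a SHA-256 manifest taken when it was made; (2)
suspicious_changes refuses files that changed since the manifest and went
from low to high entropy, so ciphertext does not overwrite good backups.
Paths, the entropy threshold and the sample files are assumptions.
"""
import hashlib
import math
import random
import tempfile
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; 8.0 is the maximum (threshold is an assumption)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(src: Path) -> dict:
    """Record hash and entropy of every file under src, keyed by relative name."""
    return {
        str(p.relative_to(src)): {"sha256": sha256_file(p), "entropy": byte_entropy(p.read_bytes())}
        for p in sorted(src.rglob("*")) if p.is_file()
    }


def verify_backup(backup: Path, manifest: dict) -> list:
    """Names of manifest files that are missing from, or altered in, the backup."""
    problems = []
    for name, rec in manifest.items():
        p = backup / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != rec["sha256"]:
            problems.append(f"modified: {name}")
    return problems


def suspicious_changes(src: Path, manifest: dict) -> list:
    """Files that changed since the manifest and jumped from low to high entropy."""
    flagged = []
    for name, rec in manifest.items():
        p = src / name
        if not p.is_file():
            continue
        data = p.read_bytes()
        if (hashlib.sha256(data).hexdigest() != rec["sha256"]
                and rec["entropy"] < ENTROPY_LIMIT < byte_entropy(data)):
            flagged.append(name)
    return flagged


def demo() -> dict:
    """Build sample data, simulate one live file being encrypted, return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp, "live"), Path(tmp, "backup")
        src.mkdir()
        backup.mkdir()
        (src / "notes.txt").write_text("quarterly numbers and meeting notes\n" * 50)
        (src / "report.csv").write_text("id,amount\n1,100\n2,250\n" * 40)
        manifest = build_manifest(src)
        for name in manifest:                       # take the offline copy
            (backup / name).write_bytes((src / name).read_bytes())
        clean = verify_backup(backup, manifest)
        # Simulate ransomware on the live machine: deterministic pseudo-random bytes
        rng = random.Random(7)
        (src / "notes.txt").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        return {
            "backup_verified": clean,
            "blocked_from_refresh": suspicious_changes(src, manifest),
            "backup_still_intact": verify_backup(backup, manifest),
        }


if __name__ == "__main__":
    print(demo())
```

In a real job the manifest would be written alongside the backup and signed or stored separately, so that malware on the source machine cannot rewrite it; the entropy rule is a cheap first filter, not a substitute for keeping several dated backup generations.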