Security Central: Bad Rabbit's Tricks Are Not For Kids

Security Central: Bad Rabbit’s Tricks Are Not For Kids

Written by Allison Francis
November 3, 2017

This week’s Security Central takes a peek inside the new wave of ransomware called "Bad Rabbit" that is spreading across eastern Europe. The unknown hackers behind the attack are locking up victims' data and demanding ransoms to be paid in bitcoin.

First of all, happy November everyone! Hard to believe that we’re nearly done with 2017 – the “year of ransomware” as some are depressingly calling it. Last Tuesday, a new ransomware bug dubbed ‘Bad Rabbit’ hippity hopped across Russia, Ukraine, Turkey, Germany, Bulgaria, the United States, and Japan. It’s your average, good ol’ file cryptor that will make a user’s personal files unreadable and will force them to pay a ransom for decrypting them. Good stuff.

The ransomware is the third major spread of malware this year (seriously, 2017… yeesh). It follows in the footsteps of the destructive WannaCry and NotPetya strains of malicious code. Here’s what we know about this wasically wabbit so far:

Uses pieces of code from NonPetya/ExPetr
Distributed as fake Flash update requiring manual installation by a user
Uses system driver for encryption
Tries to distribute itself via local network in a primitive way
Replaces MBR and makes PC unusable
Crashed on Windows 10
Mainly affected Windows corporate users

^{* Source: ITProPortal}

A bit more in-depth, there appeared to be two primary observed ways of Bad Rabbit infection: drive-by download and SMB + stolen credentials. For the drive-by method, JavaScript was injected into the HTML or .js files of popular websites. When a user visits the site, the server loads content into the page and displays a popup that instructs users to download a Flash Player update. If the unsuspecting user clicks ‘Install’, an executable file is downloaded on their computer, launching the ransomware and holding their computer hostage.

SMB + stolen credentials means that the ransomware’s executable file scans networks for open SMB shares. Then Mimikatz, a publicly available tool specifically for Windows users that can be used to steal passwords extracted from memory, is launched on a compromised computer. The malware also uses a list of hardcoded credentials to authenticate to the host. After locating said credentials, the ransomware file is launched into the Windows directory and executed through the Service Control Manager.

“The Bad Rabbit ransomware attack masking itself as a seemingly harmless Adobe Flash update is a classic case of suspicious content employees can fall victim to,” a spokesperson with cloud business applications provider Intermedia told Channel Futures. “Think of how many times you come across a software update on your computer, or a pop-up in a browser, and just click ‘yes’ without hesitation – that’s what hackers look for when designing these types of viruses, especially when targeting corporate networks.”

Ransomware is bad enough when it gets inside the networks of corporations that have the financial resources to throw personnel and after-the-fact emergency security protocol at it. But for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect from such attacks, it can mean the end is nigh. The experts Channel Futures speak to tell us time and again that it just takes one: one slip that gives one hacker access to one terminal, then it’s game over. So what happens if a ransomware attack hits a business that can’t–but somehow, must–afford to pay?

Looking back over the year, 2017 is littered with attacks of every kind, ranging in severity but hitting hard no matter the case or type. The big guys that reared their ugly heads this year, namely WannaCry and Petya, made it painfully clear just how much of a problem ransomware has become. The introduction of Bad Rabbit shows it even further – that malware writers are still out there, alive and well, working on new versions. What’s more, people are still falling for it, as though it’s the first time they’ve ever heard of such a thing. Like children, they’re astonished every time carelessness carries consequences.

So yes, 2017 has been a doozy. But quite frankly, the worst is probably yet to come. There are zillions of theories on what moves attackers may come up with next, but the overarching theme is clear – our defenses are not keeping pace with the sophistication of cyberattacks. Like, at all.

As solution providers, you know all of the elements that go into creating a solid line of defense against hackers. You need firewalls, threat intelligence, quarantines, password and file encryption, backup and recovery, and dozens of other specific pieces that together form a comprehensive solution.

But the real problem these continued ransomware attacks highlight isn’t that organizations lack some critical piece of technology that, if implemented, would magick away all their cybersecurity troubles. The problem is that people are still clicking on that damn Install button, or weird link in an email, or what have you. Until people learn how to ‘adult’ online, hackers are going to keep gleefully gaining entry to networks and wreaking mischief with your clients’ information.

At the end of the day, with all their deep technical skills, vertical expertise, and hard-earned wisdom, will MSSP’s biggest value-add be playing babysitter?