The Threat

On October 24, 2017, eSentire reviewed reports of a new ransomware threat known as “Bad Rabbit”. Reports indicate that this ransomware is a modified version of NotPetya and uses compromised credentials to spread laterally through the network. The list of countries affected by Bad Rabbit is still growing, with infections reported in Russia, Ukraine, Japan, Bulgaria, Germany, and Turkey.

 

What we’re doing:

  • Specific detection rules have been deployed to esNETWORK™ sensors.
  • Known file hashes have been blacklisted in esENDPOINT™ to prevent execution.
  • Distribution sites have been blacklisted using Asset Manager Protect, via esNETWORK.

 

What you should do:

  • Disable local admin shares using Group Policy. Deny remote use of local admin credentials.
  • Avoid reusing local administrator account passwords across systems.
  • Disable or limit remote WMI and file sharing.
  • Conduct regular backups of data.
  • Limit workstation-to-workstation communication using host-based firewalls.
  • Additional prevention steps can be found in US-CERT Alert TA17-181A.

 

Additional Information

  • The ransomware dropper is distributed via a fake Adobe Flash update delivered via drive-by download attacks. The victim must manually download and execute the file with administrator privileges.
  • Bad Rabbit uses Mimikatz to extract credentials from the system and spreads via Server Message Block (SMB) and WMIC using compromised credentials or a hardcoded credential dictionary. It does not use the EternalBlue exploit (unlike NotPetya).
  • We advise victims of a ransomware attack not to pay ransom demands, as there is no guarantee that files will be decrypted.
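
The spreading behaviour described above (SMB and WMIC logons using stolen credentials or a hardcoded credential dictionary) appears in logon telemetry as one workstation producing a burst of mostly failed network logons against several peers. The following is an added example, not eSentire's detection rules; the simplified CSV record format, the hostnames and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, event ID (4624 = logon success, 4625 = failure),
# logon type (3 = network, as used by SMB and remote WMI), source, target, account.
SAMPLE_EVENTS = """\
2017-10-24T10:00:01,4625,3,WKS-014,WKS-020,administrator
2017-10-24T10:00:02,4625,3,WKS-014,WKS-020,admin
2017-10-24T10:00:04,4625,3,WKS-014,WKS-021,administrator
2017-10-24T10:00:05,4625,3,WKS-014,WKS-021,admin
2017-10-24T10:00:07,4625,3,WKS-014,WKS-022,guest
2017-10-24T10:00:08,4624,3,WKS-014,WKS-022,administrator
2017-10-24T10:01:30,4624,3,WKS-030,FILESRV-01,jsmith
2017-10-24T10:02:10,4625,3,WKS-030,FILESRV-01,jsmith
2017-10-24T10:03:00,4624,2,WKS-031,WKS-031,mlee
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, dst, user = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), src, dst, user

def find_spreading_hosts(text, window=timedelta(minutes=5),
                         min_targets=3, min_failures=5):
    """Flag sources with a burst of failed network logons across several peers."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, dst, user in parse(text):
        if logon_type == 3 and event_id in (4624, 4625) and src != dst:
            by_source[src].append((ts, event_id, dst, user))
    findings = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            chunk = events[start:end + 1]
            failures = [e for e in chunk if e[1] == 4625]
            targets = {e[2] for e in chunk}
            if len(targets) >= min_targets and len(failures) >= min_failures:
                findings[src] = {
                    "targets": sorted(targets),
                    "failed_accounts": sorted({e[3] for e in failures}),
                    "succeeded_on": sorted({e[2] for e in events if e[1] == 4624}),
                }
                break
    return findings
```

Calling `find_spreading_hosts(SAMPLE_EVENTS)` flags only WKS-014; the `succeeded_on` list names the peers that accepted a logon from the flagged source and should be triaged next.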

 

For more information please visit:

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

http://blog.trendmicro.com/trendlabs-security-intelligence/bad-rabbit-ransomware-spreads-via-network-hits-ukraine-russia/
