Bad Rabbit Ransomware


News has just broken that a new wave of ransomware hit several targets in Russia and Eastern Europe on Tuesday, according to media reports and several security companies. The malware, dubbed Bad Rabbit, has hit three Russian media outlets, including the news agency Interfax, according to Russian security firm Group-IB. Once it infects a computer, Bad Rabbit displays a message in red letters on a black background, the same aesthetic used in the massive NotPetya ransomware outbreak. A Group-IB spokesperson said that Bad Rabbit, a “new mass cyberattack”, has targeted the Russian media companies Interfax and Fontanka, as well as targets in Ukraine such as the airport of Odessa, the Kiev subway, and the Ministry of Infrastructure of Ukraine. IT security experts commented below.

Chris Doman, Security Researcher at AlienVault:

“This wouldn’t be the first time that an airport in Ukraine suffered a destructive cyber-attack, and we are currently investigating to determine the strength of the links to the NotPetya attacks. There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion, but so far the damage does not seem as widespread as WannaCry or NotPetya.”



Manoj Asnani, VP Product and Design at Balbix:

“For organizations to effectively defend against attacks like Bad Rabbit, they need to have instant visibility into which of their assets are susceptible to the attack. On-tap visibility is very hard to achieve manually. Security teams must have automated systems in place that can continuously monitor these types of attack vectors and provide vital information instantly when needed. Organizations without automation in place are at a huge defensive disadvantage against fast-spreading malware like this.”

Vyacheslav Zakorzhevsky, Head of Anti-Malware Research Team at Kaspersky Lab:

“According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany. This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. However, we cannot confirm it is related to ExPetr. We continue our investigation.

Kaspersky Lab’s products detect the attack with the following verdicts: UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network) and PDM:Trojan.Win32.Generic (detected by System Watcher).

We recommend that our corporate customers make sure that all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled. To those companies that are not using our security solutions, we recommend that they restrict execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat using the System Administrator’s instruments.”
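As an added, illustrative example of the path restriction recommended in the quote above (not Kaspersky’s own instructions and not part of the original article): a PowerShell script, run from an elevated prompt, that pre-creates the two named paths as empty placeholders and applies an explicit deny-all ACL so that nothing can be written to or executed from those locations. The placeholder-plus-deny-ACL approach and the function names are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not Kaspersky's instructions): lock down the two file paths
# named in the advisory so they cannot be written or executed.

$BadRabbitPaths = @(
    (Join-Path $env:WINDIR 'infpub.dat'),
    (Join-Path $env:WINDIR 'cscc.dat')
)

function Protect-Path {
    param([Parameter(Mandatory)][string]$Path)

    # Create an empty placeholder only if nothing is there yet. A file that
    # already exists at this path deserves investigation, not silent replacement.
    if (Test-Path -LiteralPath $Path) {
        Write-Warning "$Path already exists; inspect it before locking it down."
    } else {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Set ReadOnly before applying the ACL; afterwards attribute writes are denied too.
    Set-ItemProperty -LiteralPath $Path -Name Attributes -Value 'ReadOnly'

    $acl = Get-Acl -LiteralPath $Path
    # Block inheritance and do not copy inherited ACEs, so only our rule remains.
    $acl.SetAccessRuleProtection($true, $false)
    # Explicit Deny for Everyone covers read, write and execute.
    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'FullControl', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-PathProtected {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    # Protected = inheritance blocked and an explicit Deny/FullControl for Everyone present.
    $hasDeny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.FileSystemRights -eq 'FullControl'
    }
    return ($acl.AreAccessRulesProtected -and [bool]$hasDeny)
}

foreach ($p in $BadRabbitPaths) {
    Protect-Path -Path $p
    '{0}: protected={1}' -f $p, (Test-PathProtected -Path $p)
}
```

This only blocks the two specific paths and does not clean an already infected host; an administrator retains the ability to take ownership and reverse the ACL.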

Rich Campagna, CEO at Bitglass:

“The danger in new ransomware variants is the potential for spread to vulnerable devices. Where endpoints are not yet updated to detect these zero-day attacks, cloud app threat protection can serve as an organization’s first line of defense. As ransomware evolves and becomes more potent, the ability to identify malware in the cloud based on the characteristics of a file as opposed to hash or signature-based scans can prove critical.”