Understanding the Threat: Bad Rabbit Ransomware Spreads Worldwide

The United States Computer Emergency Readiness Team (US-CERT) is warning of a new ransomware campaign called Bad Rabbit, which appears to be a variant of the Petya ransomware that was first detected in early 2016.

“US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored,” US-CERT stated in an alert. “Using unpatched and unsupported software may increase the risk of proliferation of cyber security threats, such as ransomware.”

The leading targets appear to be in Ukraine and Russia — CNN reports that victims include the Russian media groups Interfax and Fontanka, the Kiev Metro, Odessa International Airport and Ukraine’s Ministry of Infrastructure. Interfax confirmed on Twitter that it was impacted by the attacks.

Still, other countries are being hit as well — according to ESET, while Russia accounts for 65 percent of infections and Ukraine accounts for 12.2 percent, Bulgaria accounts for 10.2 percent of infections, Turkey for 6.4 percent, and Japan for 3.8 percent.

A recent Avast blog post includes a global map of Bad Rabbit infections.

Spreading Globally

Sophos researchers report that Bad Rabbit is being distributed via compromised media websites displaying fake Adobe Flash install prompts.

“Once it infects a computer, the ransomware attempts to move laterally using a list of hardcoded credentials, featuring predictable user names such as root, guest and administrator, and passwords straight out of a worst passwords list,” Sophos’ Bill Brenner wrote. “Another reminder, if one were needed, that all of your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.”

STEALTHbits Technologies vice president of product strategy Gabriel Gumbs told eSecurity Planet by email that unlike most ransomware, Bad Rabbit also uses the open source tool Mimikatz to harvest credentials.

“This could simply be to widen its reach internally for the purpose of further encrypting the files of users with elevated privileges, it may be used to hide inside compromised networks, or the ransom itself could be a decoy from the attack’s real purpose,” Gumbs said. “What we can definitively say today is the only reason you would package Mimikatz with ransomware is for the purpose of further exploiting internal networks — not simply to ransom files.”

It’s not clear at this point whether Bad Rabbit is actually functioning ransomware or, like the recent NotPetya attacks, it’s simply a wiper posing as ransomware.

Regardless, VASCO Data Security CISO Christian Vezina said, it’s important to keep in mind that Bad Rabbit uses social engineering tactics to spread. “By teaching your users not to simply click on any link that is presented to them, you may be able to limit your exposure,” he said.

David Zahn, general manager of the cybersecurity business unit at PAS, said Bad Rabbit presents a particularly serious threat to critical infrastructure. “The engineers who manage the industrial control systems that are at the heart of critical infrastructure — namely power generation, oil and gas, and more — are chiefly concerned with maintaining reliability and process safety,” he said. “Ransomware presents a particular risk to both as encrypted systems in a facility can mean loss of view into volatile processes or production disruptions.”

A Recurring Threat

Forty-six percent of enterprises experienced a ransomware attack in the past 12 months, according to a recent survey of 300 IT professionals by Cylance and the Enterprise Strategy Group.

In 56 percent of cases, more than five percent of the company’s endpoints were impacted.

“Nearly a quarter of research participants whose organizations have been recent ransomware victims stated that they experienced a recurrence of the same ransomware on the same endpoints, and 38 percent experienced the same ransomware but on different endpoints,” the report states.

Still, just 12 percent of respondents said they paid the ransom.

One quarter of respondents said ransomware is the most frequent threat type they’ve faced over the past two years, and 23 percent said it’s the most difficult to detect.

Thirty-eight percent said ransomware poses the greatest risk to their organization’s endpoints.

“Damages from ransomware extend far beyond loss of the data itself, and in extreme cases such as health care providers, ransomware can delay or even prevent providing patient care,” the report states.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
