This article is part of our Essential Guide: Containing ransomware outbreaks now a top infosec priority

Bad Rabbit malware raises fears of third global ransomware attack

A ransomware attack that has commonalities with WannaCry NotPeya is reportedly hitting organisations in Russia, Ukraine, Turkey, Bulgaria and Germany

Five months after the WannaCry and four months after the NotPetya global attacks, a new variant dubbed Bad Rabbit has reportedly hit almost 200 targets, including media organisations, an airport and an underground railway.

Most attacks to date have been reported in Russia, where Bad Rabbit is encrypting computers and demanding 0.05 bitcoins, equivalent to £210 or $277, raising fears of a third global ransomware attack. 

Just as NotPetya spread by hijacking the updating mechanism of the MeDoc Ukrainian accounting software, Bad Rabbit appears to be spreading through a bogus Adobe Flash update, according to security firm Eset.

Russian security firm Kaspersky Lab reports that the attack does not use exploits, but is a drive-by attack, meaning victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, infecting themselves. 

Bad Rabbit appears to be a targeted attack against corporate networks, said Kaspersky Lab, using methods similar to those used in the ExPetr (also known as NotPetya) attack.

Like WannaCry and NotPetya, Bad Rabbit appears to be mainly aimed at causing disruption and is reportedly using the Microsoft Windows server message block (SMB) protocol, but in a different way, and uses an algorithm very similar to one found in the NotPetya code.

However, Bad Rabbit does not use the EternalBlue exploit, according to Allan Liska, senior solutions architect at Recorded Future.

“Instead it relies on local password dumps, as well as a list of common passwords, to attempt to move from one machine to another, trying to spread through the network,” he said.

Liska said the Bad Rabbit code is much more refined than what we saw with WannaCry and NotPetya. “It seems to have been well-tested, though it does rely heavily on a lot of command line script. Bad Rabbit uses a traditional payment portal for the ransom instead of asking victims to send an email,” he said.

Read more about ransomware

The attackers are also using exploits of WebDAV, the Web Distributed Authoring and Versioning extensions to the Hypertext Transfer Protocol (HTTP) that allow for collaborative editing between users across a network, according to Forbes.

Security firm Eset said the Mimikatz tool, used by NotPetya, is being used by Bad Rabbit to steal passwords from the affected systems to allow attackers to move around victim networks.

However, Kaspersky Lab said it cannot confirm whether Bad Rabbit is related to NotPetya, and that investigations were ongoing. The security firm said it is still unclear whether it is possible to get back files encrypted by Bad Rabbit either by paying the ransom or by using some glitch in the ransomware code.

A countdown on the payment site shows the amount of time before the ransom price goes up, but Kaspersky Lab and other commentators are advising against paying the ransom as there is no guarantee that the encrypted data will be recovered.

Affected organisations include Ukraine’s Odessa International Airport, which reported that its information system had stopped functioning, Russia’s Interfax news agency, the Fontanka news site in St Petersburg, the Kiev Metro service, and Ukraine’s finance and infrastructure departments.

Suggested steps to prevent being infected by Bad Rabbit

Cybereason reseacher Amit Serper claims to have developed a vaccine to prevent Bad Rabbit malware from infecting machines.

Serper and colleague Mike Iacovacci suggest taking the following measures to prevent getting infected by Bad Rabbit:

  • First, create these two files: c:\windows\infpub.dat and c:\windows\cscc.dat by starting cmd.exe as an admin and typing the following commands: echo “” > c:\windows\cscc.dat&&echo “” > c:\windows\infpub.dat
  • Next, remove all their permissions by right clicking each file and selecting Properties, then select the Security tab. 
  • Now click Advanced, and on the Permission tab, click the Change Permissions button.
  • Then, uncheck the “Include inheritable permissions from this object’s parents” box.
  • After you do that, a window will pop up. Click the Remove button.
  • Remember to perform this action for the two files you created.

If you are running Windows 10, repeat the same steps but instead of unchecking the inheritance box, click the “disable inheritance button” and then select “Remove all inherited permissions from this object”.

Carl Leonard, principal analyst at Forcepoint, said the Bad Rabbit attack appears to be one of the biggest attacks since the NotPetya cyber attack in June 2017 that first hit Ukraine and spread around the world.

“In October of 2016, Forcepoint Security Labs warned of the perils of rogue software updates being delivered by automated software update mechanisms in our Freeman report,” he said.

“We will continue to see massive attacks with economic, employee and public safety ramifications. And the methods will continue to evolve, including the evasive methods to hide their activity as well as their true intent. 

“The trick will be to better understand the human points in these attacks. The intent or motivations of the attackers can range broadly including financial gain, revenge, political or hacktivism. Understanding these intentions can help shape our security strategies.

“But it is even more important to understand the human point we call the ‘user.’ How do they interact with the internet, and with various applications? What privileges do they need, and how do they use the privileges they have? 

“This is a key part of how researchers predict future shifts in the threat landscape. Understanding your organisation’s ‘human point’ can produce more effective security strategies,” he said.

Read more on Hackers and cybercrime prevention