Organizations in Russia and Ukraine were under siege on Tuesday 24 October 2017 from Bad Rabbit, a strain of ransomware with similarities to NotPetya.
By evening, the outbreak was reportedly spreading into Europe, including Turkey and Germany. Victims reported so far include airports, train stations and news agencies.
Russia’s Interfax news agency reported on Twitter that the outbreak had felled some of its servers, forcing Interfax to rely on its Facebook account to deliver news.
Starts with social engineering
The Bad Rabbit outbreak appears to have got its start via files on hacked Russian media websites, using the popular guise of pretending to be an Adobe Flash installer.
If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware. These credentials include passwords straight out of a worst passwords list. Another reminder, if one were needed, that all your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.
From there, it encrypts not only your files, adding encrypted
at the end of each filename, but also your computer’s MBR (Master Boot Record). You are then greeted with the following message and asked to submit payment via a Tor hidden service (an anonymous Dark Web website):
Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You Might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. Visit our web service at [redacted]
If you visit the Bad Rabbit website using the Tor Browser, you will be “invited” to pay a fee for the decryption key; at the time of writing [2017-10-25T16:45Z], the crooks were demanding XBT 0.05 (1/20th of a Bitcoin), currently about $280:
Defensive measures
Sophos currently blocks the Bad Rabbit malware as Troj/Ransom-ERK.
Additionally, Sophos Intercept X proactively prevents the malware from attacking your data: the CryptoGuard component stops the ransomware from scrambling your files, and WipeGuard prevents the low-level disk writes that modify the boot sector.
(For further information about Sophos protection, please see our Support Knowledge Base article entitled Bad Rabbit ransomware: What to do.)
Here are some general tips to raise your defenses againt this sort of outbreak:
- Ditch Flash altogether. Fake flash installers and updates only work as a social engineering tactic if you use or want Flash. By removing Flash entirely you not only protect yourself from Flash zero-day holes , but also eliminate the temptation to download fake updates.
- Patch promptly. Outbreaks such as NotPetya and WannaCry exploited a vulnerability for which patches were already available. Don’t lag behind once patches are available for known security holes – the crooks will be only too happy to take advantage.
- Remember your backups. Make them regularly, and keep a recent backup both offline and offsite, so you can access it even if your workplace ends up off limits due to fire, flood or some other cause not related to malware.
- Don’t make users into administrators. When you want to perform administrative tasks, promote yourself to an administrator account, and relinquish those privileges as soon as you can. Network-aware malware like Bad Rabbit can spread without even needing to guess passwords if you already have administrator-level access to other computers on the network.
For more information about ransomware read How to stay protected against ransomware, or listen to our Techknow podcast:
LISTEN NOW
(Audio player above not working? Download, or listen on Soundcloud.)
If you’re a home user, why not register for the free Sophos Home Premium Beta? This includes the CryptoGuard and WipeGuard features mentioned above that block the unauthorised scrambling of files and disk sectors.