Advisory Note: Bad Rabbit Ransomware

The latest malware threat Bad Rabbit appears to be a Petya/NotPetya variant sharing approximately 67% of its code with known Petya DLL’s.  At the moment, it seems to be primarily targeting organizations in Russia and Eastern Europe but could easily spread.  The malware encrypts files and replaces the MBR (Master Boot Record) of the device infected effectively disabling the device.  The user is then presented with the option to pay a ransom of 0.05 Bitcoin (about US$275) to decrypt the device.  There is no evidence yet whether or not paying the ransom actually decrypts the device.

Bad Rabbit masquerades as an Adobe Flash update, tricking the end user to install it.  This can be delivered via a compromised website accessed by the user or an email attachment.  Once a device is infected it also attempts to spread across the local network via SMB protocol using a dictionary of common/weak credentials.  This differs from variants like WannaCry because it does not take advantage of an exploit which can be patched, but rather weak username and password combinations.

Our Managed Antivirus has already released definition updates for known Bad Rabbit variants.  It will be detected by MAV as Gen:Heur.Ransom.BadRabbit.1 and Gen:Variant.Ransom.BadRabbit.1.  Some websites are reporting that creating two files named infpub.dat and cscc.dat in the C:\Windows directory and removing all rights, including execution, to those files “vaccinates” the device against Bad Rabbit but this is not verified.

MSPs and MSSPs should be aware that there seems to a specific targeting of infrastructure and media organizations but could affect any users.  Due to the nature of MBR replacement disabling access to the device, critical systems should be backed up in a manner that will facilitate a full system or bare metal restore to speed recovery in situations where decryption may not be possible.

This entry was posted in N-sight. Bookmark the permalink.