BadRabbit ransomware attackers pull back

By Admire Moyo, ITWeb's news editor.
Johannesburg, 26 Oct 2017
Following WannaCry and Petya, BadRabbit is the latest strain of ransomware.

The attackers behind BadRabbit - new ransomware that hit Russia and other countries this week - seem to be pulling back.

This is according to cyber security firm FireEye, which says it identified and prevented these attacks from the start of the campaign and concludes that the attackers are now pulling back.

Following in the footsteps of WannaCry and Petya, BadRabbit is the latest strain of ransomware to create havoc in several countries across the world. The attack is causing computer systems in Russia and around Europe to grind to a halt.

A message pops up on users' screens telling them their computer has been locked and that they must pay 0.05 Bitcoin to regain access. However, there is no confirmation that paying the ransom will result in a decryption key being provided.

A decryption site at the .onion (Tor) domain displays the time that victims have left before the price goes up.

Rogue Flash Update

Nick Carr, senior manager for detection and analysis at FireEye, says: "Around 2017-10-24 at 08:00:00 UTC, FireEye began to detect and block attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe), hosted on attacker infrastructure 1dnscontrol[.]com.

"The infection attempts were referred from multiple sites simultaneously, indicating a widespread strategic Web compromise campaign. FireEye has observed this malicious JavaScript framework in use since at least February 2017, including its usage on several of the sites from today's attacks."

Carr explains that the framework acts as a "profiler" that gathers information from those viewing the compromised pages - including host and IP address info, browser info and referring site cookie. Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT dropper "flash update").

"FireEye network devices blocked infection attempts at multiple victims globally until around 2017-10-24 15:00:00 UTC when the infection attempts ceased and attacker infrastructure - both 1dnscontrol[.]com and monitored sites containing the rogue code - were taken offline. The use of strategic Web compromises and profilers provides guardrails that allow attackers to select targets carefully and halt operations quickly," Carr adds.
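The drive-by chain Carr describes (a compromised page pulling in a profiler from 1dnscontrol[.]com, then a fake install_flash_player.exe) is a pattern a proxy-log review can surface. The following is an added example, not FireEye's or the article's code: it parses a constructed proxy-log layout and flags the pattern; the log format, the profile.js path, the client addresses and the example domains are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the article: the drive-by dropper was served from
# 1dnscontrol[.]com under the name install_flash_player.exe.
KNOWN_DROPPER_HOSTS = {"1dnscontrol.com"}
FAKE_UPDATER_NAME = re.compile(r"install_flash_player\.exe$", re.IGNORECASE)

# Constructed proxy-log layout (not a real product's export):
# <timestamp> <client ip> <method> <url> "<referrer or ->"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<referer>[^"]*)"$')

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    url = urlsplit(e["url"])
    e["host"] = url.hostname or ""
    e["path"] = url.path
    e["referer_host"] = "" if e["referer"] == "-" else (urlsplit(e["referer"]).hostname or "")
    return e

def classify(e):
    """Return the reasons a request looks like the fake-Flash-update drive-by, if any."""
    reasons = []
    if e["host"] in KNOWN_DROPPER_HOSTS:
        reasons.append("known dropper host")
    if FAKE_UPDATER_NAME.search(e["path"]):
        reasons.append("fake Flash updater filename")
        # An executable pulled in from a page on a different site is the
        # strategic-web-compromise pattern; a same-site or direct download is not.
        if e["referer_host"] and e["referer_host"] != e["host"]:
            reasons.append("executable referred from third-party site")
    return reasons

def scan(lines):
    """Return (client, url, reasons) for every line that triggers at least one reason."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and (reasons := classify(e)):
            hits.append((e["client"], e["url"], reasons))
    return hits

# Constructed sample traffic: a visit to a compromised page, the profiler fetch,
# the dropper download, and an unrelated same-site download of a file with the same name.
SAMPLE_LOG = [
    '2017-10-24T08:03:12Z 10.1.2.3 GET http://news.example/story.html "-"',
    '2017-10-24T08:03:14Z 10.1.2.3 GET http://1dnscontrol.com/profile.js "http://news.example/story.html"',
    '2017-10-24T08:03:15Z 10.1.2.3 GET http://1dnscontrol.com/install_flash_player.exe "http://news.example/story.html"',
    '2017-10-24T08:05:00Z 10.1.2.4 GET http://updates.corp.example/install_flash_player.exe "http://updates.corp.example/index.html"',
]
```

Running `scan(SAMPLE_LOG)` flags the two 1dnscontrol[.]com requests, with the executable download carrying all three reasons, while the same-site download is flagged on filename alone.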

According to Kaspersky Lab, the BadRabbit infections stopped on Tuesday. Symantec also reported "the vast majority of infection attempts" occurred in the first two hours after BadRabbit appeared.

Initial analysis

Following the attacks, Martin Walshaw, senior systems engineer for F5 Networks, comments that the BadRabbit infection is not captured by most common anti-virus solutions, which means users could be infected without knowing.

"Initial analysis indicates the malware script identifies target users and presents them with a bogus Adobe Flash update prompt. When the user accepts this, malware is downloaded and the encryption attack takes place. In the absence of stringent controls and appropriate security solutions, businesses are left in the hands of their users," he says.

According to Walshaw, as with many aspects of information security, prevention is better than cure. He points out though that, unfortunately, there is no silver bullet to protect against this type of attack.

"The best methods currently available include reliable backups hosted outside of the network and maintaining an up-to-date response plan. In addition, organisations need systems such as SSL to inspect devices."

For Claude Schuck, regional manager for Africa at Veeam, it was only a matter of time before a new strain of ransomware was revealed.

"We continue to see this lucrative business of ransomware wreak havoc, as the perfect storm of poor maintenance of updates, weak security measures, employee and user errors of judgement, and pseudonymous crypto-currencies exists.

"Businesses shouldn't strive to make themselves hack-proof - it's an impossible state to achieve due to the ever-evolving threats. Rather, updates should be maintained, processes to support IT securities policies adhered to, and robust IT defences in place - plus, backups located off the live IT network should be a key part of your data management strategy. We have seen so many businesses overcome ransomware attacks, by being able to backup from a high-quality copy of data located off-site."

Ransomware season

With the emergence of BadRabbit, Steven Malone, director of product management at Mimecast, says the ransomware season is open.

"Initial analysis shows this to be another variant of ExPetr/Petya, the malware that affected businesses globally just a few months ago and which uses the same SMB flaws to spread laterally once inside a network."

Cyber security firm Sophos notes it was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims.

It points out that what makes the BadRabbit malware more dangerous than typical ransomware being distributed in a similar manner is its ability to spread across an organisation as a worm and not just through e-mail attachments or vulnerable Web plugins.