Cynet Stopped Bad Rabbit: Blog Part 1
What is being labeled as ransomware makes an appearance again, the latest in 2017’s saga of attacks focused on corporate entities – with an emphasis on Eastern European global media bodies. Bad Rabbit hit the news yesterday, October 24, when large-scale organizations in Russia and the Ukraine reported hits. It then spread through Europe to Germany, Poland, Turkey and Japan, among other countries. There were also reported isolated attacks in the United States, and the Department of Homeland Security’s US-CERT issued a review of previous Petya-related alerts.
Among customers using the Cynet 360 platform, the attack was identified in-the-wild within the network of a leading multinational organization by Cynet’s Advanced Detection Technology (ADT). Cynet’s ADT provides customers with protection against attacks gaining RAW access to the hard disk, including writing to the MBR. In the case of Bad Rabbit, the Cynet 360 platform blocked the attack without IOCs and without having any samples of the malware.
Video: Cynet detection of Bad Rabbit
The Bad Rabbit attack spreads by way of an infected “Flash update installer,” and has similarities to the previous WannaCry and NotPetya / ExPetr ransomware attacks. Once machine zero has been infected, Bad Rabbit searches the endpoint for additional login credentials by using MimiKatz. Bad Rabbit then attempts to spread to other endpoints in the network while utilizing those login credentials, encrypting Windows Office and other related files, and referring the user to a Petya/Not-Petya reminiscent ransom note demanding apx $275 (.05 in Bitcoin) and a clock counting down from 41-hours. As with all ransomware, there is no promise that files are actually released upon payment, and victims are advised not to pay the ransom.
Image: Initiating system reboot using the shutdown command with the following params: shutdown.exe /r /t 0 /f
Attacks like Bad Rabbit serve to emphasize the importance of implementing a comprehensive security platform like Cynet 360. Protection and detection across the internal network are integral to doing business. Cynet’s Advanced Detection Technology provides full visibility, stopping attacks like Bad Rabbit, WanaCry Petya/Not-Petya, and other ransomware attacks in their tracks, before assets are compromised.