There’s a BadRabbit in town, and it’s slamming European media outlets, as well as transportation and government organizations in the Ukraine and Russia. Some reports have also seen detections of its files on computers in western countries, but no infections have been reported – yet. It’s the latest in the ongoing onslaught of ransomware attacks that are increasingly becoming the tool of choice for cybercriminals.
Although it seems that every year, new forms of malware emerge to plague us, ransomware is becoming a standard. It’s a relatively easy attack to initiate, people fall for it, and for less ambitious crooks, it’s even offered as a service by enterprising criminals.
But wait, you’re probably saying, didn’t we talk about this recently?
You’re right, we did, but since then the landscape has shifted yet again.
Now ransomware and other forms of attack are being used to distract IT staff while other mischief is occurring on their networks. For example, there’s nothing like ransomware, or for that matter a vigorous denial of service attack like those from the Mirai botnet, in which a company is bombarded with meaningless network traffic (usually from compromised devices), preventing legitimate business traffic from getting through, to conceal the fact that hackers have just quietly stolen business-critical data. By the time the real purpose of the assault is detected, if it ever is, the damage is done.
The naughty bunny du jour, BadRabbit, is loosely related to last summer’s WannaCry and NotPetya – and yes, there are still enough unpatched machines out there that it can still be effective. Apparently people never learn. However, unlike WannaCry, whose goal was destruction, BadRabbit appears to be legitimate (so to speak) ransomware, which initially demands about 0.5 Bitcoins for the decryption keys; the decryption site displays a countdown clock showing the time remaining until the price goes up. Researchers at McAfee have released a description of the malware and what it does, as well as a list of the file types that BadRabbit encrypts, which includes everything from zip files to Microsoft Office documents. Other researchers have discovered that the malware uses a legitimate encryption program, DiskCryptor, to do its dirty work.
But they are also finding that it is a blended attack. WannaCry may have emulated ransomware, but it also exhibits worm-like qualities. So does BadRabbit; according to researchers at security firm ESET, it contains a set of user names and passwords that it uses to spread across its victims’ networks in search of more machines to compromise.
Threatpost says that to get infected, initial victims were served a drive-by download on compromised sites that asked them to install what was billed as a Flash Player update (Hint: only install Flash updates from the Adobe site, and type in the URL yourself!). Obviously, it was nothing of the kind, instead beginning the process that ultimately encrypted the victim’s hard drive and demanded ransom.
US-CERT (the United States Computer Emergency Readiness Team) has published several advisories about ransomware, and recommends against paying the ransom, since it only enriches the attackers with no guarantee that a decryption key will be forthcoming. Instead, its advice is to properly secure systems to make it as hard as possible for the bad guys to get in to begin with. Exercise basic cyber-hygiene, doing things such as:
- Ensure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged (eg – administrator) accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Secure use of WMI (Windows Management Instrumentation) by authorizing WMI users and setting permissions.
- Use host-based firewalls and block workstation-to-workstation communications to limit unnecessary lateral communications.
- Disable or limit remote WMI and file sharing.
- Block remote execution through PSEXEC.
- Segregate networks and functions.
- Harden network devices and secure access to infrastructure devices.
- Perform out-of-band network management.
- Validate integrity of hardware and software.
- Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices. (Though note that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.)
Security companies are not sitting still either. Their latest weapon against ransomware and other attacks is the oh-so trendy technology of artificial intelligence (AI) and machine learning (ML). In most cases, however, they’re not turning AI loose to run amuck. Instead, they’re creating human-machine partnerships, where each component does what it’s best at. The computers look for and correlate patterns, the humans make sense of them.
It’s a two-edged sword, though. We may be using AI and machine learning to detect what the bad guys are up to, but the bad guys are using it to figure out what the defenders’ tactics will be.
McAfee is also adding a new weapon to the defender’s arsenal: McAfee Ransomware Recover (Mr2), a free framework announced at its recent MPOWER conference. It comes with instructions as well as additional resources on ransomware and a link to the NoMoreRansom site run by a consortium of law enforcement agencies and security firms to educate the public and to provide tools to help victims recover without paying ransom.
On a more basic level, Microsoft has introduced a new feature into Windows 10 Fall Creators Update: Controlled Folder Access. Part of Windows Defender, it only allows authorized applications to access files in specified folders.
What else can we do to keep BadRabbit and other malicious software at bay? Well, aside from the technology work suggested by CERT, we could try to get people to stop and think before they click. We train our kids to look both ways before crossing the street – we need to work on training ourselves to exercise similar caution in the cyber world.
