Ransomware has had a banner year in 2017. WannaCry and NotPetya were able to spread easily across the globe, via exploits in protocols such as Microsoft Windows Server Message Block (SMB). These two followed in the footsteps of heavyweights like CryptoLocker and set the path for future similar threats to travel down.
Bad Rabbit hops along the trail blazed by WannaCry and NotPetya
In October 2017, one such imitator emerged. Dubbed Bad Rabbit, the threat shares some key traits with both WannaCry/NotPetya in particular and strong encryption ransomware in general:
- Like the other two major ransomware threats documented this year, it can spread through SMB vulnerabilities. However, it does not capitalize on the same specific Eternal Blue flaw they had exploited.
- Like NotPetya, it uses the open source tool Mimikatz to extract credentials from compromised machines and take them with it across the network. It also contains hardcoded usernames and passwords, including the purported “four most common passwords” from the 1995 movie “Hackers.”
- Like almost all high-profile ransomware going back decades, it scrambles data on the infected machine and demands payment for its decryption. A countdown timer further nudges the victim; after it expires, the demanded sum increases.
- Like other truly dangerous threats, its novelty helps it elude common defenses, such as traditional artificial intelligence-enabled detection. According to VirusTotal, few antivirus repositories flagged Bad Rabbit in the wake of its media exposure.
The name Bad Rabbit might stir up images of one of the characters from the 2001 film “Donnie Darko,” who wore a rabbit costume when mysteriously appearing and disappearing at key moments, seemingly out of thin air. The Bad Rabbit ransomware is similar it how it in hops onto targeted devices without much warning: Two cybersecurity vendors have confirmed that in addition to the SMB route, Bad Rabbit can also make it initial entry through a fake but legit-looking Adobe Flash Player installer.
What comes after Bad Rabbit?
At least one security researcher appears to have come up with a solution to Bad Rabbit, which so far has been largely confined to corporate networks in Eastern Europe. His technical fix was posted to Twitter not long after Bad Rabbit’s discovery. The vaccination he described involves creating several specific file names and then removing all permissions associated with them.
Bad Rabbit is best understood as an improved version of NotPetya, which itself was characterized in summer 2017 as an upgraded WannaCry. Each subsequent release has added features designed to increase the bundled ransomware’s efficacy. NotPetya innovated the Mimikatz password harvesting, while Bad Rabbit expanded the number of addressable exploits. Looking ahead, we should probably expect ransomware to keep becoming more sophisticated.
“Bad Rabbit is best understood as an improved version of NotPetya.”
Accordingly, network security teams will need a strong blend of automated and human intelligence, to stop well-known threats and guard against new and unusual ones. A security operation center (SOC) overseen by a concierge engineer provides this exact combination. Convenient SOC-as-a-Service with managed detection and response (MDR) can replace your existing Security Information and Event Management solution and reduce your overall overhead in detecting and containing risks in the mold of Bad Rabbit.
To learn more about SOC with MDR capabilities, click the banner below to get started.