Bad Rabbit – Yet Another Petya Variant

Bad Rabbit

The chain of malware attacks isn’t letting up any time soon. Just this past Tuesday, researchers detected a new variant of ransomware in the wild. Dubbed “Bad Rabbit”, the malware has currently affected Russian websites and Ukrainian infrastructure assets. US officials report they know of many more infections in other areas of the world. Bad Rabbit shares up to two-thirds of its code base with Petya/NotPetya and functions much in the same way. The software uses the open-source DiskCryptor to encrypt the disk, CryptGenRandom to generate keys, and a hardcoded RSA public key for protection. Upon infection, the malware encrypts the system and redirects users to a Tor .onion link, where they must pay a 0.05 BTC fee (roughly $300) for the decryption key. Users trigger the infection when they download a malicious Flash update from a compromised website, and the malware uses the EternalRomance NSA exploit to spread further within a network.

What You Can Do

• Standard procedure – As IT professionals, we know how to protect our systems against common malware. Apply vendor patches quickly, especially for firewalls and AVs. Make sure you store your backups safely off-site and test them regularly. Educate your users not to independently download patches, and make sure your IT team has a solid process in place for rolling patches out. While the media likes to blow these incidents out of proportion, Bad Rabbit doesn’t offer anything particularly unique or dangerous, so your standard incident response processes should be fine. One more useful tip comes from Kaspersky, which states that blocking the execution of “c: windows infpub.dat” and  “C: Windows cscc.dat” could prevent infection.
• If you’re infected – Kaspersky has notified the public about a minor flaw in the malware. Bad Rabbit doesn’t actually wipe system memory after infection until the process terminates. This means that if you have the ability to debug the system, you may recover the key from memory. If you don’t have the ability to do so, we highly recommend you restore from a backup. Researchers have confirmed that Bad Rabbit does not wipe systems. Also unlike other variants of Petya, the decryption module works correctly and the attackers can provide the decryption key if you pay them. However, why pay someone holding your system hostage? Why give them money if you don’t have to? Why encourage others to do this same thing with new malware? Don’t pay them if you have a choice. Just make sure you use your off-site backups and patch your systems before restore to avoid re-infection

More Reading

• ZDNet Coverage
• BBC Coverage
• Kaspersky Report

Secure Compliance Solutions LLC (SCS) provides a wide range of CISO advisory consulting and managed security services to small- and medium-sized businesses. We help our clients navigate the increasingly complex world of cybersecurity, from advising executives on long-term cybersecurity objectives to training analysts and engineers on emerging trends and threats. With industry experts in cybersecurity policy and regulations, compliance, and system hardening and monitoring, SCS can help businesses address any cyber threats out there today, whether small or large, internal or external. We champion a strategy of readiness and resilience. No matter the threat, SCS can and will protect against it.