A new strain of ransomware called BadRabbit has been causing problems for media and transportation companies in Russia and the Ukraine. In spite of the headline (which we couldn’t resist), the attack seems to have more code in common with Not-Petya than with WannaCry. However, there is only a 13% match, so attribution is uncertain at this point.
Most anti-virus packages are now detecting and blocking BadRabbit, so it is unlikely to spread further. However, the basic precautions that would have prevented it from spreading are still good advice:
- Don’t run Flash
- Use strong passwords
If you must run Flash sometimes, install it in a separate browser, and don’t have it on the browser you use most of the time. Above all, make sure your updates are only coming from Adobe, not from other websites, even if they appear to be reputable.
Watering hole attacks of this type reveal the difficulty of attribution and the dangers of hacking back.
[Embedded tweet] — Group-IB (@GroupIB_GIB) October 24, 2017
The sites that were distributing the malware were not responsible for the attack. They were themselves victims of a previous attack intended to set up this one. If a security researcher determined that they had received malware from one of these sites and launched a counter attack to take it down, they would be attacking another victim rather than the real perpetrator.
In view of the relatively narrow geographic and industry targeting it is likely that this attack is politically motivated rather than simple extortion. As of the time of writing, there do not appear to be any ransom payments made to the bitcoin wallets associated with this attack.
The attack would have been much more devastating if the original watering holes had been more widespread. Ransomware as a threat is not going away, and though this may have come from a nation state actor, the barriers to entry are getting lower. Luckily the defenses are getting better as well. Microsoft has introduced a new Windows Defender feature called Controlled Folders which is intended to give additional protection against ransomware. It is currently disabled by default, and may not protect against all attacks, but it is a good start. Over time I expect that Microsoft will win the battle against ransomware on the Windows platform.
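The Windows Defender feature referred to above is exposed to administrators as Controlled Folder Access. As an added example (not code from the original post), the following PowerShell session shows how to check its state, move it from the default disabled setting through audit mode to enabled, and pull the block/audit events that a ransomware-style write to a protected folder would generate. It assumes an elevated PowerShell prompt on Windows 10 version 1709 or later with the Defender module present; the folder and application paths are placeholders.

```powershell
# Added example (not from the original post): manage Windows Defender
# Controlled Folder Access and review its events.
# Assumes an elevated session on Windows 10 1709+ with the Defender module.

# 1. Show the current state.
#    0 = Disabled (the default the post describes), 1 = Enabled, 2 = AuditMode.
$state = (Get-MpPreference).EnableControlledFolderAccess
"Controlled Folder Access state: $state"

# 2. Weak setting, shown for contrast only: protection switched off.
#    Set-MpPreference -EnableControlledFolderAccess Disabled

# 3. Recommended first step: audit mode logs what would have been blocked
#    without blocking it, so legitimate apps that need exceptions can be found.
#    Set-MpPreference -EnableControlledFolderAccess AuditMode

# 4. Corrected setting: block unapproved applications from writing to
#    protected folders (Documents, Pictures, etc. by default).
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Protect an additional folder. 'D:\Finance' is a placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 6. Allow a trusted application that legitimately writes to protected folders.
#    The executable path is a placeholder.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Example\backup.exe'

# 7. Detection: recent blocked (1123) and audited (1124) write attempts from the
#    Defender operational log. SilentlyContinue suppresses the error raised
#    when no matching events exist yet.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Running in audit mode for a while before enabling blocking avoids breaking backup agents and other tools that write to user document folders; the 1124 events show exactly which process would have been stopped, and those can be added with step 6 before switching to Enabled.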
Here are some links for further information on BadRabbit. If you liked our headline, you’ll love The Register’s:
- The Register: Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs
- CSO: BadRabbit ransomware attacks multiple media outlets
- welivesecurity: Bad Rabbit: Not-Petya is back with improved ransomware
- Royce Williams: badrabbit-info.txt