MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2017

MA-686.102017: MyCERT Alert – Bad Rabbit Ransomware

Date first published: 25/10/2017


1.0 Introduction
MyCERT is aware of a new ransomware strain named Bad Rabbit infections occurring in networks within the eastern Europe, specifically Ukraine and Russia. The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks that have hit in May and June this year, respectively.

The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. Figure 1 shows the malicious code used in watering hole attack [1]. Figure 2 shows the ransom note found on the infected computer [2].



Figure 1: Code showing the injected script (source: http://blog.trendmicro.com).

 

Figure 2: Bad Rabbit ransom note taken from its Onion domain (source: www.zdnet.com).


2.0 Impact
 Once a PC has been infected within an organization, it will infect another PC through weak/known user credential and recovered user credential from infected PC.
 Afterward, infected PC hard disk will be encrypted and the owner is unable to access their PC until a ransom of $286 worth of Bitcoin is paid through Tor / Deep Web network.


3.0 Affected Products
 All Windows version with weak user authentication and allow remote SMB connection.


4.0 Recommendations
Users are advised to take the following preventive measures to protect their computer from ransomware infection:
a) Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored. 
b) Immediately plug out the infected PC from the network.
c) Review network and system logs for evidence of the indicators provided.
d) Configure logging to capture sufficient information about executed software on servers and endpoints within your organisation. Specifically, for devices running Microsoft software, review the ASD Technical guidance for Windows event logging document [3] to identify any implementation gaps.
e) Review ASD’s Essential Eight controls in the strategies to mitigate cyber security incidents document [4] and assess whether you could implement any of the recommendations which would help resist infection by this type of malware.
f) Test application whitelisting controls to ensure that they are configured in such a way that they block unauthorized software;  
g) Reconsider the business need for operating SMBv1 and disable the feature wherever possible.
h) Investigate deploying Microsoft LAPS which ensures that each domain-joined host in an organisation has unique Local Administrator credentials, preventing ransomware from using the extracted credentials to spread laterally [5].
i) If you are using Windows 10, consider assessing the anti-ransomware folder protection feature [4] which was added in Windows 10 v1709 [6] for inclusion in a future standard operating environment (SOE) deployment.
j) Review logs for unusual SMB traffic.
k) Review logs for unusual usage of the Service Control Manager tool [7].
l) Ensure that important data is backed up to an offline location.


Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442 
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Cyber999 Mobile Apps: IOS Users or Android Users


5.0    References
  1. https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported
  2. https://securelist.com/bad-rabbit-ransomware/82851/
  3. http://blog.trendmicro.com/trendlabs-security-intelligence/bad-rabbit-ransomware-spreads-via-network-hits-ukraine-russia/
  4. http://blog.talosintelligence.com/2017/10/bad-rabbit.html
  5. https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/
  6. http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/
  7. https://www.asd.gov.au/publications/protect/windows-event-logging-technical-guidance.htm
  8. https://www.asd.gov.au/infosec/mitigationstrategies.htm
  9. https://technet.microsoft.com/en-us/mt227395.aspx
  10. https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
  11. https://technet.microsoft.com/en-us/windows/release-info.aspx
  12. https://msdn.microsoft.com/en-us/library/windows/desktop/ms685150(v=vs.85).aspx