How Deep Is The Bad Rabbit Hole?

WannaCry, NotPetya, and now Bad Rabbit! On October 24th, the third major ransomware campaign of 2017 hit Russia and Ukraine, and infections are now being reported elsewhere. Although not as widespread as the first two attacks, Bad Rabbit shut down three major media companies in Russia, along with Kiev Metro and Odessa International Airport.

Whilst the identity of the attackers remains unknown, they have not concealed their interest in Game of Thrones: the ransomware references Gray Worm, Drogon and Viserion throughout.

How is it spreading?
The ransomware has been spreading through compromised websites (some of which have been compromised since June!), where visitors are prompted to download a fake Flash update. If a user runs the downloaded update_flash_player.exe and has the administrative privileges it asks for, it encrypts files on the PC and demands 0.05 bitcoin to decrypt them.

The bad news is that, much like the other campaigns we have seen this year, it can spread laterally over SMB by brute-forcing authentication. A list of common usernames and passwords is hardcoded into the executable, and a bundled Mimikatz-derived credential-harvesting component extracts further credentials from memory on each infected host to try against its neighbours.

How is Options protecting against it?
At Options, we are taking a multi-layered approach to protect the desktop estate of all clients.

  1. 100% patch compliance across our desktop estate for MS17-010, the SMBv1 vulnerability exploited by WannaCry's EternalBlue. While researchers confirm whether this ransomware leverages the same vulnerability, we are taking no chances: only patched workstations are permitted on our platform (read more on our zero defects approach).
  2. Default group policies applied to all Options domain-joined workstations. We block executable files from running out of the default Windows download location. For example, update_flash_player.exe would be blocked from running from any user's Downloads folder.
  3. SMBv1 disabled across the estate.
  4. Locking down administrator access. Our internal policy and advice to clients is to tightly control who in the organisation has administrator privileges. This dropper needs elevation to install its components, so a user without that privilege cannot complete the infection, and least privilege limits the damage any other strain can do.
  5. Alerting on any brute-force activity. We are taking full advantage of Splunk Enterprise to alert on brute-force logon attempts, i.e. repeated failed logons from one source against many accounts. Any behaviour detected is raised to the security team and investigated.
  6. Enterprise anti-virus. We have enterprise-level anti-virus software installed on every workstation. This can detect the file and quarantine it on the machine before it is executed.
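Layers 2, 3 and 4 above are configuration controls that can be applied and verified from PowerShell. The script below is an added example, not the post's or Options' own tooling: it applies an AppLocker path rule that denies executables under any user's Downloads folder, disables SMBv1 on both the server and client side, and reports unexpected members of the local Administrators group, on a single domain-joined Windows 10 client run from an elevated PowerShell. The rule GUID, the approved-admin names and the temp file path are assumptions for illustration; in a real estate the AppLocker and SMB settings are delivered by Group Policy rather than set per machine.

```powershell
# Added example (not the post's own code): apply and check the workstation controls
# described above on one Windows 10 client, from an elevated PowerShell session.
# GUIDs, group names and paths below are assumptions for illustration.

# --- 2. Deny executables launched from any user's Downloads folder (AppLocker path rule) ---
$mode   = 'AuditOnly'   # roll out in audit mode first; switch to 'Enabled' to actually block
$denyId = '7b2d6c1e-5a3f-4e88-9c21-0d4f6a8b3e55'   # arbitrary rule GUID (assumed)
# Once an Exe collection has any rules, anything not allowed is denied, so the usual
# allow rules for Program Files, Windows and local administrators are included.
# AppLocker's Deny always wins over Allow, so the Downloads rule also binds administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow administrators anywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$denyId" Name="Deny Downloads" Description="Fake Flash updaters land here" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\downloads-deny.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Check the rule before applying it: stage a harmless copy of notepad under the path a
# fake updater would use and ask AppLocker what it would decide for each file.
$testExe = "$env:USERPROFILE\Downloads\update_flash_player.exe"
Copy-Item "$env:WINDIR\System32\notepad.exe" $testExe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testExe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $testExe

# AppLocker only enforces while the Application Identity service is running. On Windows 10
# it is a protected service, so sc.exe is used instead of Set-Service to make it automatic.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # -Merge keeps rules already in place

# --- 3. Disable SMBv1 on the server side, remove the optional feature, and verify ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
# Client side (Microsoft KB2696547): disable the SMB1 redirector and drop it from the
# workstation service's dependency list so it is never loaded again.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
[pscustomobject]@{
    Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
}

# --- 4. Report members of the local Administrators group that are not on the approved list ---
$approvedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins')   # assumed names
Get-LocalGroupMember -Group Administrators |
    Where-Object { $_.Name -notin $approvedAdmins } |
    Select-Object Name, ObjectClass, PrincipalSource
```

AppLocker enforcement is officially supported on the Enterprise and Education editions of Windows; on other editions the equivalent path rule goes into Software Restriction Policies instead. The SMBv1 change needs a reboot to fully take effect, which is why the feature removal is run with -NoRestart and the verification output should be re-checked after the restart.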
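Layer 5 is a detection control, and the logic behind a brute-force alert is worth seeing in full. The following is an added example, not the post's or Options' own Splunk content: it implements the same detection in PowerShell over Windows Security event ID 4625 (logon failure), treating a burst of network-logon failures (LogonType 3, which is what SMB authentication attempts produce) from one source address against several different accounts within a short window as brute force. The function Get-FailedNetworkLogons pulls live events; Find-BruteForce is run here against constructed sample events (not real logs) so the example works offline. The thresholds, account names and addresses are assumptions.

```powershell
# Added example (not the post's own code): detect SMB/network logon brute force from
# Windows Security event ID 4625. Bad Rabbit's lateral movement tries a hardcoded list
# of usernames and passwords over SMB, which shows up as many 4625 events with
# LogonType 3 from one source against many accounts in a short time.

function Get-FailedNetworkLogons {
    # Read recent 4625 events from the live Security log and flatten the EventData fields.
    param([int]$Minutes = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($f in $xml.Event.EventData.Data) { $data[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = $data['IpAddress']        # '-' for local/console failures
            Target    = $data['TargetUserName']
            LogonType = [int]$data['LogonType']   # 3 = network (SMB), 10 = RDP, 2 = console
            Status    = $data['Status']
        }
    }
}

function Find-BruteForce {
    # Emit one alert per source address whose failures exceed the thresholds in a sliding window.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 10,        # failures from one source ...
        [int]$WindowMinutes = 5,     # ... within this many minutes ...
        [int]$DistinctAccounts = 3   # ... spread over at least this many accounts
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 } |   # network logons only; console typos are noise here
        Group-Object Source |
        ForEach-Object {
            $source = $_.Name
            $sorted = @($_.Group | Sort-Object Time)
            # Slide a window starting at each failure in turn and count what falls inside it.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start    = $sorted[$i].Time
                $end      = $start.AddMinutes($WindowMinutes)
                $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
                $accounts = @($inWindow | Select-Object -ExpandProperty Target -Unique)
                if ($inWindow.Count -ge $Threshold -and $accounts.Count -ge $DistinctAccounts) {
                    [pscustomobject]@{
                        Source   = $source
                        Failures = $inWindow.Count
                        Accounts = ($accounts -join ', ')
                        First    = $start
                        Last     = $inWindow[-1].Time
                    }
                    break   # one alert per source is enough for triage
                }
            }
        }
}

# Constructed sample data (not real logs): one host spraying six accounts, twice each,
# five seconds apart, plus a single user mistyping a password twice from their own desktop.
$t0 = [datetime]'2017-10-24T10:00:00'
$sample = @()
$n = 0
foreach ($acct in 'Administrator', 'admin', 'user', 'guest', 'backup', 'operator') {
    foreach ($attempt in 1..2) {
        $sample += [pscustomobject]@{ Time = $t0.AddSeconds(5 * $n); Source = '10.0.0.25'; Target = $acct; LogonType = 3; Status = '0xC000006D' }
        $n++
    }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1);               Source = '10.0.0.7'; Target = 'jsmith'; LogonType = 3; Status = '0xC000006D' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1).AddSeconds(20); Source = '10.0.0.7'; Target = 'jsmith'; LogonType = 3; Status = '0xC000006D' }

Find-BruteForce -Events $sample | Format-Table -AutoSize   # only 10.0.0.25 should be reported

# Live use on a workstation or file server:
# Find-BruteForce -Events (Get-FailedNetworkLogons -Minutes 10)
```

The same grouping is what the Splunk alert does: bucket 4625 events with a network logon type by time window and source address, count failures and distinct target accounts, and fire when both cross the thresholds. The exact field names (for example Logon_Type, Source_Network_Address and Account_Name in the Windows add-on) depend on the add-on and version in use, so check them against your own indexed events before writing the search.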

What Next?

Whilst this strain has been relatively well contained, we are seeing a clear trend of attackers re-using existing malware and techniques for new campaigns. We recommend you protect your estate against all known threats, but don't underestimate the importance of layering up security to help protect against the unknown!

