What’s Up?

Rapid7 has been tracking reports of an expanding ransomware campaign dubbed BadRabbit. Russian news outlets and other organizations across Europe have reported being victims of this malware and the “outbreak” is continuing to spread.

The BadRabbit attackers appear to have learned some lessons from previous outbreaks earlier this year and have both limited the external spreading capabilities of the ransomware as well as made the payments a bit harder for researchers, responders and authorities to track.

The main entry point is a prompt to install an update to Flash, but the ransomworm is also capable of gaining a foothold across a victim's network once a system is infected.

It would be a good idea to hold off on clicking any 'update' button until endpoint and perimeter protection vendors have had a chance to fully analyze this new threat and generate configurations for their products and update filtering options for their appliances.

What Can You Do?

Don’t click “Update” on anything for a while. That may sound strange, but if you’re in a managed organization, your IT department should be controlling when updates happen. If you are an individual user, there will be more short-term harm in clicking an unfamiliar “update” button then there will be in holding off for an extra day or two.

If you are in an organization and believe your system has been impacted, report the incident through your standard reporting processes.

The best route for individuals impacted is to restore from backup or start a fresh installation and recover as much as possible from other means. It is not recommended that anyone pay the ransom, especially since there has been no widespread confirmation that decryption keys are provided upon receipt of payment (which is in Bitcoin). Indeed, since the unrecoverability of NotPetya came to light, it appears that the salad days of ransomware are over; it’s very difficult to trust online criminals anymore.

Stay Alert!

Rapid7 is continuing to monitor the spread of ‘BadRabbit’ and will post updates as news happens. The following links provide additional information and resources for understanding this latest ransomware attack.

Update October 27, 2017

Information on BadRabbit continues to trickle in as more researchers have opportunity to dig into the malware and investigate its composition and behavior.

Cisco's Talos team appears to have confirmed that this ransomware uses techniques found in the exploits released by the Shadow Brokers earlier this year. Those holes were patched by Microsoft even prior to the Shadow Brokers dump, meaning that an effective and timely patching program continues to be one of the best ways to ensure you are not impacted by future attacks that employ exploits from these now-known vulnerabilities.

We can say for certain that this won't be the last major ransomware case and can also say with very high confidence there will be more opportunistic and targeted campaigns that use techniques, as well as components, from the Shadow Brokers May 2017 exploit dump. Knowing this, it's more important than ever to:

  • Patch. Patch. Patch. Previous, wide-scale, debilitating ransomware attacks this year could have been prevented with patching, and attacks that utilize components from the Shadow Brokers dump are mitigated with the patches released by Microsoft.
  • Emphasize awareness. This new campaign relied heavily on user interaction. This reliance is very likely the central reason it has not spread as fast since it presents a fairly sketchy Flash update prompt that an increasing number of users know better than to click on.
  • Control configurations. Admin-level privileges were also required for this bit of ransomware to take hold on a system. Ensuring you have solid control over user endpoints can go a long way into helping prevent future, similar attacks.

Banner image (used CC-BY-SA) by Eric Ward