BadRabbit makes me WannaCry again

A new strain of Ransomware called BadRabbit has been causing problems for media and transportation companies in Russia and the Ukraine. In spite of the headline (which we couldn't resist) the attack seems to have more code in common with Not-Petya rather than WannyCry. However, there is only a 13% match so attribution is uncertain at this point. Unlike WannaCry, BadRabbit does not spread from network to network unassisted, though it does attempt to spread to other Windows computers on the same network. The initial infections appear to have been due to a watering hole attack. Several popular websites were compromised. They had javascript added to them which would prompt visitors to download a fraudulent update to Adobe Flash. Once installed, BadRabbit attempts to spread within the network using a hard coded list of popular credentials, WebDAV, and possibly the EternalBlue vulnerability, though the last has not been confirmed. There is no evidence of any distribution of this attack by spam email or targeted phishing attacks. Most anti-virus packages are now detecting and blocking Black Rabbit, so it is unlikely to spread further. However, the basic precautions that would have prevented it spreading are still good advice:
  • Don't run Flash
  • Use strong passwords
If you must run Flash sometimes, install it in a separate browser, and don't have it on the browser you use most of the time. Above all, make sure your updates are only coming from Adobe, not from other websites, even if they appear to be reputable. Watering hole attacks of this type reveal the difficulty of attribution and the dangers of hacking back. The sites that were distributing the malware were not responsible for the attack. They were themselves victims of a previous attack intended to set up this one. If a security researcher determined that they had received malware from one of these sites and launched a counter attack to take it down, they would be attacking another victim rather than the real perpetrator. In view of the relatively narrow geographic and industry targeting it is likely that this attack is politically motivated rather than simple extortion. As of the time of writing, there do not appear to be any ransom payments made to the bitcoin wallets associated with this attack. The attack would have been much more devastating if the original watering holes had been more widespread. Ransomware as a threat is not going away, and though this may have come from a nation state actor, the barriers to entry are getting lower. Luckily the defenses are getting better as well. Microsoft has introduced a new Windows Defender feature called Controlled Folders which is intended to give additional protection against ransomware. It is currently disabled by default, and may not protect against all attacks, but it is a good start. Over time I expect that Microsoft will win the battle against ransomware on the Windows platform. Here are some links for further information on BadRabbit. If you liked our headline, you'll love The Register's