Ransomware spreading like a Bad Rabbit
Bad guys do not get any dumber. Criminals take notice and learn from the successes and failures of cyber attacks. The lessons learnt from previous cyber attacks are integrated into the next generation of assaults.
Hence, following the high profile damage caused by WannaCry and Nyetya (NotPetya) earlier this year it was inevitable that attackers would seek to combine the self propagating features of those malware with traditional ransomware functionality.
Bad Rabbit was first detected on October 24 being distributed as a drive-by download. Users visiting compromised websites were prompted to install the malware masquerading as a fake Flash Player update. If users click to install the file, the malware executes on the victim’s machine and sets off a chain of events.
The malware checks for other computers on the same network and attempts to spread to infect them using a variety of techniques. In parallel, the malware acts to encrypt local files and demands the payment of a ransom in order to regain access to the encrypted files.
Protecting against threats such as these requires a multi-layered approach to security:
- Back up data. – Effective offline back-ups defeat all forms of ransomware. If files get encrypted they can simply be restored
- Block malware being downloaded. – Solutions such as Cisco Umbrella or Web Security Appliance (WSA) help prevent users from downloading malicious files.
- Segment networks. – Networks that are not segmented allow self-propagating malware to spread internally. Segment large networks into separate functional units using physical firewalls such as a Cisco Firepower system; or segment using software defined networking (SDN).
- Disable unnecessary services. – Only allow network services that you need to cross between segmented networks. If you don’t use desktop management services such as WMI, then disable these on endpoints. This removes some of the techniques used by malware, such as Bad Rabbit, to spread.
- Use endpoint protection such as Cisco Advanced Malware Protection for Endpoints (AMP). This can block malware executing and give visibility of when, where and how infections have occurred.
- User education. – Teach users about the dangers of drive-by downloads, in order to be wary of unprompted downloads when browsing.
Ransomware remains a profitable business model for criminals. Large criminal revenues from this activity depend on infecting large numbers of systems. Self-propagating ransomware which spreads within internal networks, such as we have seen with Bad Rabbit is likely to become an increasingly common technique. Organisations need to take steps to review their level of protection against this risk.