Bad Rabbit Ransomware Attack
What is “Bad Rabbit” Ransomware?
Cyber attacks using malware called “Bad Rabbit” were reported in Ukraine and Russia beginning Tuesday, October 24th, causing disruptions to Ukraine’s transportation infrastructure, Russian media outlets, and several other organizations.
Trend Micro found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.
Forcepoint is also investigating the attacks and will publish updates as they become available. Forcepoint Security Labs has added the following protection updates in light of this attack:
- Real Time updates detect injections on websites compromised to serve the attack
- URL categorization for domains and strings that are hosting malicious components
- Malicious files are detected as W32/DiskCoder.A.gen!Eldorado and W32/DiskCoder.B.gen!Eldorado
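The delivery chain described above leaves two indicators a defender can hunt for in web proxy logs: requests to the staging domain (1dnscontrol[.]com) and downloads of a file named install_flash_player.exe. The PowerShell below is an added example, not code from the original post or from Trend Micro or Forcepoint. The log lines are constructed sample data in a simple "timestamp client url" layout; real proxy logs need their own field parsing, and the `Find-BadRabbitIndicators` function name and its parameters are this example's own.

```powershell
# Added example (not from the original post): hunt proxy/web logs for the
# Bad Rabbit delivery indicators named in the advisory. The lines below are
# constructed sample data; adjust the -split layout for your own log format.

$SampleLog = @'
2017-10-24T10:01:12Z 10.0.0.15 http://news-site.example/index.html
2017-10-24T10:01:13Z 10.0.0.15 http://1dnscontrol.com/flash_install
2017-10-24T10:01:20Z 10.0.0.15 http://1dnscontrol.com/install_flash_player.exe
2017-10-24T10:02:44Z 10.0.0.22 http://cdn.example/jquery.min.js
2017-10-24T10:03:01Z 10.0.0.31 http://download.example/setup/install_flash_player.exe
not a well formed line
'@

# Indicators taken from the advisory text: the staging domain (written
# undefanged here so it matches real log entries) and the fake installer name.
$IndicatorDomains   = @('1dnscontrol.com')
$IndicatorFilenames = @('install_flash_player.exe')

function Test-DomainMatch {
    # True when the host is the indicator domain itself or a subdomain of it.
    param([string] $HostName, [string[]] $Domains)
    foreach ($d in $Domains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-BadRabbitIndicators {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $Domains   = $IndicatorDomains,
        [string[]] $Filenames = $IndicatorFilenames
    )
    foreach ($line in $LogLines) {
        # Expected layout: <timestamp> <client-ip> <url>; skip anything else.
        $parts = $line -split '\s+', 3
        if ($parts.Count -lt 3) { continue }
        $timestamp, $client, $url = $parts
        try { $uri = [uri]$url } catch { continue }   # unparsable URL, skip

        $reasons = @()
        $hostName = $uri.Host.ToLowerInvariant()
        if (Test-DomainMatch -HostName $hostName -Domains $Domains) {
            $reasons += "domain:$hostName"
        }
        # Match the installer name wherever it is served from, not only the
        # staging domain: the watering-hole sites may redirect elsewhere.
        $leaf = [System.IO.Path]::GetFileName($uri.AbsolutePath)
        if ($Filenames -contains $leaf.ToLowerInvariant()) {
            $reasons += "filename:$leaf"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Timestamp = $timestamp
                Client    = $client
                Url       = $url
                Reason    = ($reasons -join ',')
            }
        }
    }
}

$hits = Find-BadRabbitIndicators -LogLines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
```

Each hit carries the client address, so the output doubles as a list of hosts to isolate and examine for the dropped installer. The filename match is deliberately host-independent: a fake Flash installer fetched from any domain after a visit to a news site is worth a look, while the domain match catches the earlier stage even when the download itself never completed (the advisory notes the URL was already unreachable at publication).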
What steps should you take to reduce the risk of an attack?
- Patch and update your systems, or consider a virtual patching solution.
- Enable your firewalls as well as intrusion detection and prevention systems.
- Proactively monitor and validate traffic going in and out of the network.
- Implement security mechanisms for other points of entry attackers can use, such as email and websites.
- Deploy application control to prevent suspicious files from executing, alongside behaviour monitoring that can block unwanted modifications to the system.
- Employ data categorization and network segmentation to mitigate further exposure and damage to data.
- Disable SMBv1 on vulnerable machines, either via GPO or by following the instructions provided by Microsoft.
- Ensure that all of the latest patches (using a virtual patching solution where possible) are applied to affected operating systems, especially those related to MS17-010 and any recent urgent security bulletins.
- Make sure your organisation implements a robust backup strategy so files are regularly backed up.
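The two host-level items in the list above, disabling SMBv1 and confirming the MS17-010 fix, can be audited in one pass. The script below is an added example, not code from the original post, Trend Micro, Forcepoint or Microsoft. It uses the SMB server cmdlets and the LanmanServer registry value that Microsoft documents for turning SMBv1 off; the `-Remediate` switch and the function names are this example's own. The KB numbers are those Microsoft published for MS17-010 in March 2017; later cumulative updates supersede them, so their absence is a prompt to verify against your patch management system, not proof that the host is exposed.

```powershell
# Added example (not from the original post): audit a Windows host for SMBv1
# exposure and the MS17-010 fix. Run in an elevated PowerShell session.
# Without -Remediate the script only reports.
param(
    [switch] $Remediate
)

# March 2017 MS17-010 KB numbers. Newer cumulative updates replace them, so
# "none found" means "check your update system", not "unpatched".
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through the SMB
    # cmdlets; older hosts only have the registry value, where an absent
    # SMB1 value means the protocol is enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return [bool]$val
}

function Disable-Smb1 {
    # Same change a GPO would push: turn the server-side SMBv1 listener off.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

function Get-Ms17010Status {
    # Get-HotFix reads installed updates from WMI; it can miss updates applied
    # by some deployment tools, hence the "verify" caveat above.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{
        MatchingKbs = ($found -join ',')
        Confirmed   = [bool]$found
    }
}

$smb1Enabled = Get-Smb1State
$patch       = Get-Ms17010Status

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Smb1Enabled      = $smb1Enabled
    Ms17010Kbs       = $patch.MatchingKbs
    Ms17010Confirmed = $patch.Confirmed
} | Format-List

if ($Remediate -and $smb1Enabled) {
    Disable-Smb1
    Write-Host 'SMBv1 server support disabled; restart the LanmanServer service or reboot to apply.'
}
```

Run it first without `-Remediate` across a sample of hosts to see where SMBv1 is still on, then again with the switch once file-server dependencies (old NAS devices, printers, legacy applications) have been checked. Disabling the listener is what stops lateral SMB-based spread; removing the SMB1 Windows feature entirely is a further step that needs a reboot and is left to Microsoft's instructions referenced above.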
Trend Micro and Forcepoint products are already providing some protection against this threat in their latest versions.
To get advice from our engineers about the latest “Bad Rabbit” ransomware, contact our support on 0845 567 8666 or email us at firstname.lastname@example.org.