Bad Rabbit spreading across Europe just like its namesake

Same problem, different week in the cybersecurity world. A new ransomware called Bad Rabbit is spreading across Europe and a portion of the U.S. By last night, Avast antivirus had detected Bad Rabbit in at least one instance in the U.S. The attack started at some point yesterday, hitting Russian companies and spreading across the world from there.

So far the targets have been widespread, with 71% of the victims of Russian origin. Several Russia-based banks have reported they were hit, as have Russian websites Interfax and Fontaku.ru. Other countries Bad Rabbit has infected are Turkey, Germany and Bulgaria.

In Ukraine, at least one airport has been struck, as well as the Kiev subway system. The few U.S. companies that were hit have yet to be identified, but the attack vector has been located and a vaccine has been pushed out throughout the IT community.

Bad Rabbit reportedly gets onto a system by disguising as an Adobe software update. From there, the ransomware locks down files and drives, demanding .05 in bitcoin or roughly $280 for a decryption key. As always, urge your company not to pay the ransom. There’s little to no guarantee the creators behind Bad Rabbit will deliver, and even if they did your company’s money would go on to fund criminal activity.

The minds behind Bad Rabbit are thought to be Game of Thrones fans, as the ransomware contains several references to the popular HBO series. When on an infected system, Bad Rabbit creates several tasks in Windows named after the dragons in the show: Drogon, Rhaegal and Viserion. There is also a task related to a character in the show, named Grey Worm, with the names also appearing in the virus’ lines of code.

In the early hours of the attack wave, the program was flying under antivirus radar. Even though antivirus companies – such as Avast and Kaspersky – are aware of Bad Rabbit’s presence and tracking its spread now,  the ransomware may still creep past your defenses undetected.

Bad Rabbit travels laterally through a network via SMB, so one possible way it jumped into the U.S. is if the victims had partners based in Russia and both were on the same WAN with SMB access. It could have stolen the account information using Mimikatz or through an embedded list of easily cracked account names and passwords.

So how can you protect against Bad Rabbit? Thankfully, the solution is easier than investing in trained hunting dogs or trying to find a real-life Elmer Fudd.

The vaccine works against one of Bad Rabbit’s features that doesn’t allow it to “double-dip” into a previously infected network or an already encrypted system. You’ll want to create a file C:\Windows\infpub.dat & C:\Windows\cscc.dat. Then, go into each of the files’ properties and remove all permissions to both files. Then, remove the inheritance so the files don’t inherit the permissions of the C:\Windows folder.

When deploying, it should look like this:

echo “” > C:\Windows\cscc.dat&&echo “” > C:\Windows\infpub.dat

Icacls C:\Windows\cscc.dat /inheritance:r

Icacls C:\Windows\infpub.dat /inheritance:r

Then if you ever want to remove the extra files, run first:

Icacls C:\Windows\cscc.dat /inheritance:e

Icacls C:\Windows\infpub.dat /inheritance:e

Of course, while preventive measures are best, so are proactive measures such as having routine backups of system files. This practice is vital for any type of total shutdown and recovery process, but it’s become more and more important to have operational backups in light of ransomware and data destruction attacks.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy