Additional Bad Rabbit Information
Initial analysis from various AV vendors shows that the Bad Rabbit malware is a variant of the NotPetya sample.
It is not yet known whether there is actual code reuse or whether the tactics and strings were simply copied from analyzed versions of NotPetya.
The malware can clear Windows event logs by using the Windows ‘wevtutil’ command.
One major difference from NotPetya is that the core Petya code is no longer present. Instead, the sample drops the encryption system driver from the known legitimate DiskCryptor application. The sample writes this encryption driver to the local system as cscc.dat and then leverages it to perform disk encryption. The final payment screen is served over TOR.
McAfee, Symantec, and Carbon Black all have released updated signatures for this ransomware.
Herjavec Group is proactively monitoring all systems to ensure our client environments are up to date with the latest releases.
Proactive Mitigations and Recommendations
Herjavec Group’s Technical Account Managers have been working with Managed Security Services customers to apply additional signatures to clients with endpoint solutions related to the Bad Rabbit Ransomware.
We will seek client approval to deploy signature types and open tickets as required.
Herjavec Group follows best practices in blocking all types of malware from executing (Known, Suspect, and PUP). Additional rules to prevent unknown application types from reading process memory, or unknown applications from launching a command interpreter, will help contain threats capable of spreading via credential theft and lateral movement.
Possible mitigations include not only patching the known vulnerability (as referenced in MS17-010) but also using Group Policy to disable local admin shares on systems.
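The admin-share mitigation above, together with the event-log clearing and the dropped cscc.dat driver described earlier, can be audited on a single Windows host with the following added PowerShell script; it is an illustrative example, not Herjavec Group's tooling or any vendor signature. Assumptions: Windows records event ID 1102 (Security log) and 104 (System log) when a log is cleared, the cscc.dat location under the Windows directory is assumed rather than taken from the advisory, and the AutoShareWks/AutoShareServer registry values are the registry-backed equivalent of the Group Policy setting that disables administrative shares.

```powershell
# Added example: audit one host for Bad Rabbit-related signals.
# Run elevated; pass -Harden to also disable administrative shares.
param([switch]$Harden)

# 1. Evidence of event log clearing (what "wevtutil cl" leaves behind).
#    1102 in Security and 104 in System are Windows' own "log cleared" records.
$since = (Get-Date).AddDays(-7)
$cleared = foreach ($q in @{LogName='Security'; Id=1102}, @{LogName='System'; Id=104}) {
    $q.StartTime = $since
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}
foreach ($e in $cleared) {
    "ALERT: {0} log cleared at {1} (EventID {2})" -f $e.LogName, $e.TimeCreated, $e.Id
}
if (-not $cleared) { "OK: no log-clearing events in the last 7 days" }

# 2. Dropped DiskCryptor driver. The file name is from the advisory; the
#    directory is an assumption, so adjust it to your own indicators.
$driver = Join-Path $env:SystemRoot 'cscc.dat'
if (Test-Path $driver) {
    $hash = (Get-FileHash -Path $driver -Algorithm SHA256).Hash
    "SUSPECT: $driver present, SHA256 $hash (compare against vendor indicators)"
} else {
    "OK: $driver not present"
}

# 3. Administrative shares (C$, ADMIN$). A value of 0 stops the Server service
#    from recreating them; the change takes effect when that service restarts.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val -or $val -ne 0) {
        "WEAK: $name is '$val' (administrative shares are created at boot)"
        if ($Harden) {
            Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
            "HARDENED: $name set to 0"
        }
    } else {
        "OK: $name = 0"
    }
}
# Shares currently exposed, for comparison with the registry state above.
Get-SmbShare | Where-Object Special | Select-Object Name, Path
```

Use the registry change only where the equivalent Group Policy setting is not already managed centrally, since a domain policy will reapply its own value at the next refresh.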
Herjavec Group will continue to monitor activity around the Bad Rabbit Ransomware and publish revised releases accordingly.