Bad Rabbit ransomware

New Ransomware Infection “Bad Rabbit” Reported Around the World

There have been multiple reports of a new ransomware, dubbed “Bad Rabbit,” infecting computers in many countries around the world. This suspected variant of Petya ransomware is malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it.

As always, Herjavec Group advises against paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

We encourage users and administrators to review US-CERT Alerts TA16-181A and TA17-132A that describe these recent ransomware events. Please report ransomware incidents to the Internet Crime Complaint Center (IC3).

Additional Bad Rabbit Information

Initial analysis from various AV vendors shows that the Bad Rabbit malware is a variant of the NotPetya sample.

It is not known yet if there is actual code re-use or if the tactics and strings were simply copied from analyzed versions of NotPetya.

The malware has the ability to clear Windows event logs by using the Windows ‘wevtutil’ command.

One major difference seen in this malware, when being compared to NotPetya, is that the core Petya code is no longer present. Instead, the sample will drop the encryption system driver from the known legitimate DiskCryptor application. This sample will drop the encryption driver onto the local system as cscc.dat and then leverage it to perform disk encryption. The final payment screen is shown over TOR.
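The two host-level behaviours above (clearing event logs with wevtutil and dropping the DiskCryptor driver as cscc.dat) translate directly into detection logic. The following is an added example, not part of the advisory: it scores constructed Sysmon-style process-creation and file-creation events per host, and the hostnames, paths and event shape are assumptions for illustration.

```python
"""Host-based detection for the Bad Rabbit behaviours described above.
Event shape and sample telemetry are constructed for this example."""
import re
from pathlib import PureWindowsPath

# "wevtutil cl <log>" / "wevtutil clear-log <log>" clears a log; "qe" only queries it.
CLEAR_LOG_RE = re.compile(r'wevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\b', re.IGNORECASE)

def is_log_clear(event):
    """Process-creation event (Sysmon-style ID 1) running wevtutil to clear a log."""
    if event.get("id") != 1:
        return False
    image = PureWindowsPath(event.get("image", "")).name.lower()
    return image == "wevtutil.exe" and bool(CLEAR_LOG_RE.search(event.get("cmdline", "")))

def is_cscc_driver_drop(event):
    """File-creation event (Sysmon-style ID 11) writing cscc.dat, the name
    Bad Rabbit gives the dropped DiskCryptor driver, anywhere on disk."""
    if event.get("id") != 11:
        return False
    return PureWindowsPath(event.get("target", "")).name.lower() == "cscc.dat"

def correlate(events):
    """Map host -> sorted findings. A host showing both behaviours also gets
    the combined 'bad_rabbit_pattern' finding, which is the one to escalate."""
    findings = {}
    for ev in events:
        hits = findings.setdefault(ev.get("host", "unknown"), set())
        if is_log_clear(ev):
            hits.add("event_log_cleared")
        if is_cscc_driver_drop(ev):
            hits.add("cscc_dat_dropped")
    for hits in findings.values():
        if {"event_log_cleared", "cscc_dat_dropped"} <= hits:
            hits.add("bad_rabbit_pattern")
    return {h: sorted(v) for h, v in findings.items() if v}

# Constructed sample telemetry (not real logs); hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "target": r"C:\Windows\cscc.dat"},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": '"C:\\Windows\\System32\\wevtutil.exe" cl Security'},
    {"host": "WS02", "id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil qe System /c:5"},   # benign query, must not alert
    {"host": "WS03", "id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Application"},   # log clear alone: single finding
]

if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, hits)
```

Native Windows events 1102 (Security log cleared) and 104 (System log cleared) give the same signal without Sysmon and can be fed through the same correlation.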

McAfee, Symantec, and Carbon Black all have released updated signatures for this ransomware.

Herjavec Group is proactively monitoring for all systems to ensure our client environments are up to date with the latest releases.

Proactive Mitigations and Recommendations

Herjavec Group’s Technical Account Managers have been working with Managed Security Services customers to apply additional signatures to clients with endpoint solutions related to the Bad Rabbit Ransomware.

We will seek client approval to deploy signature types and open tickets as required.

Herjavec Group follows best practices in blocking all types of malware from executing (Known, Suspect, and PUP). Additional rules to prevent unknown application types from reading process memory, or unknown applications from launching a command interpreter, will help contain threats capable of spreading via credential theft and lateral movement.

Possible mitigations include not only patching the known exploit, (as referenced in MS17-010), but also using Group Policy to disable local admin shares on systems.

Herjavec Group will continue to monitor activity around the Bad Rabbit Ransomware and publish revised releases accordingly. 

If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact
Herjavec Group
