It’s another day and another cyber attack headline in the media. This time it’s another ransomware-style attack, this one called “Bad Rabbit”. According to media reports so far, it has mostly impacted organizations in Russia and Ukraine, with some businesses in Turkey and Germany (and possibly Poland and Japan) also affected.
Various vendors have published reports on the infection mechanism. The consistent detail across them is that a number of popular Russian and Ukrainian (and possibly Bulgarian) websites served the initial stage of the attack: the compromised site offers a dropper disguised as an Adobe Flash update, which is downloaded onto the visitor’s PC and then executed by the victim. McAfee has provided a detailed write-up on the attack here. The Cylance blog highlighted 5 components featured in the ‘Bad Rabbit’ code:
- Two versions of Mimikatz used for credential theft
- Two versions of a signed driver used for raw access to the boot sector and for full disk encryption
- One module that infects the MBR and displays the ransomware message
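The drive-by chain described above (a visit to a legitimate site, followed by a download of a "Flash update" executable from somewhere other than Adobe) leaves a recognisable trace in web proxy logs. The following is an added example, not code from the original post or from any of the vendor write-ups it cites: a small Python log scanner that flags executable downloads whose file name is Flash-themed but whose host is not an Adobe domain, and records the referring page so the delivery site can be identified. The log format, the trusted-domain list and the sample log lines are all constructed for illustration; adapt the regex to your proxy's real format.

```python
import re
from urllib.parse import urlparse

# Assumption: these are the only domains you trust to serve Flash installers.
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")

# Content types and extensions that indicate a Windows executable download.
BINARY_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}
EXEC_EXTS = (".exe", ".msi", ".scr", ".com")

FLASH_RE = re.compile(r"flash", re.IGNORECASE)

# Hypothetical proxy log layout (one record per line):
# <timestamp> <client-ip> <method> <url> <status> <content-type> <referer-or-dash>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$"
)

# Constructed sample log lines, not real traffic. Hosts use the .test TLD
# (reserved, never routable); fpdownload.adobe.com is a real Adobe download host.
SAMPLE_LOG = """\
2017-10-24T10:01:12Z 10.0.0.15 GET http://news.example-media.test/index.html 200 text/html -
2017-10-24T10:01:13Z 10.0.0.15 GET http://cdn.example-ads.test/update/flash_player_update.exe 200 application/octet-stream http://news.example-media.test/index.html
2017-10-24T10:02:40Z 10.0.0.22 GET https://fpdownload.adobe.com/get/flashplayer/pdc/27.0.0.170/install_flash_player.exe 200 application/octet-stream https://get.adobe.com/flashplayer/
2017-10-24T10:03:01Z 10.0.0.31 GET http://files.example-cdn.test/FlashUpdate.exe 200 application/x-msdownload http://blog.example-media.test/post/42
2017-10-24T10:03:05Z 10.0.0.31 GET http://files.example-cdn.test/readme.txt 200 text/plain -
"""


def is_trusted_host(host):
    """True if host is one of ADOBE_DOMAINS or a subdomain of one.

    Exact-match-or-dot-suffix avoids the classic mistake of `"adobe.com" in host`,
    which would accept adobe.com.evil.test or notadobe.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ADOBE_DOMAINS)


def looks_executable(path, ctype):
    """Executable by extension or by the content type the server returned."""
    return path.lower().endswith(EXEC_EXTS) or ctype.lower() in BINARY_TYPES


def find_fake_flash_updates(log_text):
    """Return one dict per successful executable download that is Flash-themed
    by file name but served from a host outside the trusted Adobe domains."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        f = m.groupdict()
        if f["method"] != "GET" or f["status"] != "200":
            continue
        u = urlparse(f["url"])
        if not u.hostname:
            continue
        filename = u.path.rsplit("/", 1)[-1]
        if not looks_executable(u.path, f["ctype"]):
            continue
        if not FLASH_RE.search(filename):
            continue
        if is_trusted_host(u.hostname):
            continue  # a genuine Adobe download, not our concern here
        hits.append({
            "time": f["ts"],
            "client": f["client"],
            "host": u.hostname,
            "filename": filename,
            "referer": f["referer"],  # the page that pushed the "update"
        })
    return hits


if __name__ == "__main__":
    for hit in find_fake_flash_updates(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} fetched {hit["filename"]} '
              f'from {hit["host"]} (referred by {hit["referer"]})')
```

The referer is the useful pivot: once a suspicious download is found, every client that visited the same referring page in the same window is a candidate for the next stage (credential theft and MBR infection), even if their download was blocked. Note that the check is deliberately narrow (Flash-themed names only) to keep noise down; a broader hunt would flag any executable served by a host that has never served one before.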
Once again, the attack is initiated by a web browser visiting a trusted media website that had been compromised. Just two weeks ago, we saw a malvertising campaign against Pornhub delivered via a third-party advertising provider.
No doubt we will see recommendations over the coming hours and days on how to mitigate ‘Bad Rabbit’. My guesses are we should expect experts to suggest:
- Removing Flash from your browsers (Adobe patched yet another Flash zero-day just last week, one that had been used in the wild by the BlackOasis APT group)
- Using a browser extension such as an ad blocker and/or NoScript
- Ensuring your browsers are patched and up to date
- Training your users not to click on suspicious links
- Making regular backups
- And so on.
Learn more about Menlo’s approach to solving the web browser risk via Isolation here.