Bad Rabbit Ransomware: What It Is & How to Stop It
In 2017, a ransomware variant called Petya spread across North America hitting corporate giants like Merck and FedEx. The virus is so serious that some affected companies were faced with the fact that their data was simply not recoverable.
In fact, FedEx and other affected companies faced material financial impact in light of the attack. Merck also experienced financial losses of over $275 million, prompting many businesses to take a second look at cybersecurity insurance strategies.
Some companies decided to hire more cybersecurity experts, while others decided to approach Managed IT Service Providers (MSPs) like ITS to solve their concerns.
But where did Bad Rabbit Ransomware come from, and how can you currently protect your business from it?
Where does Bad Rabbit Ransomware Come from?
Bad Rabbit ransomware is a suspected variant of Petya ransomware. Like most malware families, Petya has morphed into countless variants over time. The latest potential Petya variant has been dubbed Bad Rabbit and has already affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city of Kiev, according to the BBC. Even worse, Bad Rabbit showed no signs of stopping as it spread rapidly across Russia, Ukraine and Germany and into North America.
Leading antivirus company Avast reported that the Bad Rabbit virus had made its way to the US. Though specific breach details are difficult to come by, the US Department of Homeland Security (DHS) issued a warning about Bad Rabbit stating:
“US-CERT has received multiple reports of Bad Rabbit ransomware infections in many countries around the world. This suspected variant of Petya ransomware is malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”
DHS urged individuals and businesses to take notice and be vigilant in the face of this latest malware attack. To combat the threat, DHS is urging IT professionals to review US-CERT Alerts TA16-181A and TA17-132A, each of which describes recent ransomware events.
While cybercriminals can often be hard to track and prosecute, DHS is urging professionals to recognize the importance of making explicit reports in the case of an attack. The organization asked any potential victims of Bad Rabbit to report ransomware incidents to the Internet Crime Complaint Center (IC3) immediately.
What does Bad Rabbit Ransomware do?
Bad Rabbit might sound like a goofy cartoon character, but the impacts of this ransomware variant are no laughing matter. The Bad Rabbit virus works swiftly to encrypt the contents of a computer and demands a payment of 0.05 bitcoin, or about $280 (£213), according to recent reports.
The ransomware masquerades as a convincing update for Adobe Flash, and once downloaded it attempts to spread within victims’ networks, according to The Wall Street Journal. In reality, of course, the attacks “do not utilize any legitimate Flash Player updates nor are they associated with any known Adobe product vulnerabilities,” warns an Adobe spokeswoman.
How do you stop Bad Rabbit Ransomware?
In the face of this looming cyber threat, professionals have one question: how can I protect my business from Bad Rabbit? Cybersecurity professionals across the country have been working to identify concrete ways to prevent the Bad Rabbit virus and help business owners stop the cybercriminals in their tracks.
Steps to stop Bad Rabbit Ransomware
A Massachusetts researcher from Cybereason claimed that he has a vaccine to protect clients from Bad Rabbit. Following this short series of fool-proof steps will vaccinate your company’s computers, laptops, and other devices, keeping them safe from a Bad Rabbit infection:
1. Create two files: C:\Windows\infpub.dat and C:\Windows\cscc.dat.
Go into each file’s properties and remove all permissions on both files. When doing this, remove inheritance so the files do not inherit the permissions of the C:\Windows folder.
2. Monitor your Event Logs.
Microsoft states that because Bad Rabbit clears the event logs and creates scheduled tasks under the names Drogon, Rhaegal and Viserion, business owners can monitor their event logs to proactively detect this type of malicious activity.
Watch out for these two events in particular:
Event 1102 – indicates that the audit log has been cleared.
Event 106 – indicates that a scheduled task has been created.
3. Keep Microsoft Defender up to date.
Microsoft has also been working diligently to issue threat reports regarding Bad Rabbit. It refers to Bad Rabbit as Ransom:Win32/Tibbar.A and states that Windows Defender can detect the ransomware using detection updates 255.29.0 and higher.
4. Get system administrators to attach a scheduled task to Events 1102 and 106 that will run a specified command if the events are detected.
This command, for example, could send an email or alert to an administrator. If these events are detected proactively, they may indicate that the computer has been scheduled for a shutdown. Microsoft suggests business owners can then abort this process by using the shutdown -a command.
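The four steps above, scripted as an added example (this is not the article’s, Cybereason’s or Microsoft’s own code): it creates the two vaccine files with inheritance removed, looks for the three task names, refreshes Defender signatures, and registers a task triggered by Events 1102 and 106 that aborts a pending shutdown and alerts an administrator. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later; the mail addresses and SMTP server are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Placeholders: the example.invalid addresses/server.

# Step 1: vaccine files with inheritance removed and no explicit permissions left.
foreach ($path in 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat') {
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from C:\Windows, do not copy rules
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null   # strip any explicit rules as well
    }
    Set-Acl -Path $path -AclObject $acl
}

# Step 2: check for the scheduled task names the article associates with Bad Rabbit.
$suspect = Get-ScheduledTask -TaskName 'Drogon', 'Rhaegal', 'Viserion' -ErrorAction SilentlyContinue
if ($suspect) { Write-Warning ('Suspicious scheduled tasks present: ' + ($suspect.TaskName -join ', ')) }

# Step 3: pull the latest Windows Defender definitions (no-op if Defender is not installed).
Update-MpSignature -ErrorAction SilentlyContinue

# Step 4: event-triggered responder for Security 1102 (log cleared) and TaskScheduler 106 (task created).
# The TaskScheduler operational log is disabled by default on some builds; enable it so 106 is written.
wevtutil.exe set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$queries = @(
    '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=1102]]</Select></Query></QueryList>',
    '<QueryList><Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational"><Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[EventID=106]]</Select></Query></QueryList>'
)
$triggers = foreach ($q in $queries) {
    $t = New-CimInstance -CimClass $triggerClass -ClientOnly
    $t.Subscription = $q
    $t.Enabled = $true
    $t
}
# Responder: abort any pending shutdown (shutdown /a) and mail an administrator.
$responder = "shutdown.exe /a; Send-MailMessage -To 'admin@example.invalid' -From 'alerts@example.invalid' " +
             "-SmtpServer 'smtp.example.invalid' -Subject ('Ransomware indicator on ' + `$env:COMPUTERNAME) " +
             "-Body 'Event 1102 or 106 fired; pending shutdown aborted.'"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$responder`""
Register-ScheduledTask -TaskName 'BadRabbitResponder' -Trigger $triggers -Action $action `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
```

Event 1102 is written to the Security log whenever it is cleared, so no extra audit policy is needed for that trigger; the 106 trigger depends on the operational log being enabled as shown.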
Ready to protect your company from Bad Rabbit - and future - ransomware?
When threatening and complicated reports of ransomware hit the news waves, it can understandably leave business owners feeling paralyzed – unsure of how to best implement strategies for prevention and protection. Now is the time for proactive IT.
If you’re worried about Bad Rabbit and its ability to take hold of your critical business data and not sure how to best protect your business, read 4 Tips to Protect Your Small Business from Ransomware. Whatever you do, don’t wait to fall down the rabbit hole.