Just when we thought 2017 has seen its share of ransomware attacks, yet another surfaced recently. Named BadRabbit, researchers have found out that it’s a rehash of NotPetya’s code. But thankfully has not been as effective as WannaCry or NotPetya. Among the affected, the most significant have been Ministry of Infrastructure, Ukraine, Odessa’s airport, Kiev’s subway and two other Russian media groups.
Resources suggest BadRabbit requests a ransom of .05 Bitcoin which roughly translates as $276 USD. Of the 15 countries which have been targeted so far, the most affected have been Russia, with 71 percent of detections observed, followed by Ukraine (14 percent) and Bulgaria (8 percent).
BadRabbit Used Russian-Based News Sites
Interfax and Fontanka, both Russian-based news websites, where used largely to spread the BadRabbit ransomware via what seems to be a watering hole attack. There were two goals behind the attack: 1) to collect money and 2) to disable the infected company’s operations. The injected malicious script prompted visitors to the website to download a fake Adobe Flash installer update. One executed, BadRabbit sets to work.
How Does BadRabbit Spread?
Having successfully infected a computer, BadRabbit goes on to infect other computers within the network by using a set of default login and password combinations used for lateral movement within the local network. It also makes use of Mimikatz, to extract other combinations used by the infected user.
Mimikatz exploits a process in Windows called LSASS (Local Security Authority Subsystem Service) which stores passwords used during various authentication sessions. It scans LSASS’ memory and collects various credential pairs and then dumps them out, which is then used by BadRabbit to encrypt remote shares and to spread to additional machines.
Preventing BadRabbit Ransomware Attack
If your Windows folder (c:\Windows\) contains a file named cscc.dat, then you are safe. If not, you can create this file by creating a text file and renaming it to cscc.dat and saving it in c:\Windows\ folder.
Additional security measures include:
Using Antivirus Package for Virus Protection: Comodo Antivirus does a great job of protecting your PC(s) virus protection. Although not effective against a ransomware this is a security precaution every PC user must take.
Keeping Your Software and Systems Up-to-Date: This can be done manually or in case you are running an enterprise, then by using Comodo Patch Management software, which allows system administrators to roll out security fixes in a systematic and timely fashion.
Using Endpoint Security Software: Way better than the above two options. And definitely a must-have if you have a network. Comodo Endpoint Protection is something which you can consider. Pretty effective against combating ransomware.
Taking General Precautions: Stay away from shady websites, exercise caution while downloading stuff, do not open any suspicious links or attachments from unknown senders and other similar stuff which can get your system infected. Be a cautious internet user, not a gullible one.
Our Comodo One group of products which offers services like Patch Management, Remote Monitoring and Management and other IT security essentials can be of great help to you if you wish to protect your networks from ransomware attacks like BadRabbit, Petya or Not-Petya and the likes of others as well.