Bad Rabbit? When I grow up I want to get the job of naming malware attacks and exploits. The first image that comes to mind for me when I hear “Bad Rabbit” is Frank from the 2001 movie Donnie Darko, but now it has a new association. Bad Rabbit, in its current context, is the name of a new ransomware attack that spread across Russia and Ukraine earlier this week, leaking out to Poland and South Korea and eventually reaching the United States as well.
How Bad Rabbit Spreads
The primary infection source for Bad Rabbit has been compromised Russian, Ukrainian, Bulgarian and Turkish news sites, which redirect visitors to a malicious server that serves the actual malware. At the time of writing, that server has still not been taken down.
There are two “silver lining” caveats that should prevent Bad Rabbit from propagating wildly across the world—or at least slow it down significantly compared with other ransomware attacks.
- Bad Rabbit only affects machines running the Windows operating system.
- The infection requires user interaction. Bad Rabbit relies on social engineering rather than an exploit: the compromised sites push a dropper disguised as an Adobe Flash Player installer. Only when a user runs the fake installer and approves the Windows UAC elevation prompt does the malware install.
Once the initial machine is infected, Bad Rabbit attempts to move laterally over Windows SMB and network shares to compromise additional endpoints. It still does not exploit a vulnerability to do so. Instead it scrapes the memory of the infected machine for credentials and password hashes and uses any valid credentials it finds to log in to other machines and infect them. If the memory scraping yields nothing useful, Bad Rabbit falls back on a built-in list of common usernames and passwords. The practical consequence is that the damage depends heavily on who was logged in to the first victim: a workstation holding cached domain administrator credentials gives the malware the run of the network.
What You Should Know about Bad Rabbit Malware
There’s a lot we still don’t know about Bad Rabbit, such as how the websites where the ransomware originated were compromised in the first place. The little bit we know so far, though, is useful and can help you avoid becoming a victim of Bad Rabbit.
Because no vulnerability is being exploited, there is no patch to apply. Guarding against Bad Rabbit comes down primarily to security awareness, security policies, and security best practices. Organizations that enforce least privilege and do not grant users local admin rights on their machines are largely protected, since a standard user cannot approve the UAC elevation the dropper requests. The caveat is that UAC only holds if the user cannot supply an admin password at the prompt; a user who knows one and types it in has handed the malware the rights it needs.
There is also one do-it-yourself mitigation, suggested by security researcher Amit Serper, that prevents infection. Create the files c:\windows\infpub.dat and c:\windows\cscc.dat and then remove all permissions on them, including inherited permissions, so that the dropper can neither create nor overwrite them.
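The mitigation above, scripted, as an added example for this post (it is not code from the original article or from Amit Serper). It creates the two file names under %SystemRoot%, strips every access control entry from them, inherited entries included, and then reports what it did. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example: Bad Rabbit file-name "vaccine". Creates the two files the
# dropper writes and leaves them with an empty DACL so nothing can open,
# overwrite or delete them. Requires an elevated PowerShell session.

$vaccineFiles = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),
    (Join-Path $env:SystemRoot 'cscc.dat')
)

foreach ($path in $vaccineFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Set read-only before touching the DACL: once the DACL is empty,
    # attribute changes on the file are refused as well.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting from C:\Windows and discard the inherited entries
    # ($false = do not copy them onto the file as explicit rules).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries that remain so the DACL ends up empty.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify: each file exists and carries no access control entries at all.
# Reading the ACL still works because the owner implicitly holds READ_CONTROL.
foreach ($path in $vaccineFiles) {
    $entries = @((Get-Acl -LiteralPath $path).Access).Count
    '{0}: exists={1}, ACEs={2}' -f $path, (Test-Path -LiteralPath $path), $entries
}
```

You can double-check the result with `icacls C:\Windows\infpub.dat`, which should list no entries. Treat this as a stopgap: it only blocks a dropper that uses exactly these file names, so a modified sample would walk straight past it, and the least-privilege and awareness controls described above remain the real defence.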
Finally, while there is no single signature that catches Bad Rabbit, there are ways to look for it based on what we know about how it infects and spreads. A burst of failed logon attempts (Windows Security event 4625) originating from one workstation against many accounts is what its credential spraying over SMB looks like, and SMB connections between workstations that do not normally talk to each other are another sign. Watching for either can let you spot a compromised machine and take action before the threat spreads any further.
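The failed-logon check above, scripted, as an added example that is not part of the original post. It pulls Security event 4625 from the local log, keeps only network logons (logon type 3, which is what SMB produces), and flags any source address that fails against several different accounts. The event field names (IpAddress, WorkstationName, TargetUserName, LogonType) are the standard ones for 4625; the thresholds and the sample data are assumptions constructed for the example.

```powershell
# Added example: spot credential spraying against this host from the
# Security log. Bad Rabbit's SMB lateral movement tries harvested and
# hard-coded credentials against neighbours, producing exactly this footprint.

function Get-FailedNetworkLogons {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Reading the Security log requires an elevated prompt.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Source      = $data['IpAddress']
                Workstation = $data['WorkstationName']
                Target      = $data['TargetUserName']
                LogonType   = [int]$data['LogonType']
            }
        }
}

function Find-CredentialSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Logons,
        [int]$MinFailures = 10,        # assumption: tune to your environment
        [int]$MinDistinctTargets = 3   # assumption: one user mistyping hits one account
    )
    $Logons |
        Where-Object { $_.LogonType -eq 3 } |   # network (SMB) logons only
        Group-Object Source |
        ForEach-Object {
            $targets = @($_.Group.Target | Sort-Object -Unique)
            if ($_.Count -ge $MinFailures -and $targets.Count -ge $MinDistinctTargets) {
                [pscustomobject]@{
                    Source   = $_.Name
                    Failures = $_.Count
                    Targets  = ($targets -join ', ')
                    First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                    Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
                }
            }
        }
}

# Constructed sample (not real telemetry): one workstation walking a password
# list across four accounts over SMB, plus a user who mistyped a password twice.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{
            Time = $now.AddMinutes(-$_); Source = '10.0.0.23'; Workstation = 'WS-ACCT-07'
            Target = @('Administrator', 'backup', 'svc_sql', 'alice')[$_ % 4]; LogonType = 3
        }
    }
    [pscustomobject]@{ Time = $now; Source = '10.0.0.41'; Workstation = 'WS-HR-02'; Target = 'bob'; LogonType = 2 }
    [pscustomobject]@{ Time = $now; Source = '10.0.0.41'; Workstation = 'WS-HR-02'; Target = 'bob'; LogonType = 2 }
)

# Only 10.0.0.23 is reported: 12 network failures across 4 accounts.
Find-CredentialSpray -Logons $sample | Format-Table -AutoSize

# On a live host, feed the real events instead:
# Find-CredentialSpray -Logons (Get-FailedNetworkLogons -Since (Get-Date).AddHours(-6))
```

Running this on every workstation does not scale; the same grouping is more useful on a domain controller, where NTLM failures from across the network land, or in whatever SIEM already collects 4625 events.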
Alert Logic can monitor for transfers of the .dat files used by Bad Rabbit. However, we have not yet seen any Bad Rabbit activity among our customers.
There is emerging speculation that Bad Rabbit may also include the EternalBlue or EternalRomance exploits leaked from the NSA. Alert Logic researchers recognize where the speculation is coming from, but do not presently believe there is functional code in Bad Rabbit to allow it to execute those exploits. We will continue to investigate and monitor for changes in the way Bad Rabbit behaves or spreads.