HKCert
Security Blog

New Ransomware "BadRabbit"

Release Date: 25 / 10 / 2017
Last Update: 25 / 10 / 2017

A new ransomware, named BadRabbit and similar to NotPetya, is spreading widely in Russia, Ukraine and several European regions. So far, one infection scenario has been identified:

Means of distribution and impacts

A fake Adobe Flash installer may be downloaded to the targeted system when a user visits a compromised legitimate site. The ransomware infects the system once the user executes the fake installer with administrator privileges. The encryption process may start after the computer restarts.

The ransomware scans the victim's home or office network. To spread to other computers on the same network, it may try to log on with common credentials (e.g. a default username and a weak password) via WMI management tools. Furthermore, if other computers are found, it may try to use the EternalBlue exploit tool to attack the SMB vulnerability.
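The credential-guessing spread described above leaves a recognisable trace in Windows Security logs: one source address authenticating (or failing to authenticate) over the network, logon type 3, against many different hosts within minutes. The function below is an added example written for this post, not code from HKCert or from the BadRabbit analysis; it runs over simplified event objects with assumed property names (Time, Computer, SourceIp, Account, LogonType) that an operator would map from the 4624/4625 fields of events collected from several hosts. The sample events are constructed for illustration.

```powershell
# Added example (not from the HKCert advisory): flag a source that performs
# network logons (type 3) against many distinct hosts inside a short window.
# Event objects are assumed to have Time, Computer, SourceIp, Account, LogonType;
# map these from the real 4624/4625 event fields when feeding collected logs.
function Find-LogonSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinTargets = 5,       # distinct hosts that trigger a finding
        [int]$WindowMinutes = 10    # sliding window length
    )
    $hits = @()
    $bySource = $Events | Where-Object { $_.LogonType -eq 3 } | Group-Object SourceIp
    foreach ($g in $bySource) {
        $sorted = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end = $start.AddMinutes($WindowMinutes)
            $window = $sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end }
            $targets = @($window | Select-Object -ExpandProperty Computer -Unique)
            if ($targets.Count -ge $MinTargets) {
                $hits += [pscustomobject]@{
                    SourceIp    = $g.Name
                    Accounts    = (@($window | Select-Object -ExpandProperty Account -Unique) -join ',')
                    TargetCount = $targets.Count
                    WindowStart = $start
                }
                break   # one finding per source is enough for triage
            }
        }
    }
    return $hits
}

# Constructed sample events: 10.0.0.5 hits six hosts in three minutes with a
# default-style account; 10.0.0.9 is ordinary activity against two hosts.
$base = [datetime]'2017-10-24T14:00:00'
$sample = @()
$hosts = 'WS01','WS02','WS03','FS01','WS04','WS05'
for ($n = 0; $n -lt $hosts.Count; $n++) {
    $sample += [pscustomobject]@{ Time=$base.AddSeconds(30*$n); Computer=$hosts[$n]
                                  SourceIp='10.0.0.5'; Account='Administrator'; LogonType=3 }
}
$sample += [pscustomobject]@{ Time=$base.AddMinutes(1); Computer='FS01'; SourceIp='10.0.0.9'; Account='alice'; LogonType=3 }
$sample += [pscustomobject]@{ Time=$base.AddMinutes(8); Computer='WS02'; SourceIp='10.0.0.9'; Account='alice'; LogonType=3 }

Find-LogonSpray -Events $sample | Format-Table -AutoSize
```

Against the constructed sample the function reports only 10.0.0.5 (six targets, account Administrator). Thresholds are assumptions: on a real network, tune MinTargets and WindowMinutes against the normal fan-out of backup, monitoring and management hosts before alerting, and exclude those sources explicitly rather than raising the threshold for everyone.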

Advice on prevention

If you want to protect yourself from this threat, follow these steps:
1. Apply the latest security updates to Windows and other applications, especially MS17-010;
2. Regularly back up data and keep an offline copy;
3. Only execute files from trusted sources, e.g. download patches only from the official site;
4. Use a customised user name and a strong password. Define a password policy to reduce the relevant risks;
5. Minimise the number of users who have administrator privileges to confine the scope and impact of attacks, and limit the privileges of the accounts used in daily operation;
6. Ensure anti-virus or Internet security software is installed, and keep its signatures updated;
7. Ensure your personal firewall is turned on to block incoming SMB connections; and
8. Do not open links or attachments in any suspicious emails.
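Steps 1, 4, 5 and 7 can be checked on a single Windows host from an elevated PowerShell session. The script below is an added example for this post, not HKCert tooling; it assumes Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration and the NetSecurity and LocalAccounts cmdlets). The MS17-010 KB numbers differ per Windows version and are not listed in this advisory, so the script takes them as an operator-supplied parameter taken from the Microsoft bulletin; the firewall rule name is a hypothetical label.

```powershell
# Added example (not from the HKCert advisory): report-only hardening check for
# the prevention advice above. Run elevated. -ApplyFirewallRule actually creates
# the inbound SMB block rule; without it the script only reports.
[CmdletBinding()]
param(
    # KB article IDs that deliver MS17-010 for this OS build (operator-supplied
    # from the Microsoft bulletin; none are hard-coded here on purpose)
    [string[]]$Ms17010KbIds = @(),
    [switch]$ApplyFirewallRule
)

$findings = @()

# Step 1: MS17-010 present? Only checkable if the operator supplied KB IDs.
if ($Ms17010KbIds.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010KbIds -contains $_.HotFixID }
    if (-not $installed) {
        $findings += "MS17-010 hotfix not found (checked: $($Ms17010KbIds -join ', '))"
    }
} else {
    $findings += "No KB IDs supplied; MS17-010 status not checked"
}

# EternalBlue targets SMBv1; report if the server-side protocol is still enabled.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings += "SMBv1 server protocol is enabled" }

# Steps 4 and 5: who holds local admin, and which enabled accounts never rotate passwords.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Local Administrators members: $($admins -join ', ')"
$noExpiry = Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.PasswordExpires) }
foreach ($u in $noExpiry) {
    $findings += "Enabled local account with non-expiring password: $($u.Name)"
}

# Step 7: every firewall profile on, plus an explicit inbound block for SMB ports.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall profile disabled: $($_.Name)"
}

$ruleName = 'Block inbound SMB (445/139)'   # hypothetical rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    if ($ApplyFirewallRule) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445,139 -Action Block -Profile Any | Out-Null
        $findings += "Created firewall rule '$ruleName'"
    } else {
        $findings += "No inbound SMB block rule named '$ruleName' (rerun with -ApplyFirewallRule)"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Blocking inbound 445/139 is appropriate for workstations and laptops, which is where step 7 is aimed; on a file server or a domain controller the same rule breaks file sharing and management, so scope it with -RemoteAddress to the subnets that legitimately need access instead of -Profile Any.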

For more information:

BadRabbit: New ransomware wave hitting RU & UA
https://isc.sans.edu/diary/rss/22964
Multiple Ransomware Infections Reported
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported