Threat Flash Alert
Likelihood (SOD Customers): LOW
It looks as though Bad Rabbit (an almost NotPetya clone) is another targeted attack against Russian and Ukrainian entities with broader, unintended infection vectors outside their borders, not an attempted “cash in” on the recent widespread ransomware outbreaks. Samples studied of the malware lacked the EternalBlue (CVE-2017-0143 and CVE-2017-0144) spreading mechanism present in most ransomware created after the WannaCry outbreak back earlier this year, but will steal locally cached credentials with MimiKatz. Due to the interconnectivity of the global business environment, companies with business units in Eastern Europe could be vulnerable to an infection depending on network connections with other companies or entities in the region.
Security On-Demand (SOD)Actions
SOD continues to monitor the events closely. Our Security Operations Center is on high alert and hunting for applicable indicators across all of our clients. We are tracking connections to known domains and IP addresses, anti-malware alerts, and event log changes among other indicators. We will immediately inform our customers of any indication that an infection may be occurring or has occurred in your network. **If you have not received a critical notification from us, then we have not detected any Bad Rabbit activity in your monitored computing environment.**
Yesterday’s Ransomware outbreak was identified as being an almost cloned version of the NotPetya ransomware released back in June, albeit lacking the EternalBlue spreading mechanism. The outbreak started in the Ukraine and recently spread into Russia and Europe, with infections in a handful of different countries, the United States indicated within only 1% of the infections. It is increasingly becoming likely that this was a targeted attack against media outlets, as confirmed by Interfax (a Russian Media Outlet) Tuesday morning when they said in a statement that their servers were offline due to a virus attack. Group-IB (a Russian security firm) said at least three Russian media outlets have been affected.
What is the infection vector?
The malware is distributed when visitors to a compromised website download a dropper executable masquerading as a Flash Player install.
Once infected, what happens?
Once infected, the malware drops the file infpub.dat into the %SystemRoot% folder and runs it as “rundll32.exe %SystemRoot%\infpub.dat,#1 15”. It then uses the Mimikatz tool designed to steal locally cached domain or admin credentials to facilitate its spread through the victim’s network. It also uses a set of hardcoded usernames and passwords to attempt to brute force its way into other hosts in the environment. This ransomware encrypts drives and overwrites the Master Boot Record (MBR) to present the ransomware screen.
How does it spread?
The ransomware does do some things differently than the NotPetya code: It attempts to clone. It seems to lack the EternalBlue spreading mechanism popular in recent outbreaks and also clears windows logs generating an event 1102 “audit log has been cleared” log along with an event 106 indicates that “scheduled tasks ‘Drogon’ and ‘Rhaegel’ have been registered.”
The main vectors used to spread this ransomware:
- Hard-coded credentials brute forcing the network
- A stripped-down Mimikatz to discover credentials for propagation
- WebDAV for local self-propagation
This malware does immense damage. Currently, the recovery of data is possible but unlikely, and as a result, without backups, that data is effectively lost. The slow-spreading nature of it along with the manual execution of the payload reduces the risk of infection significantly.
- Update A/V and IDS/IPS systems. Most have pushed updates to identify and block infection.
- Keep MS Windows systems up-to-date. Specifically, ensure you have applied patched addressed in MS17-010.
- Disable ports 139 and 445 if not required for business purposes
- Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat and remove ALL PERMISSIONS (inheritance)
This is the new normal
The Ransomware problem is not going away anytime soon. As evidenced by NotPetya, Wcry, Petya, and other outbreaks, there is money to be made, and it works since many unprepared companies will simply pay the ransom. To prepare yourself for Ransomware and other malware attacks it is critical that companies do the following:
- Develop and war-game a Disaster Recovery plan
- Develop and war-game an Incident Response plan, with specific focus on Ransomware
- Backup your data and shield those data stores from other parts of the network to prevent the backups from being encrypted as well.
- Implement a Ransomware policy that will govern the company’s response to a ransomware infection. (E.g., will you or will you not pay the ransom?).
Additionally, use of exploitation techniques developed by nation state elements, such as the National Security Agency, that have been released into the wild will continue to be used by hackers to improve the likelihood of success. Software vendors such as Microsoft release patches and updates regularly that address the vulnerabilities targeted by such exploits. If you do not already have a defined patching policy and process, it is important that one is developed. Keeping your systems up to date and isolating those that cannot be updated is critical.