Chelmo, Brook. “Bad Rabbit Ransomware: The Latest Attack.” SonicWall, October 24, 2017
What Is Bad Rabbit Ransomware?
On Tuesday, Oct. 24, a new strain of ransomware named Bad Rabbit appeared in Russia and Ukraine and spread throughout the day. It was first found after attacking Russian media outlets and large organizations in Ukraine, and has since found its way into Western Europe and the United States. The initial installer masquerades as a Flash update, but the malware is believed to be an updated version of NotPetya, since the infection chain and component usage are identical. Interestingly, this malware contains a list of hardcoded Windows credentials, most likely used to brute-force entry into devices on the network. According to SonicWall Capture Labs threat researchers, Bad Rabbit spreads using the SMB protocol within Windows. We should think of it as a bug-fix maintenance release of NotPetya, with the EternalBlue method of propagation removed. The purpose of using SMB is to spread laterally across an organization.
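As an added illustration (not part of the SonicWall post), the following Python checks Windows Security logon events for the footprint that trying a hardcoded credential list over SMB would leave on the targets: a burst of failed network logons from one source against many distinct accounts, possibly followed by a success. The log format, addresses, host names and account names are constructed; event IDs 4625/4624 and logon type 3 are the standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the page): simplified Windows Security event export,
# one per line: timestamp|event_id|logon_type|source_ip|user|target_host
# (4625 = failed logon, 4624 = successful logon, logon type 3 = network, e.g. SMB)
SAMPLE_LOG = """\
2017-10-24T10:00:01|4625|3|10.0.0.15|Administrator|FILESRV01
2017-10-24T10:00:02|4625|3|10.0.0.15|administrator|FILESRV01
2017-10-24T10:00:03|4625|3|10.0.0.15|Guest|FILESRV01
2017-10-24T10:00:04|4625|3|10.0.0.15|User|FILESRV01
2017-10-24T10:00:05|4625|3|10.0.0.15|root|FILESRV01
2017-10-24T10:00:06|4625|3|10.0.0.15|backup|FILESRV02
2017-10-24T10:00:07|4624|3|10.0.0.15|backup|FILESRV02
2017-10-24T10:00:30|4625|3|10.0.0.42|jsmith|FILESRV01
2017-10-24T10:05:00|4625|3|10.0.0.42|jsmith|FILESRV01
"""

def parse_line(line):
    ts, event_id, logon_type, src, user, host = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "src": src, "user": user.lower(), "host": host}

def detect_credential_spray(log_text, min_accounts=4, window=timedelta(seconds=60)):
    """Flag a source that fails network logons against several distinct accounts
    inside one window, and note any success from that source that followed."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:
            continue  # interactive and other logon types are not SMB lateral movement
        if e["event_id"] == 4625:
            failures[e["src"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["src"]].append(e)
    alerts = []
    for src, fails in failures.items():
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in burst}  # case-folded, so one account counts once
            if len(users) < min_accounts:
                continue
            end = burst[-1]["ts"] + window
            followed = {s["user"] for s in successes[src] if first["ts"] <= s["ts"] <= end}
            alerts.append({"src": src, "accounts_tried": len(users),
                           "hosts": sorted({f["host"] for f in burst}),
                           "success_after": sorted(followed)})
            break  # one alert per source; later bursts belong to the same campaign
    return alerts
```

A success recorded in `success_after` right after such a burst is the host that now merits isolation and credential rotation, since one of the tried passwords worked.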
Are SonicWall Customers Protected from Bad Rabbit?
Yes. SonicWall Capture Labs has released signatures to protect against Bad Rabbit malware, which are available to anyone with an active Gateway Security subscription (GAV/IPS). In addition, the SonicWall Capture Advanced Threat Protection (ATP) sandboxing service is designed to provide real-time protection against new strains of malware, even before signatures are available on the firewall. SonicWall Capture ATP customers will be protected against new forms and copycat versions of this malware. Multiple variations of this ransomware strain have been processed in Capture ATP, with a 100 percent success rate in catching it.
How Can I Stop Ransomware Like Bad Rabbit?
SonicWall customers should immediately ensure they have the Capture Advanced Threat Protection sandbox service turned on for their next-generation firewalls, and have the Block Until Verdict feature activated. For Bad Rabbit, there is no need to manually update the signatures on SonicWall firewalls, as they are automatically propagated to the worldwide installed base upon deployment.
General recommendations for everybody, regardless of their security vendor, include:
- Apply all patches to operating systems
- Protect endpoints with an up-to-date anti-virus solution
- Promote good password hygiene policies
- Ensure firewall and endpoint firmware is current
- Implement a network sandbox to discover and mitigate new threats
- Deploy a next-generation firewall with a gateway security subscription to stop known threats