Bad Rabbit – Are you vulnerable?
A new ransomworm, dubbed “Bad Rabbit,” is rapidly spreading throughout Europe.
On the morning of October 24, a new ransomworm epidemic was discovered. The malware was spotted mostly in Ukraine and Russia, but also in Turkey and Germany.
According to published reports, the targets hit include news media networks, the Kiev metro system, government departments, and more.
Initial analyses indicate that the malware does not exploit a known vulnerability to gain its initial foothold; it relies on internal employees who do not follow security procedures and run software from untrusted sources.
The malware spreads by a watering-hole tactic: the user visits a legitimate but compromised news site, which redirects the user to a malicious site under the attackers' control. There the user is tricked into downloading a fake Flash Player update. The machine is infected as soon as the victim runs the downloaded installer.
As soon as the malware compromises a system, it uses several techniques to extract credentials and then uses those credentials to spread further within the network.
It spreads to other machines using a method similar to that of NotPetya, the ransomware that exploded across the world in June 2017.
Immediate Precautionary Steps:
- Update your antivirus on endpoints, servers, and mail servers.
- Block all communication between your network and the malware's infection servers at 188.8.131.52 and 1dnscontrol.com.
- Creating the files C:\Windows\infpub.dat and C:\Windows\cscc.dat and then removing all permissions on them (including inherited permissions) can help stop the infection, because the malware writes its components to those paths.
- Prevent internal users from directly downloading .exe files (enforce this on the organization's proxy).
- Where possible, restrict SMB traffic between end-user workstations.
- If you have a VPN to Ukraine, monitor it more closely over the next few weeks, specifically for SMB traffic.
- Because the malware spreads with harvested credentials, restrict the use of local administrator accounts and use distinct accounts per machine rather than one shared local admin.
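The following script is an added example, not part of the original advisory or any vendor tool: it applies the host-level steps above (vaccine files, blocking the infection servers, blocking inbound SMB on workstations) on a single Windows machine and then checks that each step took effect. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), uses the IP and hostname exactly as the advisory lists them, and the firewall rule names and the hosts-file sinkhole entry are choices made here, not anything the advisory prescribes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): per-host Bad Rabbit precautions.
# Assumes Windows 8 / Server 2012+ and an elevated session.
# Indicators below are the ones the advisory lists; rule names are arbitrary.

$c2Ip   = '188.8.131.52'
$c2Host = '1dnscontrol.com'
$vaccineFiles = @("$env:windir\infpub.dat", "$env:windir\cscc.dat")

# 1. "Vaccine" files: create them, then strip inheritance so no ACE grants
#    write access. This relies on the malware failing when the files already
#    exist and cannot be written; a process that takes ownership can still
#    change the DACL, so this is a mitigation, not a guarantee.
foreach ($file in $vaccineFiles) {
    if (-not (Test-Path -LiteralPath $file)) {
        New-Item -ItemType File -Path $file -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $file -Name IsReadOnly -Value $true
    # /inheritance:r drops every inherited ACE and leaves no explicit ones.
    & icacls.exe $file /inheritance:r | Out-Null
}

# 2. Block the infection servers at the host firewall. The IP gets an
#    outbound block rule; the hostname is sinkholed via the hosts file
#    (assumption: no existing entry for it on this host).
if (-not (Get-NetFirewallRule -DisplayName 'BadRabbit - block C2 IP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'BadRabbit - block C2 IP' -Direction Outbound `
        -RemoteAddress $c2Ip -Action Block -Profile Any | Out-Null
}
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$hostPattern = "\b$([regex]::Escape($c2Host))\b"
if (-not (Select-String -LiteralPath $hostsPath -Pattern $hostPattern -Quiet)) {
    Add-Content -LiteralPath $hostsPath -Value "0.0.0.0 $c2Host"
}

# 3. End-user workstations do not need to serve SMB to each other:
#    block inbound SMB (445) and NetBIOS session (139) on domain/private profiles.
if (-not (Get-NetFirewallRule -DisplayName 'BadRabbit - block inbound SMB' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'BadRabbit - block inbound SMB' -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block -Profile Domain,Private | Out-Null
}

# Verification: one row per check, Ok = $true when the step is in place.
function Test-BadRabbitHardening {
    $results = @()
    foreach ($file in $vaccineFiles) {
        $present = Test-Path -LiteralPath $file
        $locked  = $false
        if ($present) {
            $acl    = Get-Acl -LiteralPath $file
            $locked = $acl.AreAccessRulesProtected -and ($acl.Access.Count -eq 0)
        }
        $results += [pscustomobject]@{ Check = "vaccine file $file"; Ok = ($present -and $locked) }
    }
    $results += [pscustomobject]@{
        Check = "firewall block for $c2Ip"
        Ok    = [bool](Get-NetFirewallRule -DisplayName 'BadRabbit - block C2 IP' -ErrorAction SilentlyContinue)
    }
    $results += [pscustomobject]@{
        Check = "hosts sinkhole for $c2Host"
        Ok    = [bool](Select-String -LiteralPath $hostsPath -Pattern $hostPattern -Quiet)
    }
    $results += [pscustomobject]@{
        Check = 'inbound SMB blocked'
        Ok    = [bool](Get-NetFirewallRule -DisplayName 'BadRabbit - block inbound SMB' -ErrorAction SilentlyContinue)
    }
    $results
}

Test-BadRabbitHardening | Format-Table -AutoSize
```

Run it once per host; every step is idempotent, so re-running after a reboot or an imaging pass is safe. In a domain, the same three steps (file creation with a restricted DACL, the outbound block, and the inbound SMB block) are better pushed through Group Policy preferences and Windows Firewall policy than by touching each machine, and the inbound SMB rule should be applied only to workstations, not to file servers or domain controllers.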