Starting on Tuesday, October 24th, reports of a new strand of ransomware dubbed Bad Rabbit, began appearing in Russia and Ukraine. The virus is a wide-reaching and fast-spreading malware infection that initially targeted media and government institutions in Europe.
The virus targeted institutional giants in Ukraine including a local airport, the Ministry of Infrastructure and Kiev’s public transportation system. Russia experienced similar hits to critical agencies including Interfax, a local news service that recently issued a statement to announce they had been hacked and were working to restore their network. Initial reports about the Bad Rabbit virus note that the virus is specifically attacking media outlets, and an additional Russian newsgroup, Fontanka.ru, was also affected.
“Our researchers have detected a number of compromised websites – all news or media sites,” said Russian security company Kaspersky in a recent blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the Not Petya and ExPetr attack. However, we cannot confirm officially that it is related to ExPetr.”
Regardless of its origins, experts agree that Bad Rabbit now joins NotPetya and WannaCry as another of 2017’s major ransomware-style malware epidemics.
Touching Down in the US: Bad Rabbit Spreads to North America and Has US Department of Homeland Security Taking Notice
Early Wednesday morning, leading anti-virus security company, Avast, reported that the Bad Rabbit virus had made its way to the US. Though specific breach details are difficult to come by, the US Department of Homeland Security (DHS) issued a warning about Bad Rabbit yesterday stating:
“US-CERT has received multiple reports of Bad Rabbit ransomware infections in many countries around the world. This suspected variant of Petya ransomware is malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”
DHS urged individuals and businesses to take notice and be vigilant in the face of this latest malware attack. To combat the threat, DHS is urging IT professionals to review US-CERT Alerts TA16-181A and TA17-132A, each of which describes recent ransomware events.
While cybercriminals can often be hard to track and prosecute, DHS is urging professionals to recognize the importance of making explicit reports in the case of an attack. The organization asked any potential victims of Bad Rabbit to report ransomware incidents to the Internet Crime Complaint Center (IC3) immediately.
So, How Does It Work? Understanding How Bad Rabbit Takes Business Networks Hostage
Bad Rabbit relies on fooling potential victims and having them play an active role in the infection. The initial virus installer masquerades as an Adobe Flash update. Interestingly, this malware contains a list of hardcoded Windows credentials, most likely to allow brute force entry into devices, on the network, according to SonicWall Capture Labs Threat researchers.
While the virus might sound like a goofy cartoon character, the impacts of this ransomware variant are no laughing matter. The Bad Rabbit virus works swiftly to encrypt the contents of a computer and asks for a payment of 0.05 bitcoins, or about $280 (£213), according to recent reports. Even worse? The domain then flashes a countdown on the screen, giving victims limited time to pay-up before the ransom price increases.
However, as a rule of thumb, anyone infected is discouraged from paying the ransom. For one, there is absolutely no guarantee that the payment will restore data access. Secondly, much like the refusal to negotiate with terrorists, refusing to pay the ransom discourages criminals from using similar attacks in the future. If victims don’t pay, cybercriminals will realize their attempts at robbery won’t pay off.
Are SonicWall Users Safe? SonicWall’s Swift Response to Bad Rabbit
SonicWall users rejoice! Yes, SonicWall Capture Labs has released signatures to protect users against Bad Rabbit malware. These protections are available for anyone with an active SonicWall Gateway Security subscription (GAV/IPS). In addition, SonicWall’s Capture Advanced Threat Protection (ATP) sandboxing service is designed to provide real-time protection against new strains of malware even before signatures are available on the firewall.
While SonicWall has protections in place, users should actively ensure their networks are set up correctly to prevent infection. First and foremost, SonicWall customers should immediately ensure they have the Capture Advanced Threat Protection sandbox service turned on with their next-generation firewalls.
Additionally, SonicWall users should ensure that the Block Until Verdict feature is activated. For Bad Rabbit protection, there is no need to update the signatures on SonicWall firewalls, as they are automatically propagated to the worldwide installation base upon deployment.
Stopping the Bad Rabbit: Ensuring SonicWall Features are Set Up to Protect
To confirm that SonicWall Capture ATP is enabled login to the firewall and navigate the following steps:
- For SonicOS 6.2 and earlier click Capture ATP | Settings. Ensure that “Block file download until a verdict is returned” is enabled.
- For SonicOS 6.5 and later click Manage | Security Services | Capture ATP. Ensure that “Block file download until a verdict is returned” is enabled.
To confirm your Gateway Anti-Virus has the latest signatures navigate to:
- For SonicOS 6.2 and earlier click Security Services | Gateway Anti-Virus. Use the search box and type “”
- For SonicOS 6.5 and later click Manage | Security Services | Gateway Anti-virus. In the lookup search string box type “BadRabbit.“
In addition to these specific and technical protections, SonicWall has released a list of general recommendations for everybody, regardless of their security vendor, including:
- Ensure all OS patches are applied
- Use a reliable and up-to-date anti-virus solution to protect end-points
- Ensure firewall and endpoint firmware are current and reliable
- To proactively identify and mitigate new threats, install network sandboxing
- To stop pre-existing threats, deploy a next-generation firewall with a gateway security subscription
Don’t Let Cybercriminals Dupe You, Your Clients or Colleagues: Banding Together to Keep Bad Rabbit from Spreading
As news around Bad Rabbit continues to develop, US business professionals should be on high alert – working deliberately to monitor and protect their business networks and implement security measures like those outlined above. Be wary of Adobe Flash download prompts. Talk to other business professionals to spread the word.
If you’re worried you’ve been affected or could be affected, reach out to a local cybersecurity expert for guidance and consultation. When professionals band together proactively, cybercriminals can and will be stopped in their tracks. Until then, stay alert, stay vigilant and stay tuned for more SonicWall updates.
Author: Aaron White, Date: 26th October 2017