UPDATED 21:43 EST / OCTOBER 25 2017

Bad Rabbit ransomware: Here’s what enterprises need to know

More details are becoming available about a new form of malware dubbed “Bad Rabbit” that was first reported Tuesday.

The malware, said to be rapidly spreading through corporate networks in Russia, Germany, Ukraine and Turkey, is similar to the Petya family of ransomware in that it compromises targeted computers, encrypts data on them and then demands a payment of 0.05 bitcoin ($287) for the victim to receive a decryption key.

Chester Wisniewski, principal research scientist at Sophos Group plc, told SiliconANGLE that “it was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims.”

Explaining how users are targeted, Wisniewski said that it appears this latest variation is being distributed via a fake Adobe Flash Player installer file. Enterprise users in particular should be concerned, he said.

“What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organization as a worm and not just through email attachments or vulnerable web plugins,” he said. “It is rumored to contain the same password stealing and spreading mechanism as NotPetya, allowing it to traverse an enterprise and cripple it in no time.”

Jakub Kroustek, malware analyst at Avast Software s.r.o., agreed that it is related to previous forms of malware, saying that “we’re classifying Bad Rabbit as malware, with code resembling NotPetya.” Still, despite reports suggesting the malware is rapidly spreading, Kroustek said the incidence of known samples is quite low compared with the other common strains of malware.

Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs, explained how new forms of malware and ransomware manage to spread: “New ransomware attacks like this utilize the window of time between when the new malware is first discovered and when a new virus signature or patch can be created and deployed by the many antimalware vendors.”

He added that it appears as an unknown file at the endpoint, tricking machine learning-based tools, so it’s allowed to enter and infect the system. “I strongly encourage chief information security officers to reevaluate their ‘default allow’ security posture and to evaluate next-generation auto-containment and other isolation technologies which protect against new threats like Bad Rabbit,” he said.

For those concerned about Bad Rabbit infections, security experts sang a similar tune about the need for enterprise users to better secure their networks. “The danger in new ransomware variants is the potential for spread to vulnerable devices,” Bitglass Inc. Chief Executive Officer Rich Campagna told SiliconANGLE. “Where endpoints are not yet updated to detect these zero-day attacks, cloud app threat protection can serve as an organization’s first line of defense. As ransomware evolves and becomes more potent, the ability to identify malware in the cloud based on the characteristics of a file as opposed to hash or signature-based scans can prove critical.”

Manoj Asnani, vice president of product and design at Balbix Inc., added that for organizations to defend against attacks such as Bad Rabbit, they need to have “instant visibility” into which of their assets are susceptible to the attack. To do that, he said, “security teams must have automated systems in place that can continuously monitor these types of attack vectors and provide vital information instantly when needed. Organizations without automation in place are at a huge defensive disadvantage against fast-spreading malware like this.”

For those interested in the technical aspects of how Bad Rabbit works, RiskIQ Inc. has a good rundown here.
