The latest ransomware threat to the corporate world is called “Bad Rabbit”. It can have considerable and damaging effects, but protecting your organization is fairly straightforward.
The number of ransomware attacks continues to grow, and these in turn continue to affect businesses and individuals.
In this NNIT Security Insights article, we take a look at the latest such version, called Bad Rabbit, and provide some tips as to what protection steps businesses can take.
Ransomware is a type of malicious software that threatens to publish data or permanently block access to it unless a ransom is paid. We wrote about this in an earlier article entitled Ransomware 101.
Whilst Ransomware was originally mainly an issue for individuals and their home PCs, attacks are focusing more and more on organizations, and this is resulting in large parts of their IT systems being taken offline.
Examples from this year include the WannaCry variant, that occurred in May 2017, and the NotPetya variant, that occurred in June 2017. Both of these variants used an exploit known as EternalBlue in order to propagate across a network’s PCs and servers, and both affected the business operations of a number of major organizations.
Bad Rabbit was first seen in October 2017, and this ransomware variant encrypts a user’s computer or server file tables, which causes the device to stop working. It is believed that the variant was distributed through a bogus multimedia software update, with affected users becoming victims whilst they browsed malware-infected websites.
The Ransomware poses a threat because it is widespread, and because it has the ability to spread over the network when a device has been infected. In addition, if the malware gets into a network, it can cause severe damage within a short amount of time. After it has infected the initial machine in a network, the malware scans the internal network for open SMB shares with a specific name. The threat relies on a post-exploitation tool to harvest credentials, but it also includes a hardcoded list of usernames and passwords. It does not utilize the EternalBlue exploit used in WannaCry and NotPetya, requires user interaction, and in general does not seem as widespread as NotPetya or Wannacry.
Whilst the effects of Bad Rabbit can be pretty bad due to the previously mentioned encrypted PC and server file tables, the prevention systems typically deployed in an organization are now largely able to detect the malware before a successful attack can occur. Similarly, the websites used for distribution of the variant have largely been updated, reducing the likelihood of infections.
Here are a few tips on how to improve protection against ransomware:
• Remove local administrator access rights from PCs and servers, to prevent users from inadvertently installing the malware.• Update antivirus solutions with the latest signature aimed at protecting against this version of the ransomware. If you have this service provided through NNIT, this has already been done.• Inform employees about the situation and advise them to use caution if visiting websites that prompt them to install Flashplayer• Raise security awareness across the organization regarding online security• Implement access control on network drives to reduce the likelihood of a single infected user PC causing widespread disruption across the business’s network drives• Implement standard system patching processes to ensure that all systems, software, PCs and servers are patched for known vulnerabilities.
It is difficult to avoid getting hit by any kind of malware at some point, and therefore effective incident response is crucial to ensure fast reaction by the organization in the event of an outbreak. In order to minimize the impact to the business following such an event, include the following mitigating actions:
• Develop a specific security incident response process for ransomware incidents to ensure a step-by-step response is in place to quickly respond to and resolve incidents• Review business continuity processes to ensure prompt recovery and / or alternative working arrangements during recovery• Review, update and test system backup and restore processes to ensure that backup files can be promptly restored in the event of an outbreak, minimizing the impact to the business´
John Clayton is an IT Management Consultant and Cybersecurity Specialist with more than 20 years’ experience in IT and Management Consulting, and with roles bridging Business and IT.
NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.
NNIT’s Cyber Defense Center has the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage.
You are welcome to contact us at firstname.lastname@example.org if you want to know more about how NNIT can help your business increase its security level.