A wave of Bad Rabbit ransomware attacks has been taking place across Europe since Tuesday, 24 October. The ransomware appeared first in Russia, but has since spread to Turkey, Germany and Ukraine. Initial attacks were carried out on the Ukraine Ministry of Infrastructure and the Kiev Public Transport System. The attack is targeted at corporate networks, with a notable focus on media outlets; Russian media outlets such as Interfax and Fontanka.ru were hit by the ransomware.
Computers infected with the malware direct users to a Tor (The Onion Router) domain where they are asked to pay 0.05 bitcoin (around €240) in exchange for the return of their data. A countdown is started that will raise the ransom price if payment is not made in time. It has not yet been confirmed whether Bad Rabbit actually collects the ransom and decrypts the data.
Pat Moran, PwC Cyber Leader, said: "Bad Rabbit, which remains undetected by the majority of anti-virus programs, is similar to the Petya attack carried out earlier this year. However, unlike Petya, Bad Rabbit is not a wiper. It is a drive-by attack which requires the victim to download a fake Adobe Flash installer from an infected website and manually launch the .exe file. To operate correctly, it needs elevated administrative privileges which it attempts to obtain using the standard User Account Control (UAC) to prompt a user for administrator credentials. It is not yet known whether it is possible to get back files that have been encrypted by Bad Rabbit."
Leonard McAuliffe, Director, PwC Cyber Practice, said: "Ransomware is an increasingly prevalent threat, with a rising number of variants designed to target corporate networks. In spite of this scourge, there are many pragmatic steps which organisations can take to reduce the likelihood of incidents, limit their impact when one does occur, and to recover swiftly and effectively."
These span several aspects of IT operations and security and primarily relate to:
- Preventing ransomware from entering your IT environment through the most common delivery vector, phishing, by enforcing strong controls at your email gateways and network perimeters, and developing vigilant employees through robust awareness campaigns. With regard to Bad Rabbit specifically, you should always ensure that end-user accounts do not have the administrator privileges needed to install software downloaded from websites. You should also ensure that malicious websites, and websites that may have been compromised to host malware, are blocked to reduce risk exposure.
- Ensuring that individual user systems and key servers can be restored rapidly from backups, and that the frequency of backups aligns with the amount of data your organisation is prepared to lose in the event of any system being rendered unusable.
- Ensuring that formal incident procedures exist, and that employees and those responsible for managing high-priority incidents are well versed in them, to streamline the organisation's response to ransomware events and its ability to restore service to employees and customers; and,
- Maintaining a robust vulnerability management programme: the vulnerabilities exploited in this attack have already been addressed via Microsoft 'critical' patches released in March, as well as this week, and keeping patching current will help reduce the likelihood of exploitation.
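The controls above that bear most directly on Bad Rabbit (no local administrator rights for end users, UAC configured so a standard user cannot simply approve an elevation, and the relevant Microsoft patches installed) can be checked on a single Windows host with a short audit. The following is an added example written for this page; it is not PwC's or Microsoft's code. It assumes Windows 10 or Server 2016 with PowerShell 5.1 (for Get-LocalGroupMember), an elevated prompt, and two placeholders you must replace: the $ExpectedAdmins allow-list and the KB identifier, which is deliberately a dummy value because the release does not name the specific patch.

```powershell
# Added example (not from the original release): audit the Bad Rabbit-relevant
# controls on one Windows host. Assumes Windows 10 / Server 2016, PowerShell 5.1,
# run from an elevated prompt.

function Get-LocalAdminAudit {
    # Lists members of the local Administrators group and flags any member that is
    # not on the allow-list. $ExpectedAdmins is an assumed placeholder list.
    param([string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins'))

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Strip the "MACHINE\" or "DOMAIN\" prefix for the allow-list comparison.
        $short = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Member      = $_.Name
            ObjectClass = $_.ObjectClass
            Unexpected  = ($ExpectedAdmins -notcontains $short)
        }
    }
}

function Get-UacAudit {
    # UAC policy values live under this documented key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    [pscustomobject]@{
        EnableLUA                 = $p.EnableLUA                  # 1 = UAC enabled
        ConsentPromptBehaviorUser = $p.ConsentPromptBehaviorUser  # 0 = auto-deny elevation for standard users
        PromptOnSecureDesktop     = $p.PromptOnSecureDesktop      # 1 = prompts shown on the secure desktop
        # "Pass" means a standard user cannot be walked through a credential prompt
        # by a fake installer: UAC is on and elevation requests are denied outright.
        Pass = ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorUser -eq 0)
    }
}

function Test-PatchInstalled {
    # KB0000000 is a placeholder; substitute the Microsoft update your vulnerability
    # management team maps to this threat.
    param([string]$KB = 'KB0000000')

    $hf = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KB          = $KB
        Installed   = [bool]$hf
        InstalledOn = $hf.InstalledOn
    }
}

# Run all three checks and print the results.
Get-LocalAdminAudit | Format-Table -AutoSize
Get-UacAudit
Test-PatchInstalled -KB 'KB0000000'
```

Any row with Unexpected = True, a UAC result with Pass = False, or Installed = False for the patch you care about is a finding to raise with the owning team; across a fleet, the same three functions can be run through your existing remote-management tooling and the objects exported for triage.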
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
©2017 PwC. All rights reserved