BadRabbit: Is Three the Magic Number, or is this The New Normal?
Did you know that the damages from Ransomware are expected to be more than $5 billion by the year 2020? This is not just the cost of paying the ransom itself, but also the price of destruction and loss of data, the downtime involved getting systems back online, and the disruption to the business which happens in the case of an attack. There are costs associated with employee training, as well as harm to the company reputation.
You might think that this is a far-off threat, but a company is hit by ransomware every 40 seconds, and the number of threats tripled last year alone. What used to be someone else's backyard is now firmly knocking at our own front doors.
What’s the Latest Threat?
This last year has seen two large-scale ransomware attacks, WannaCry and Petya, and now the media has lit up with news of a third: BadRabbit. The three have plenty in common; in fact, BadRabbit and Petya share 67% of the same code, and the ransom note for BadRabbit looks frighteningly similar to Petya's as well. Days after the attack first spread, experts at Cisco released information that BadRabbit, like Petya, used the leaked NSA EternalRomance exploit to spread across networks, albeit in a modified form compared with Petya's.
But the real talking point is that all three can spread across a network with next to no user interaction. All it takes is one infected device, and the malware takes on a life of its own: propagating across the network, scanning for open SMB shares, and harvesting credentials.
In the case of BadRabbit, the malware started spreading across Europe on Tuesday, October 24, 2017. In what is known as a "drive-by download", users visiting legitimate websites that had, unknown to them, been compromised were prompted to update their Flash player. As soon as they did, the malware was loaded onto their computers and their files were encrypted and rendered unusable. More than 200 victims have reported the malware and are being asked for 0.05 bitcoin (around $290) to release their files. As always, it is unlikely that paying the ransom will help, although this does not appear to be "wiper" malware, which destroys files regardless of payment.
Targets so far seem to be specific corporate victims, currently concentrated in Russia, Ukraine, Bulgaria and Turkey. Notable victims include the Russian media giant Interfax, as well as Odessa International Airport and the Kiev Metro system.
A Shocking New Normal
These three attacks, so close to one another, may reveal a frightening "new normal" for businesses and individuals alike. The way these viruses propagate across a network means that no one is safe, even if you are cautious with your own internet activity. Being cautious online only helps so far when we are all linked together by network connections.
And the threat is only increasing. Most experts attribute the speed of ransomware's growth to RaaS (Ransomware as a Service), which effectively makes cybercrime available to anyone. Some criminals are in it purely for the money, literally selling their wares to the highest bidders. Many pieces of malware are open source or free to download, with the author taking a cut of the ransom received whenever the malware is deployed.
Other factors contributing to the popularity of ransomware include the untraceability of bitcoin as a form of payment, as well as anonymity tools such as Tor (The Onion Router), used by both Petya and BadRabbit. They make it much less likely that anyone will get caught, giving anyone with malicious intent and a piece of harmful code an unprecedented amount of confidence.
What Can Be Done?
The problem with most antivirus solutions is that they can only protect against threats that are already known and can be recognized. Take BadRabbit: it took days before experts at Cisco and Kaspersky even recognized that the authors were using the EternalRomance exploit, because it had been modified slightly. Any old threat can come in a new disguise.
Obviously, education is important. Firstly, make sure that all critical security updates are installed on your devices. Employees should understand that downloads should only come from the original source, and they need to be especially careful about email links or pop-ups, even on a reputable website they use often.
In terms of antivirus protection, businesses should look for a solution that scans incoming and outgoing traffic in real time, blocking anything suspicious before it has a chance to do harm. A solution with Application Privilege Control can help you block access to files associated with this kind of attack, such as perfc.dat, which was linked to these attacks. A network-based security solution is your best bet here, and if you need protection for mobile employees (which is probably the case), look for local endpoint security on top of the network-based first line of defence.
Antivirus must-haves in 2017 have moved from reactive to pre-emptive. The exponential rise of RaaS and the intricacies of network connectivity around the globe mean that we don't know what's around the corner in terms of ransomware. Bottom line? We need to ensure that our security solutions are ready for anything.
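As an added example that is not part of the original post (and not any vendor's product code), the following Python script sketches two of the checks described above: flagging a host that fans out SMB (TCP port 445) connections to many different peers in a short window, which is the share-scanning propagation pattern described under "What's the Latest Threat?", and flagging any endpoint file event for perfc.dat, the file named in this section. The log line formats, hostnames, IP addresses, timestamps and thresholds are all constructed assumptions for the example; real telemetry would be mapped into the same shape.

```python
"""Added example: two simple detections for behaviours the article describes.
The log formats and every sample record below are constructed for this
example, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network flow records: "<ISO-8601 UTC> <src_ip> <dst_ip> <dst_port>"
FLOW_LINES = [
    "2017-10-24T10:00:01Z 10.0.0.5 10.0.0.10 445",
    "2017-10-24T10:00:03Z 10.0.0.5 10.0.0.11 445",
    "2017-10-24T10:00:05Z 10.0.0.5 10.0.0.12 445",
    "2017-10-24T10:00:08Z 10.0.0.5 10.0.0.13 445",
    "2017-10-24T10:00:12Z 10.0.0.5 10.0.0.14 445",
    "2017-10-24T10:00:15Z 10.0.0.5 10.0.0.15 445",
    "2017-10-24T10:00:20Z 10.0.0.5 10.0.0.16 445",
    "2017-10-24T10:00:02Z 10.0.0.7 10.0.0.20 445",  # workstation using its usual file server
    "2017-10-24T10:00:30Z 10.0.0.7 10.0.0.20 445",
    "2017-10-24T10:01:10Z 10.0.0.7 10.0.0.21 445",
    "2017-10-24T10:00:04Z 10.0.0.8 10.0.0.30 443",  # HTTPS, not SMB: ignored
    "2017-10-24T10:00:06Z 10.0.0.8 10.0.0.31 443",
]

# Constructed endpoint file events: "<ISO-8601 UTC> <host> <op> <path>"
FILE_LINES = [
    r"2017-10-24T10:05:00Z WS-12 create C:\Windows\perfc.dat",
    r"2017-10-24T10:05:02Z WS-13 create C:\Users\bob\report.docx",
    r"2017-10-24T10:06:10Z WS-14 read C:\Windows\PERFC.DAT",
]

SMB_PORT = 445


def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def detect_smb_fanout(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak_distinct_peers} for every source that reached
    `threshold` distinct SMB destinations inside any `window`-long interval.
    A worm scanning for shares fans out to many peers quickly; a workstation
    talking to its usual one or two file servers does not."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()  # chronological order so the window scan below is simple
        peak = 0
        for i, (ts_i, _) in enumerate(events):
            # distinct peers contacted in the window ending at this event
            peers = {dst for ts_j, dst in events[: i + 1] if ts_i - ts_j <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def detect_flagged_files(lines, names=("perfc.dat",)):
    """Return [(host, path)] for file events whose basename matches one of
    `names`, compared case-insensitively. Any operation counts, so a read of
    an existing copy is reported as well as its creation."""
    wanted = {n.lower() for n in names}
    hits = []
    for line in lines:
        _, host, _, path = line.split(maxsplit=3)
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() in wanted:
            hits.append((host, path))
    return hits


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(FLOW_LINES).items():
        print(f"SMB fan-out: {src} reached {peers} distinct hosts on 445 within 60s")
    for host, path in detect_flagged_files(FILE_LINES):
        print(f"flagged file: {host} {path}")
```

On the constructed data, only 10.0.0.5 is reported for fan-out (seven distinct SMB peers in under a minute), while 10.0.0.7 stays below the threshold because its third connection falls outside the window; the two perfc.dat events are reported regardless of letter case. The threshold and window are the tuning knobs: set them from what normal SMB traffic looks like on your own network before relying on the alert.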