October 25, 2017

Threat Advisory: Bad Rabbit Ransomware Update

This is an update to Herjavec Group’s initial Bad Rabbit Ransomware threat advisory.

Additional Bad Rabbit Information


Initial analysis from various AV vendors shows that the Bad Rabbit malware is a variant of the NotPetya sample.

It is not known yet if there is actual code re-use or if the tactics and strings were simply copied from analyzed versions of NotPetya.

The malware has the ability to clear Windows event logs by using the Windows wevtutil command.

One major difference seen in this malware, when being compared to NotPetya, is that the core Petya code is no longer present. Instead, the sample will drop the encryption system driver from the known legitimate DiskCryptor application. This sample will drop the encryption driver onto the local system as cscc.dat and then leverage it to perform disk encryption. The final payment screen is shown over TOR.
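A triage sketch for the two host behaviours described above, clearing event logs with wevtutil and writing cscc.dat to disk. It is an added example, not Herjavec Group's or any vendor's signature; the event schema, host names and sample events are constructed assumptions, and a cscc.dat match alone can also come from a legitimate DiskCryptor install.

```python
import re

# wevtutil clears a log with the "cl" subcommand (long form "clear-log").
WEVTUTIL_CLEAR = re.compile(r'\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\b', re.I)
DROPPED_DRIVER = "cscc.dat"  # file name given in the advisory

# Constructed sample events in an assumed, normalised schema (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process_create",
     "command_line": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"host": "ws-01", "type": "file_create", "path": r"C:\ExampleDir\cscc.dat"},
    {"host": "ws-02", "type": "process_create",
     "command_line": "wevtutil qe Security /c:5"},  # query only, benign
    {"host": "ws-02", "type": "file_create", "path": r"C:\ExampleDir\notcscc.dat"},
    {"host": "ws-03", "type": "process_create",
     "command_line": "cmd.exe /c WEVTUTIL clear-log Application"},
]

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()

def triage(events):
    """Return (host, finding) pairs for the two behaviours in the advisory."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and WEVTUTIL_CLEAR.search(ev.get("command_line", "")):
            findings.append((ev["host"], "log_clear"))
        elif ev["type"] == "file_create" and basename(ev.get("path", "")) == DROPPED_DRIVER:
            findings.append((ev["host"], "driver_drop"))
    return findings

def priority_hosts(findings):
    """Hosts showing both behaviours; one alone is weaker evidence."""
    seen = {}
    for host, kind in findings:
        seen.setdefault(host, set()).add(kind)
    return sorted(h for h, kinds in seen.items() if kinds == {"log_clear", "driver_drop"})

if __name__ == "__main__":
    for host, kind in triage(SAMPLE_EVENTS):
        print(host, kind)
    print("prioritise:", priority_hosts(triage(SAMPLE_EVENTS)))
```

Because the malware clears local event logs, this kind of check is only useful against process and file telemetry that has already been forwarded off the host.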

McAfee, Symantec, and Carbon Black all have released updated signatures for this ransomware. 

Herjavec Group is proactively monitoring all systems to ensure our client environments are up to date with the latest releases.

Proactive Mitigations and Recommendations


Herjavec Group’s Technical Account Managers have been working with Managed Security Services customers to apply additional signatures related to the Bad Rabbit Ransomware for clients with endpoint solutions.

We will seek client approval to deploy signature types and open tickets as required.

Herjavec Group follows best practices in blocking all types of malware from executing (Known, Suspect, and PUP). Additional rules to prevent unknown application types from reading process memory, or unknown applications from launching a command interpreter, will help contain threats capable of spreading via credential theft and lateral movement.

Possible mitigations include not only patching the known exploit (as referenced in MS17-010), but also using Group Policy to disable local admin shares on systems.

Herjavec Group will continue to monitor activity around the Bad Rabbit Ransomware and publish revised releases accordingly. 

Connect with Us

If this advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.


About Herjavec Group

Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services supported by state-of-the-art, PCI compliant, Security Operations Centers, operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across the United States, the United Kingdom, and Canada. For more information, visit www.herjavecgroup.com.
