Updated 10/25/17 at 09:51am
Ransomware Alert: BadRabbit is the New NotPetya
A new ransomware attack from the actors behind ExPetr/NotPetya has jumped into the spotlight. The outbreak began in Russia, infecting big Russian media outlets, but it has already spread. Several US and UK firms, with corporate entities in the Ukraine and Russia, have already been infected. An increase of US infections is expected. BadRabbit is currently running wild over Europe, thanks to its close ties to the source region.
The US computer emergency readiness team has released a statement and “discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored.”
Several security agencies are reporting that a false Adobe Flash Update is the infection method. Without utilizing exploits, the ‘drive-by’ attack tricks the victim into downloading the fake installer from a convincing website. The victim, assuming it is a legitimate Flash update, then manually launches the .exe file. From there, BadRabbit has a hold of the device and can spread to more devices on the connected network.
There are several recommended steps for stopping the spread of this new ransomware. The first step is to disable WMI Service to prevent the hopping of ransomware throughout your connected networks. It may be inconvenient, but especially if you have offices in the Ukraine or Russia, disabling that connection could be the key to preventing your entire company from being infected.
There is also now a ‘vaccine’ for BadRabbit. The security researcher Amit Serper posted his findings on Twitter.
The tweet reads: “I can confirm – Vaccination for #badrabbit: Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated.“
With a software distribution solution, like Syxsense, you can easily deploy this file to every device you manage. Utilizing the simple deployment wizard, you can have a task running in seconds to protect your environment.
Another important step to protect yourself from ransomware is to have a rigorous patching strategy in place. Syxsense ensures the security of your content. We have both Microsoft updates and the industry’s leading library of third-party updates.
We obtain all our content directly from their source and don’t change the code. The update you deploy through our patch manager is the same one you would get directly from the vendor. The difference is we put logic around the update to ensure an accurate deployment.
Ransomware attacks have picked up in the last few months, and will only get more bold and pervasive. Protect your company and environments by implementing Syxsense.
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.