The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about a campaign called Bad Rabbit, which seems to be a variant of the Petya ransomware.
“US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored,” US-CERT stated in an alert. “Using unpatched and unsupported software may increase the risk of proliferation of cyber security threats, such as ransomware.”
Ukraine and Russia appears to be leading target. The affected entities includes Russian media groups Interfax and Fontanka, the Kiev Metro, Odessa International Airport and Ukraine’s Ministry of Infrastructure.
As per Sophos researchers, Bad Rabbit ransomware is distributed through media websites asking users to install fake Adobe Flash.
“Once it infects a computer, the ransomware attempts to move laterally using a list of hardcoded credentials, featuring predictable user names such as root, guest and administrator, and passwords straight out of a worst passwords list,” Sophos’ Bill Brenner wrote. “Another reminder, if one were needed, that all of your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.”
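From the defender's side, the lateral movement Sophos describes (a short list of predictable account names tried against neighbouring hosts) shows up as a burst of failed logons for several of those names from one source machine. The script below is an added illustration, not code from the article, Sophos, or any vendor quoted here: it parses constructed, simplified failed-logon lines (the format, the host names, and the extended name list beyond root, guest and administrator are all assumptions) and flags any source host that fails logons to three or more predictable accounts within a two-minute window.

```python
"""Flag hosts spraying predictable account names, as a hardcoded-credential
lateral-movement attempt would look in failed-logon telemetry.
Added example; log lines are constructed, not real captures."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Names quoted in the article (root, guest, administrator) plus two common
# aliases added as an assumption for the example.
PREDICTABLE_USERS = {"root", "guest", "administrator", "admin", "user"}

# Constructed, simplified event lines: timestamp, Windows event id
# (4625 = failed logon, 4624 = successful logon), account, source host.
SAMPLE_LOGS = [
    "2017-10-24T10:00:01 4625 account=administrator src=WS-07",
    "2017-10-24T10:00:03 4625 account=admin src=WS-07",
    "2017-10-24T10:00:05 4625 account=guest src=WS-07",
    "2017-10-24T10:00:06 4625 account=root src=WS-07",
    "2017-10-24T10:00:08 4624 account=backup src=WS-07",
    "2017-10-24T10:15:00 4625 account=jsmith src=WS-12",        # mistyped password, benign
    "2017-10-24T10:16:00 4625 account=administrator src=WS-12", # one-off, benign
    "2017-10-24T11:00:00 4625 account=guest src=WS-12",         # outside the window
]

LINE_RE = re.compile(r"^(\S+) (\d+) account=(\S+) src=(\S+)$")


def parse(line):
    """Return (timestamp, event_id, account, src) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, account, src = m.groups()
    return datetime.fromisoformat(ts), int(event_id), account.lower(), src


def find_spraying_hosts(lines, window=timedelta(minutes=2), min_accounts=3):
    """Map each flagged source host to the sorted list of predictable accounts
    it failed to log on to within one sliding window of `window` length."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, event_id, account, src = rec
        if event_id == 4625 and account in PREDICTABLE_USERS:
            failures[src].append((ts, account))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        # Slide the window start over each failure; stop at the first hit.
        for i, (start, _) in enumerate(events):
            tried = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(tried) >= min_accounts:
                flagged[src] = sorted(tried)
                break
    return flagged


if __name__ == "__main__":
    for src, accounts in find_spraying_hosts(SAMPLE_LOGS).items():
        print(f"{src}: failed logons to predictable accounts {accounts}")
```

On the sample data only WS-07 is flagged: it cycles through four of the listed names in a few seconds, while WS-12's two predictable-name failures are 44 minutes apart and its other failure is an ordinary user name. Tune `window` and `min_accounts` to the environment; the successful 4624 from the same host right after the burst is the kind of follow-on event worth correlating in a real pipeline.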
Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, noted that the ransomware uses the open-source tool Mimikatz to harvest credentials.
“This could simply be to widen its reach internally for the purpose of further encrypting the files of users with elevated privileges, it may be used to hide inside compromised networks, or the ransom itself could be a decoy from the attack’s real purpose,” Gumbs said. “What we can definitively say today is the only reason you would package Mimikatz with ransomware is for the purpose of further exploiting internal networks — not simply to ransom files.”
VASCO Data Security CISO Christian Vezina said it is important to keep in mind that Bad Rabbit uses social engineering tactics to spread. “By teaching your users not to simply click on any link that is presented to them, you may be able to limit your exposure,” he added.
David Zahn, general manager of the cybersecurity business unit at PAS, said it is a serious threat to important facilities. “The engineers who manage the industrial control systems that are at the heart of critical infrastructure — namely power generation, oil and gas, and more — are chiefly concerned with maintaining reliability and process safety,” he said. “Ransomware presents a particular risk to both as encrypted systems in a facility can mean loss of view into volatile processes or production disruptions.”