
BadRabbit: The Latest Ransomware Creation

The Internet is a powerful and sometimes scary tool that harbors education and mystery, while providing users anonymity for a price.  Yes, the Internet may appear as a place for positive recreation and relaxation; however it also contains many dangers, such as ransomware, that can easily destroy computer systems.

What is Ransomware and why does it exist?

Ransomware is malicious software that hijacks computer systems and demands that users pay a hefty ransom in order to retrieve their data.  Ransomware is commonly delivered through suspicious email attachments and links; when people click on them, the infection is downloaded onto their computers.  Ransomware first plagued computer users in 1989 in the form of the AIDS Trojan, a program that attacked personal computer systems.  Individuals who encountered this ransomware were forced to pay a ransom of $189 USD.  The plague has grown over the decades and continues to make strides with the latest ransomware installment, BadRabbit.

Fast forward

Almost 3 decades later, cybercrime has become a large and profitable enterprise. It’s arguably the easiest business to get into online today. The barriers to entry, in a business sense, are lower than ever before. A veritable treasure trove of tools and instructions is available to anyone with an internet connection. It’s no wonder that 16-year-olds can mount massive extortion campaigns from their parents’ basements. The statistics are also very discouraging. Extortion schemes tend to have a reasonable return on investment. Even a 0.1% hit rate is profitable, given how cheaply one can implement a campaign that targets millions of computers. The proliferation of cheap access to the internet, combined with free search and archival technology and expedited cycles of software releases, has created an environment where information is accessed through computing endpoints that run software that has not been thoroughly tested or secured. The fast-moving software market does not allow for slow and thorough security testing.

There are many ways in which to extort businesses and individuals. The latest fashion is to encrypt the victim’s hard drive, or somehow lock their computer and change their passwords, and then hold them to ransom. Payments are usually expected in the form of anonymous cryptocurrencies, which makes tracking the criminals a monumental task at best, if not impossible on average. Storing one’s assets in cloud-based services isn’t a safe bet either – the hijacking software can spy on your keystrokes and see which sites you log into, and then take over those accounts as well. Most of the time, you may not even know you have malware on your computer, as it may be waiting to be activated in a campaign, either against you or against someone else (effectively using you as a pawn in the extortion scheme).

Rabbits and funny names

Hackers and cyber criminals have a penchant for giving their wares weird and lethally funny names, such as “WannaCry” and “Blaster”. The latest one, BadRabbit, joins NotPetya and WannaCry in the malicious ransomware family.  Developed in early July 2017 and launched in October 2017, BadRabbit is the third latest form of ransomware distributed through a drive-by download method, in which victims click on a contaminated pop-up on a website, or download an infected attachment, and inadvertently download the ransomware onto their computer.  Once it has tricked a victim, BadRabbit seizes control of their computer system and demands that each downloader pay a ransom of 0.05 Bitcoin (nearly $275 USD) in order to regain access to their files.  Displaying attack tactics similar to those of the ransomware NotPetya, BadRabbit is currently infecting large corporate networks in Ukraine, Russia, and other Eastern European countries.

Unyielding presence, continuously growing

Ransomware developers are ruthless and relentless.  More importantly, they are not going away anytime soon.  The economics of ransomware justify the risk for most authors.  Akshay Kalle, CTO at Pathway Communications, contends that it is easy for anyone to make ransomware.  In fact, demand is so high that Ransomware as a Service (RaaS) websites have begun to gain momentum, allowing authors to sell their ransomware programs to cyber criminals for far less than developing a custom payload would cost.  This new, lower barrier to entry, along with the anonymous nature of the Internet, allows virtually anyone to create false identities and distribute hazardous files, create and launch campaigns, and obtain premium criminal services at competitive rates.  It is inevitable not only that more attacks will occur and more ransomware will be developed, but that the trend will accelerate.  Because of the simplicity and anonymity the Internet provides its users, the trend will also continue to grow and expand worldwide, creating a global cyber-pandemic and a tipping point in terms of how we manage information as a society.

Who’s going to stop the spread of Ransomware?

Internet service providers (ISPs) give you access to the Internet. However, the onus to prevent ransomware infections lies not with the service providers, but with the Internet – us.  Everyone from network administrators to office and home users must take the initiative to protect themselves against such malicious ransomware.  Kalle urges everyone to shift their mindset and adopt a proactive outlook toward Internet safety, one which assumes failure.  It’s really a combined matter of both prevention and responsiveness. Most firms and individuals focus only on the former, assuming that they will never be compromised. This thinking, Kalle contends, is where the shift needs to occur.  Response to inevitable breaches is crucial to both corporate and personal safety, as this will limit the actual value ransomware holds for its authors and distributors.  Imagine if a ransomware program like WannaCry circulated and infected millions of machines worldwide, but not a single penny was actually paid to the author. In that case, there would be no incentive to introduce another variant of the software.

Kalle encourages the use of analogical thinking to make his point. “It’s worthwhile noting that getting a driver’s license requires a series of tests, as well as insurance – it’s simply the law. However, there’s no law mandating the use of preventative or responsive measures (once an accident happens) for pretty much anything relating to the Internet.  There’s no equivalent of speed limits, driving rules, mandatory airbags or seatbelts, or fines and jail terms when it relates to whether one is protecting oneself online.”  There are laws outlining how one shouldn’t harm others, but enforcement is made difficult because identifying the offenders is a challenge.  “There may come a tipping point when the scale of economic damage is so large that governments will step in and mandate preventative and responsive measures. Until that point, it’s really up to us to take charge of our own best interests.  In other words, we have to drive defensively in cars that we know are safe, tested and certified, and always carry a safety kit.”

Education isn’t easy: there’s a barrage of sometimes-conflicting advice on what to do to protect oneself and corporations from harm. It’s very easy to become disappointed and discouraged by the overwhelming amount of advice and intimidating terminology out there. The good news is that dealing with these types of threats is possible with common sense and analogical thinking.

What steps should corporate networks take to protect themselves from ransomware?

Kalle recommends all corporations take the “detect & prevent” approach.

  1. Perimeter: Have the most updated firewall definitions and even upgrade to a Next Generation Firewall (NGF) to prevent a malicious payload from entering your network.
  2. LAN layer: Look for anomalies in network behavior. It’s important to detect data leakage as much as it’s important to detect malicious inbound traffic. Corporate leaks have crippled even publicly traded companies.
  3. Server & Endpoint Layer: DLP tools, antivirus and anti-malware, an automated patch policy, and encryption are all important for overall safe Internet use.
  4. Data Security Layer: Ensure you have a comprehensive backup policy and follow the 3-2-1 rule of data backups (3 copies of files, 2 local and 1 offsite).
  5. Follow a 3P approach: People, Processes and Parts. Don’t focus just on the parts and assume that the best gear will save you. The fanciest countermeasures can be defeated by poor compliance with corporate policies, not validating and actually testing policy locks and backups, and not training the end users.
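The 3-2-1 rule in point 4 and the warning in point 5 about not actually testing backups can be turned into a routine check. The following is an added example written for this article, not code from the original post or from Pathway Communications. It assumes a backup inventory of copies, each labelled with the physical medium it sits on and whether it is offsite (the `BackupCopy` record and the `run_demo` layout are constructed here for illustration), and it verifies that three copies exist, that two are on distinct local media, that one is offsite, and that every copy hashes to the same SHA-256 as the source, so a stale or silently corrupted copy is reported rather than discovered on the day a restore is needed.

```python
"""Added example: checking the 3-2-1 backup rule and verifying the copies.

Not code from the original article. The backup inventory format (BackupCopy)
and the sample files built in run_demo are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    path: str      # where the copy lives
    medium: str    # label of the physical medium, e.g. "disk0", "nas", "cloud"
    offsite: bool  # True if the medium is outside the primary site


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_321(source: str, copies: list[BackupCopy]) -> dict:
    """Return {'compliant': bool, 'issues': [...], 'source_sha256': str}.

    The three structural rules are checked first, then every copy is hashed and
    compared with the source; a copy that is missing or differs is an issue.
    """
    issues: list[str] = []
    if len(copies) < 3:
        issues.append(f"only {len(copies)} copies, need 3")
    local_media = {c.medium for c in copies if not c.offsite}
    if len(local_media) < 2:
        issues.append(f"local copies on {len(local_media)} media, need 2 distinct")
    if not any(c.offsite for c in copies):
        issues.append("no offsite copy")
    src_hash = sha256_file(source)
    for c in copies:
        if not os.path.exists(c.path):
            issues.append(f"missing: {c.path}")
        elif sha256_file(c.path) != src_hash:
            issues.append(f"corrupt or stale: {c.path}")
    return {"compliant": not issues, "issues": issues, "source_sha256": src_hash}


def run_demo(layout: list[tuple[str, bool]] | None = None,
             stale_offsite: bool = False) -> dict:
    """Build a constructed source file plus copies in a temp dir and check them.

    layout lists (medium, offsite) pairs; the default is a compliant 3-2-1 set.
    With stale_offsite=True the offsite copy is an older, truncated version,
    which only the hash comparison catches.
    """
    if layout is None:
        layout = [("disk0", False), ("nas", False), ("cloud", True)]
    tmp = tempfile.mkdtemp()
    data = b"quarterly ledger,2017-10\n" * 1000   # constructed sample content
    src = os.path.join(tmp, "ledger.csv")
    with open(src, "wb") as f:
        f.write(data)
    copies = []
    for i, (medium, offsite) in enumerate(layout):
        d = os.path.join(tmp, f"{medium}-{i}")
        os.makedirs(d, exist_ok=True)
        p = os.path.join(d, "ledger.csv")
        payload = data[:-1] if (offsite and stale_offsite) else data
        with open(p, "wb") as f:
            f.write(payload)
        copies.append(BackupCopy(p, medium, offsite))
    return check_321(src, copies)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(stale_offsite=True))
    print(run_demo(layout=[("disk0", False)] * 3))
```

The check tells you whether the copies exist and match; it cannot tell you whether a copy is writable from the machine that would be encrypted. A copy on a drive that stays mounted on the workstation will be encrypted along with the source, so the offsite (and ideally one local) copy should be one the endpoint cannot modify, and this check should run from the backup side rather than from the workstation.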

What can home users do to defend themselves from ransomware?

  1. Back up your data.
  2. Install the latest version of anti-virus software on your computer.
  3. Never pay requested ransoms.
  4. Do not open suspicious emails and attachments.
  5. Think like a corporation and follow similar guidelines.

Ransomware will never go away until it’s unprofitable, and newer, more devious variants will constantly put us all at risk.  The wind needs to be taken out of its sails. It is up to each of us to be our own advocate and protect ourselves from malware.  Stay up to date on the latest cyber trends and developments, and always make sure your computer system has the most updated security protection software.  You are worth the time and investment.  Educating yourself and taking these necessary steps will bring you one step closer to inoculating yourself against the likes of ransomware and defeating an entire criminal economy.