Yesterday, a ransomware outbreak called Bad Rabbit was unleashed that infected victims throughout Russia, Ukraine, Bulgaria, and Turkey. This ransomware functions in a similar way as NotPetya/Petya in the sense that it encrypts your files and then encrypts your file system, which leaves you with a ransom lock screen that is displayed before Windows starts.
With the new day, reports of new victims continue to surface including some of Russia's banks.
Though the USA and other western countries were not specifically targeted by this campaign, according to cybersecurity and antivirus vendor Avast, Bad Rabbit has now been detected in the USA.
#BadRabbit now detected in the U.S. We expect a growing number of detections in the hours ahead.— Avast Software (@avast_antivirus) October 24, 2017
Avast Threat Intel lead Jakub Kroustek told BleepingComputer that while the victims were much more prevalent in Russia, they did detect some in the U.S.A. According to Jakub, the breakdown:
|Country||Percentage of Victims|
It is important to remember that Bad Rabbit attempts to spread laterally through an organization's network via SMB. It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords.
Theoretically, if a U.S. organization had infected partners in the targeted regions and were on the same WAN with SMB access, Bad Rabbit could have spread laterally to the computers located in the USA.
While this outbreak has a much smaller scale compared to other ransomware outbreaks, system administrators should be prepared for it and other attacks like it. If you are concerned that Bad Rabbit may be coming your way, here are some suggestions that can help protect your servers and computers.
First, you can vaccinate a computer against Bad Rabbit, by performing the following steps. I am not sure who originally developed this method as I know many people reported on this information, but I personally saw it here & here.
The computer will now be vaccinated against Bad Rabbit.
Microsoft released a threat bulletin related to Bad Rabbit, which they call Ransom:Win32/Tibbar.A. In this article they state that Windows Defender can detect the ransomware using detections update 126.96.36.199 and higher. So make sure you install the latest Defender updates if you have not already.
They also discuss that since Bad Rabbit will clear the event logs and create various scheduled tasks under the names Drogon, Rhaegal, and Viserion, you can monitor the event logs for this type of activity. The events you want to monitor are:
System administrators can attach a scheduled task to these events that will run a specified command if the events are detected. This command could be to send an administrator an email or perform some other type of alert. If these events are detected, they could indicate that the computer has been scheduled for a shutdown and Microsoft suggests that it should be aborted using the shutdown -a command.
US-CERT has released a notice that simply states that they have received reports of the Bad Rabbit ransomware infecting victims in multiple countries. It does not, though, specifically state that any of those victims are in the U.S.A.