Yesterday, a ransomware outbreak called Bad Rabbit was unleashed that infected victims throughout Russia, Ukraine, Bulgaria, and Turkey. This ransomware functions in a similar way as NotPetya/Petya in the sense that it encrypts your files and then encrypts your file system, which leaves you with a ransom lock screen that is displayed before Windows starts.

With the new day, reports of new victims continue to surface including some of Russia's banks.

Though the USA and other western countries were not specifically targeted by this campaign, according to cybersecurity and antivirus vendor Avast, Bad Rabbit has now been detected in the USA.

Avast Threat Intel lead Jakub Kroustek told BleepingComputer that while the victims were much more prevalent in Russia, they did detect some in the U.S.A. According to Jakub, the breakdown is as follows:

Country     Percentage of Victims
Russia      71%
Ukraine     14%
Bulgaria     8%
Turkey       2%
U.S.A.       1%

How did Bad Rabbit make it to the United States?

It is important to remember that Bad Rabbit attempts to spread laterally through an organization's network via SMB. It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords.

Theoretically, if a U.S. organization had infected partners in the targeted regions and were on the same WAN with SMB access, Bad Rabbit could have spread laterally to the computers located in the USA.

So how can you prepare for Bad Rabbit?

While this outbreak has a much smaller scale compared to other ransomware outbreaks, system administrators should be prepared for it and other attacks like it. If you are concerned that Bad Rabbit may be coming your way, here are some suggestions that can help protect your servers and computers.

Vaccinate a Computer

First, you can vaccinate a computer against Bad Rabbit by performing the following steps. I am not sure who originally developed this method as I know many people reported on this information, but I personally saw it here.

  1. Create the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
  2. Go into each file's properties and remove all permissions from both files. When doing this, remove inheritance so the files do not inherit the permissions of the C:\Windows folder.

The computer will now be vaccinated against Bad Rabbit.
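The same two steps can be scripted so they are applied consistently across many hosts. This is an added example, not a script from the article or from the researchers who reported the method; it assumes an elevated PowerShell session on a host where the administrator is allowed to change ACLs under C:\Windows.

```powershell
# Added example (not from the article): vaccinate a host against Bad Rabbit by
# pre-creating the two file names the dropper writes and stripping every ACE,
# so the ransomware cannot overwrite them. Run from an elevated PowerShell prompt.
# Assumption: the caller is a local administrator with rights to modify ACLs in C:\Windows.
$paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($path in $paths) {
    # Step 1: create the placeholder file only if it does not already exist
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Step 2: break inheritance from C:\Windows and discard the inherited ACEs
    # ($true = protect from inheritance, $false = do not copy inherited rules)
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every remaining explicit ACE so no account has any permission on the file
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Verify: the DACL should now be empty (0 access rules left)
    $remaining = (Get-Acl -LiteralPath $path).Access.Count
    Write-Output ("{0}: {1} access rule(s) remaining" -f $path, $remaining)
}
```

The file owner keeps the implicit right to change the DACL, so the vaccine can be reverted later with Set-Acl; note that this only blocks the dropper from writing its payload on this host and does nothing to stop lateral movement over SMB to other machines.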

Monitor your Event Logs

Microsoft released a threat bulletin related to Bad Rabbit, which they call Ransom:Win32/Tibbar.A. In this article they state that Windows Defender can detect the ransomware using the detection update they reference and higher, so make sure you install the latest Defender updates if you have not already.

They also discuss that since Bad Rabbit will clear the event logs and create various scheduled tasks under the names Drogon, Rhaegal, and Viserion, you can monitor the event logs for this type of activity. The events you want to monitor are:

  • Event 1102, which indicates that the audit log has been cleared.
  • Event 106, which indicates that a scheduled task has been created.

System administrators can attach a scheduled task to these events that will run a specified command if the events are detected. This command could be to send an administrator an email or perform some other type of alert. If these events are detected, they could indicate that the computer has been scheduled for a shutdown and Microsoft suggests that it should be aborted using the shutdown -a command.

Review US-CERT Notice

US-CERT has released a notice that simply states that they have received reports of the Bad Rabbit ransomware infecting victims in multiple countries. It does not, though, specifically state that any of those victims are in the U.S.A.

With that said, they do offer links that contain information regarding the WannaCry and Petya infections in order to review suggested steps when dealing with these types of ransomware infections.
