On October 24, reports of a new ransomware strain named Bad Rabbit emerged and evidence suggests it is causing disruption in Europe and around the world. The attack represents the third major ransomware campaign of 2017 and is thought to be a variant of WannaCry, which put ransomware on the radar of most organizations worldwide.
According to an explanatory piece by Danny Palmer in ZDNet, Bad Rabbit isn’t very widespread so far, having infected approximately 200 targets. While not as large as the WannaCry and Petya attacks earlier this year, the attack has succeeded in spreading from Europe to Korea and in shutting down the operations of some victims. If it is confirmed to be a variant of WannaCry, it also represents something else - the continued re-use of existing malware for new attacks.
For public and private sector organizations, Bad Rabbit is another proof point that nation-state attacks or targeted ransomware attacks don't have to be sophisticated or new to be effective.
For example, evidence suggests:
- Bad Rabbit does not employ any exploits; instead, it relies on user cooperation to install. Bad Rabbit propagates via brute-force login attempts.
- Many IDS/IPS and NGFW products already detect this attack. It’s critical that all security analysts update their defenses ASAP.
- While security analysts are being bombarded with sophisticated attacks, they’re also grappling with low-cost threats like Bad Rabbit that attackers can easily get their hands on.
A large part of getting better at ransomware prevention is focusing more on the fundamentals. Take a step back and ask yourself, how well is your organization instrumented to do the basics:
- Assess your overall security posture
- Efficiently investigate with the right amount of context to verify threats
- Respond appropriately, quickly and effectively
- Detect, respond and manage in a way that suits your business needs
What it means
This attack highlights the need for basic security hygiene, security monitoring and incident management.
At its heart, ransomware is a data availability issue. Companies need to understand which data and systems are most critical and use a risk-based approach.
- Segment your networks
- Create and test backups
- Patch for vulnerabilities
- Use multi-factor auth when feasible
- Demand automation/integration capabilities from your security vendors
To the security tech community
It’s important for security vendors to work together under a unified defense to thwart bad actors and ransomware attacks such as Bad Rabbit. Customers have invested billions in security technology, and the security tech industry should work together to bring value to those customers. That’s why Splunk created the Adaptive Response Initiative: to give our customers actionable threat intelligence as soon as new threats propagate.
How can you defend your organization?
In addition to following basic security hygiene best practices and collaborating with peers in the industry, Splunk can be used to help defend against all forms of ransomware. This includes providing early warning of infection, as well as general prevention and detection techniques.
You can get going right away:
- If you use Splunk Enterprise Security, download the ES Content Updates. It has analytics to detect, investigate, and respond to ransomware attacks - it’s free.
- If you use Splunk Enterprise, you can use Splunk Security Essentials for Ransomware - it’s free.
- If you don’t use Splunk… seriously? Download the Splunk Enterprise free trial and install Splunk Security Essentials for Ransomware.
The Splunk security research team and field security teams are available to you 24x7. We invite you to contact us directly via firstname.lastname@example.org. If you want a more formal mechanism, contact your Splunk account team, or reach out to us to learn more about Splunk Insights for Ransomware. If you’re ready to try some hands-on techniques now, visit our Online Demo Experience to practice fighting ransomware in a sandbox with guided exercises in “real threat” scenarios.