Detecting Bad Rabbit Ransomware

save
Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

A new ransomware dubbed Bad Rabbit has hit several targets and began spreading across Russia and Eastern Europe on Tuesday, October 24, 2017. The ransomware exploits the same vulnerabilities exploited by the WannaCry and Petya ransomware that wreaked havoc in the past few months. As new versions of ransomware using Shadow Brokers exploits run wild, Tenable.io Vulnerability Management (VM) users are equipped with tools to stay ahead of the game and reduce your overall Cyber Exposure risk.  

What is Bad Rabbit and what does it do?

According to early reports, Bad Rabbit Ransomware uses a fake Flash update to lure unsuspecting users into installing the ransomware, resulting in the encryption of their data. Whether the attackers honor the payment or just keep asking for more money, the best approach is to patch your systems today and avoid the issue altogether.

Closing the Cyber Exposure Gap

Tenable.io users are ahead of the game. By using active scanning and agent-based scanning, customers will be able to easily identify the vulnerable assets across the exposed attack surface. Existing Petya and WannaCry plugins will display systems that are vulnerable to MS17-010, and these assets should be patched immediately.

Tenable.io™ Vulnerability Management has the following two plugins, released earlier this year, to detect vulnerable systems:

  • 97737 – MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
  • 97833 – MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)

Malware Scanning to Close the Gap

The Cyber Exposure Gap is ever expanding as new assets connect to the network, and vulnerability scanning will not cover all aspects of the modern attack surface. Scanning using the Malware plugins such as Malicious Process Detection (59275) and others, you can better detect and eliminate cyber risks across all assets. Other plugins that are useful to enable during scanning are:

  • Web Site Hosting Malicious Binaries (71024)
  • Linux Malicious Process Detection (71261)
  • Mac OS X Malicious Process Detection (71263)
  • Malicious File Detection (88961)

In the image below, we can see the result of a scan of a system with running processes that are considered malware. These systems should be quarantined and analysed forensically to ensure that compromise has not occurred.

Bad Rabbit scan result Tenable.io

How to find Assets

As part of the Cyber Exposure lifecycle, you will need to assess and analyze assets to understand and ultimately mitigate your cyber risk.  You can use the VM Vulnerabilities workbench in Tenable.io to close in on vulnerabilities and reduce your Cyber Exposure gap. To use the workbench, you will need to create an advanced search and apply the following filters:  

Bad Rabbit advanced search Tenable.io

After you apply the search, you will see the affected assets and you can take the first steps in mitigating your cyber risk.  

Bad Rabbit Tenable.io workbench

As your modern attack surface changes, you must set up vulnerability scanning to collect data using active scanning and agent scanning. This assessment process allows you to detect changes in the network and establish the state of your network against your previously defined baseline. A good baseline tracks indicators such as hardening standards, known assets and the locations of critical assets. The next step in the Cyber Exposure lifecycle is to analyze. Tenable.io allows you to put assets in the correct context to better understand and establish the priority of mitigation efforts. If the WannaCry or Petya vulnerabilities are still in your network, assets with these vulnerabilities need to be moved to the top of your priority list.  

Wrap up

Most ransomware exploits well-known vulnerabilities that already have patches available. Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems. Make it a regular habit to patch and protect your assets.

For more information

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io

Many thanks to the Tenable research team for their contributions to this blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
Follow
1592 Followers
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at tenable.com.
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel