What is Ransomware?
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to obtain a decryption key. If the demands are not met, the system or encrypted data remains unavailable, or the data may be deleted.
Bad Rabbit Ransomware
The Bad Rabbit ransomware attack is distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly. Dubbed "Bad Rabbit," it is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding bitcoin payment as ransom from victims to unlock their systems.
Introduction - After the very public Petya-like attack that occurred in June, a new and remarkably similar ransomware has been observed spreading in the wild throughout Russia, Ukraine, and several other countries. Bad Rabbit, as it is known, was initially spread via drive-by downloads, but it also contains the ability to propagate via SMB, as well as encrypting files and preventing an infected system from booting properly.
Impact - Bad Rabbit is a nasty ransomware in that it not only modifies files but also the underlying filesystem and master boot record (MBR). It will harvest credentials using Mimikatz and attempt brute-force logins to propagate using SMB. Once it is active within an organization it will typically spread successfully and rapidly, rendering each system it reaches completely inoperable in the process.
Bad Rabbit Resources
- Bad Rabbit Ransomware Uses NSA’s “EternalRomance” Exploit, Petya Connection Also Found October 27, 2017
- Bad Rabbit Ransomware: What It Is, What to Do October 26, 2017
- Bad Rabbit ransomware attacks computer networks masquerading as Adobe Flash October 25, 2017
- Protecting Yourself from Bad Rabbit Ransomware October 25, 2017
WannaCry Ransomware
The WannaCry ransomware attack is an ongoing worldwide cyberattack by the WannaCry ransomware cryptoworm, which targets computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
In the U.S., "the list of victims is very small," a Department of Homeland Security official tells NPR, noting that it's still relatively early in the WannaCry attack. The victims, the official says, range widely in scope, from a few computers at companies and organizations to networks of many more.
"The U.S. is still in a relatively good place — I don't want to jinx it," the department official says. "We don't have a large number of victims right now, and we, for the most part, are not seeing significant operational impacts for those who have been victimized. They've been able to manage through it."
The agency and its partners in the global security community are now in a "sort of cat-and-mouse" competition with hackers, as variants of the software that foil previous solutions emerge, the official says.
WannaCry Resources
- How WannaCry Survives June 16, 2017
- How to Stop and Remediate WannaCry May 18, 2017
- WannaCry: Everything You Need To Know About the Ransomware Sweeping the Globe May 15, 2017
- WannaCry Ransomware: What We Know Monday May 15, 2017
- Microsoft Community: Wanna Cry Ransomware Guidelines to stay safe May 14, 2017
- Alert (TA17-132A) Indicators Associated With WannaCry Ransomware May 12, 2017
- Microsoft: Customer Guidance for WannaCrypt attacks May 12, 2017
Ransomware: One of the fastest growing threats
In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.
Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.
Protect Your Computers from Ransomware (source: https://www.fbi.gov/news/stories/ransomware-on-the-rise)
- Make sure you have updated antivirus software on your computer.
- Enable automated patches for your operating system and web browser.
- Have strong passwords, and don’t use the same passwords for everything.
- Use a pop-up blocker.
- Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.
- Use the same precautions on your mobile phone as you would on your computer when using the Internet.
- To prevent the loss of essential files due to a ransomware infection, it’s recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline.
What to Do if You become a Victim of Ransomware
- Disconnect the Computer from the Network
Once you suspect a computer might have ransomware on it, the first thing you need to do is take it offline. Pull the Ethernet cord, shut off the Wi-Fi and shut off the computer. Some ransomware can spread via the network connection, so the sooner you disconnect any potentially infected computers, the better your chances are of containing the breach.
- Disable Shared Drives
A growing number of ransomware varieties, such as CryptoFortress and Locky, will encrypt network and shared drives connected to the infected computer. If you think you may have a ransomware infection it’s a good idea to take all of your shared drives offline temporarily until you’ve cleaned out your network.
- Update and Run your Security Software
Check for and install any available updates for your security software and run a scan on all of the devices on your network. Ransomware changes rapidly, so make sure you have the most current version of your antivirus and anti-malware endpoint protection installed on computers throughout your network.
- Restore from Backup (if possible)
The best way to fix your computer without paying the ransom is to restore it from a known-good backup.
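As an added example (not code from the original page or from any vendor), the first three steps above as a PowerShell script run from a local, elevated console on the suspect Windows host; it assumes the built-in NetAdapter, SmbShare and Defender modules, and the log path and log wording are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original page: first-response steps for one
# Windows host suspected of ransomware, in the order the text above gives them.
# Run from the local console: disabling the adapters will drop any remote
# PowerShell session. $LogPath is an assumed location.
param([string]$LogPath = "$env:ProgramData\ransomware-response.log")

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Step 1: disconnect the computer from the network. Record mapped drives and
# active adapters first; that list shows what the malware could have reached.
$mappings = @(Get-SmbMapping -ErrorAction SilentlyContinue)
foreach ($m in $mappings) { Write-Log "Mapped drive $($m.LocalPath) -> $($m.RemotePath)" }
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    Write-Log "Disabling adapter '$($_.Name)'"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# Step 2: disable shared drives on this host. Removing the mappings (and the
# persisted profile entry) keeps a re-enabled NIC from reaching the shares
# again; the shares should also be taken offline on the file server itself.
foreach ($m in $mappings) {
    Remove-SmbMapping -LocalPath $m.LocalPath -Force -UpdateProfile
    Write-Log "Removed mapping $($m.LocalPath)"
}

# Step 3: update and run security software. The signature update needs network
# access, which step 1 removed, so a failure here is expected on an isolated
# host; the scan still runs with the signatures already installed.
try {
    Update-MpSignature -ErrorAction Stop
    Write-Log "Defender signatures updated"
} catch {
    Write-Log "Signature update skipped (host is offline): $($_.Exception.Message)"
}
Start-MpScan -ScanType FullScan
Get-MpThreatDetection | ForEach-Object {
    Write-Log "Detection: $($_.ThreatID) at $($_.InitialDetectionTime) in $($_.Resources)"
}

# Step 4: restore from backup is a manual decision, so only record the handoff.
# Restore from a backup taken before the infection, never from a share that
# was still mapped to this host while it was infected.
Write-Log "Isolation and scan complete; restore data from a pre-infection offline backup"
```

The log file records which shares were mapped at the time of isolation, which is the list to check for encrypted files before any restore.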