Organizations in Russia and Ukraine were under siege Tuesday from Bad Rabbit, a strain of ransomware with similarities to NotPetya. By evening, the outbreak was reportedly spreading into Europe, including Turkey and Germany. Victims so far include airports, train stations and news agencies.
Russia’s Interfax news agency reported on Twitter that the outbreak had felled some of its servers, forcing Interfax to rely on its Facebook account to deliver news.
Starts with social engineering
Bad Rabbit appears to be spreading via hacked Russian media websites, displaying fake Adobe Flash install boxes. The malware may be spreading through other means as well, though at this point it appears user interaction is required.
Once it infects a computer, the ransomware uses brute-force password guessing to gain access to other machines and spread laterally.
From there, it behaves like standard ransomware, encrypting files and demanding a ransom before the victim can get their files back. Victims are greeted with the following message:
Oops! Your files have been encrypted.
If you see this text, your files are no longer accessible. You Might have been looking for a way to recover your files. Don’t waste your time. No one will be able to recover them without our decryption service.
We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.
Visit our web service at [redacted]
Shades of NotPetya
Bad Rabbit’s spread so far resembles that of NotPetya, which circled the globe in June after erupting in Ukraine. That ransomware’s victims included nuclear power plants.
Various news outlets have reported that Bad Rabbit uses the same password-stealing and spreading mechanism as NotPetya, allowing it to traverse an enterprise in short order.
Defensive measures
Sophos currently detects Bad Rabbit as Troj/Ransom-ERK. CryptoGuard in Intercept X blocks the ransomware, and our cloud protection is already available for the core payload. Sophos Sandstorm also blocks it, as does WipeGuard.
Fake Flash installers only work as a social engineering tactic if you use or want Flash. Our advice? If you’re using Flash, stop. By removing Flash entirely you protect yourself both from Flash zero-day bugs and from the temptation to download fake updates.
The recent high-profile ransomware outbreaks NotPetya and WannaCry exploited a vulnerability for which patches were already available. They only spread because those patches had not been applied – always run the latest updates for your applications and operating system.
Your last line of defense against ransomware is backups, so back up regularly and keep a recent copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
For more information about ransomware read How to stay protected against ransomware, or listen to our Techknow podcast. Home users, register for the free Sophos Home Premium Beta, which protects against ransomware by blocking the unauthorized encryption of files and sectors on your hard disk.
from Naked Security http://ift.tt/2gzFe9h