In October 2017 researchers at Kaspersky discovered a piece of ransomware which they dubbed “Bad Rabbit”. The ransomware was discovered affecting users mostly in Russia, Ukraine, Turkey, and Germany. The ransomware was distributed via a drive-by-download while visiting a legitimate website with the help of a malware dropper.
In summary, the malware is distributed when the user browses legitimate news websites and is then redirected to download a file named install_flash_player.exe from the attacker’s infrastructure. Once the malware is executed by the user it is launched as a DLL. The DLL will then install and launch a malicious EXE that will continue the disk encryption process and display a message to the user and request payment.
While these attacks were once unattributed, recently The National Cyber Security Centre (NCSC) has identified that the GRU — The Main Intelligence Directorate within Russia was behind these attacks. The GRU also known as APT28 and Fancy Bear, have been recently attributed to coordinated attacks against Poland, transportation attacks against Ukraine and in general this group tries to destabilize governments and economies of their perceived enemies.
As ransomware attacks have almost become commonplace, in this instance, the attack occurs with a fair amount of user interaction. The attack here can only occur when 1st the user must navigate to a legitimate website. 2nd the user must click the fake Adobe Flash installer. These two elements on their own can be combated by a combination of approaches such as implementing web filtering proxies on your network and with an appropriate user awareness training program. In addition, a 3rd approach is an appropriate threat intelligence program that educates network and security teams to the current or specific threats to your company or industry. In this case, the GRU has been known to implement flash based attacks in the past and target Ukraine and the transportation industry.
If you are interested in learning about how to combat these attacks, implement a security awareness training program or learn about ways to protect your network, contact Hexcapes, we can create custom training to protect your corporation and use your internal resources to prevent breaches now and in the future.