How to Detect Badrabbit Ransomware on Your Network
What is Badrabbit Ransomware?
A new strain of ransomware nicknamed “Bad Rabbit” has been found spreading in Russia, Ukraine and Germany. The outbreak bears similarities to the WannaCry and Petya ransomware outbreaks that spread around the world and caused widespread disruption earlier this year. This ransomware encrypts data on infected machines and on network file shares before demanding a payment of 0.05 bitcoin (£250) for the decryption key.
The main way Bad Rabbit spreads has been identified as drive-by downloads on hacked websites. No exploits are used at this stage; instead, visitors to compromised websites – some of which have been compromised since June – are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.
Once a user facilitates the initial infection, the malware leverages existing methods to propagate around a network without further user interaction. This involves an exploit in the SMB protocol and a hacking tool known as Mimikatz, which is able to obtain passwords from memory on the infected system.
Monitoring File Activity on Your Network
You need to be monitoring file and folder activity before you can detect Ransomware like Badrabbit active on your network. One of the easiest ways to do this is to monitor the network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.
Once you have your data source in place you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes things like filenames, actions and usernames. As well as monitoring traffic associated with your file servers we also recommend that you monitor all traffic at your network perimeter. Ransomware needs to communicate with the outside world so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware like Badrabbit. There are specific domains that you need to watch out for which are listed below.
How to detect the presence of Badrabbit Ransomware
- Check your IDS for specific Badrabbit events
- Generate a list of clients accessing suspicious web domains
- An increase in file renames is a sure sign of Ransomware
Checking your IDS
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Most look for certain data strings within network packets which will then trigger an alert. In the case of Badrabbit you need to be watching out for the following Emerging Threats rules.
- emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (cscc)
- emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (infpub)
- emerging-trojan ET TROJAN BadRabbit Ransomware Payment Onion Domain
If you are using our LANGuardian product, check the report Top Network Events. This is also available in the trial version.
Badrabbit uses a number of domains for command and control services. Check your DNS traffic and/or your web activity logs for any activity associated with these domains. If you detect any activity, remove the client which issued the DNS query or tried to access the domain from your network.
If you are using our LANGuardian product, check the report Network Events (DNS Lookups). This is also available in the trial version.
Watch out for an increase in file renames.
File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like Badrabbit strikes, it will result in a massive increase in file renames as your data gets encrypted. Note that Badrabbit will use the same file names so there are no file extensions to watch out for.
You can use this behavior to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.
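As an added example (not LANGuardian code), the following Python script applies the 4-renames-per-second rule to a constructed set of file-activity metadata, flagging the client and user that produced the burst. The five-field log layout is an assumption made for this example.

```python
from collections import Counter

RENAME_THRESHOLD = 4  # renames per second, per client, as recommended above

# Constructed sample of file-activity metadata: "timestamp client user action path".
# The layout is an assumption for this example, not LANGuardian's export format.
SAMPLE_LOG = r"""
2017-10-24T09:15:01 10.0.0.12 alice read \\fs01\finance\q3.xlsx
2017-10-24T09:15:01 10.0.0.12 alice rename \\fs01\finance\q3.xlsx
2017-10-24T09:15:02 10.0.0.12 alice write \\fs01\finance\q3.xlsx
2017-10-24T09:15:30 10.0.0.55 bob rename \\fs01\share\a.docx
2017-10-24T09:15:30 10.0.0.55 bob rename \\fs01\share\b.docx
2017-10-24T09:15:30 10.0.0.55 bob rename \\fs01\share\c.pdf
2017-10-24T09:15:30 10.0.0.55 bob rename \\fs01\share\d.pptx
2017-10-24T09:15:30 10.0.0.55 bob rename \\fs01\share\e.txt
2017-10-24T09:15:31 10.0.0.55 bob rename \\fs01\share\f.txt
2017-10-24T09:15:31 10.0.0.55 bob rename \\fs01\share\g.txt
"""


def parse_events(text):
    """Yield (timestamp_to_the_second, client, user, action, path) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # The path is the last field and may contain spaces, so split at most 4 times.
        ts, client, user, action, path = line.split(" ", 4)
        yield ts, client, user, action, path


def rename_rate_alerts(text, threshold=RENAME_THRESHOLD):
    """Return sorted (second, client, user, count) tuples for every client that
    performed at least `threshold` renames within a single second.
    Only the action is examined: Bad Rabbit keeps the original file names, so an
    extension-based check would miss it."""
    counts = Counter()
    users = {}
    for ts, client, user, action, _path in parse_events(text):
        if action == "rename":
            counts[(ts, client)] += 1
            users[(ts, client)] = user
    return sorted(
        (ts, client, users[(ts, client)], n)
        for (ts, client), n in counts.items()
        if n >= threshold
    )


if __name__ == "__main__":
    for ts, client, user, n in rename_rate_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} {client} ({user}): {n} renames in one second")
```

Alice's single rename and Bob's two renames at 09:15:31 stay below the threshold; only Bob's five renames at 09:15:30 raise an alert.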
The video below shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.