Ransomware is without doubt one of the fastest-growing threats today, and the latest outbreak proves that small, medium-sized and large organisations alike are at risk. At LogPoint our IT and security professionals constantly work on helping our clients withstand attacks like these. When fighting ransomware, planning and forethought are crucial if your organisation is to limit the impact and recover quickly with minimal disruption. Here at LogPoint we keep in mind that ransomware variants are constantly changing, so that we can always provide the best available solution to fight them.
Bad Rabbit, the latest ransomware attack, hit several organizations across Russia and Eastern Europe on October 24th. The high-profile targets include at least two Russian media outlets, Interfax and Fontanka.ru, Ukraine's Ministry of Infrastructure and Kiev's public transportation system. The campaign is believed to be connected to NotPetya, the family of encrypting ransomware behind the outbreak in June earlier this year.
How does it work?
Bad Rabbit is delivered as a fake Adobe Flash Player update on compromised websites and spreads laterally by trying a hardcoded list of usernames and passwords against other hosts over the SMB protocol. A file named "install_flash_player.exe" is downloaded onto the host from the affected website. The user has to run this file manually for the malware to take effect. Once executed, it encrypts the files on the host machine, installs its own bootloader in the Master Boot Record and schedules a reboot. After the reboot a ransom note very similar to the one used by Petya/NotPetya is displayed, and the system does not boot unless the ransom is paid.
How to spot red flags indicating that your system might have been compromised?
As the example below shows, the malware creates several files during infection, and their presence is a good indicator of compromise.
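The red flags described above (the dropper being executed, infpub.dat and cscc.dat appearing under C:\Windows, a reboot being scheduled, and one host trying credentials against many others over SMB) can be turned into simple detection rules. The script below is an added example written for this article, not LogPoint code or a LogPoint rule; it runs over a handful of constructed endpoint log lines in an assumed key=value format, and the spraying threshold and the requirement that the dropper run from under C:\Users are assumptions to be tuned per environment.

```python
"""Match Bad Rabbit red flags against sample endpoint log lines.

The log format is an assumption for this example (space-separated key=value
pairs), not the format of any particular product.
"""
import re
from collections import defaultdict

# Indicators named in the write-up: the dropper file name and the two files
# the malware writes under C:\Windows.
DROPPER_NAME = "install_flash_player.exe"
DROPPED_FILES = {r"c:\windows\infpub.dat", r"c:\windows\cscc.dat"}

# Assumption for the SMB credential-spraying rule: one source host failing
# network logons (logon type 3) against this many distinct targets is an alert.
SPRAY_TARGET_THRESHOLD = 3

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (not real captured data).
SAMPLE_LOGS = [
    'ts=2017-10-24T10:02:11 host=WS01 event=process_create image="C:\\Users\\jane\\Downloads\\install_flash_player.exe" user=jane',
    'ts=2017-10-24T10:02:12 host=WS01 event=file_create path="C:\\Windows\\infpub.dat" user=jane',
    'ts=2017-10-24T10:02:12 host=WS01 event=file_create path="C:\\Windows\\cscc.dat" user=jane',
    'ts=2017-10-24T10:02:14 host=WS01 event=task_create command="shutdown.exe /r /t 0 /f" user=SYSTEM',
    'ts=2017-10-24T10:02:20 host=WS02 event=logon_failed logon_type=3 src=WS01 user=administrator',
    'ts=2017-10-24T10:02:21 host=WS03 event=logon_failed logon_type=3 src=WS01 user=administrator',
    'ts=2017-10-24T10:02:21 host=WS04 event=logon_failed logon_type=3 src=WS01 user=admin',
    'ts=2017-10-24T10:03:00 host=WS05 event=logon_failed logon_type=2 src=WS05 user=bob',
    'ts=2017-10-24T10:03:05 host=WS01 event=file_create path="C:\\Windows\\Temp\\update.tmp" user=SYSTEM',
]


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def norm_path(path):
    """Lower-case and normalise separators so indicator comparison is exact."""
    return path.lower().replace("/", "\\")


def detect(lines):
    """Return (rule, host, detail) alerts for the Bad Rabbit red flags."""
    alerts = []
    spray = defaultdict(set)  # source host -> set of targets with failed network logons
    for line in lines:
        ev = parse_line(line)
        kind = ev.get("event")
        host = ev.get("host", "?")
        if kind == "process_create":
            image = norm_path(ev.get("image", ""))
            # Dropper run from a user profile directory (assumed location).
            if image.endswith("\\" + DROPPER_NAME) and "\\users\\" in image:
                alerts.append(("dropper_executed", host, image))
        elif kind == "file_create":
            path = norm_path(ev.get("path", ""))
            if path in DROPPED_FILES:
                alerts.append(("payload_file_written", host, path))
        elif kind == "task_create":
            cmd = ev.get("command", "")
            if "shutdown" in cmd.lower() and ("/r" in cmd or "-r" in cmd):
                alerts.append(("reboot_task_scheduled", host, cmd))
        elif kind == "logon_failed" and ev.get("logon_type") == "3":
            spray[ev.get("src", "?")].add(host)
    # Correlate across hosts: lateral movement with hardcoded credentials shows
    # up as one source failing logons against many targets.
    for src, targets in sorted(spray.items()):
        if len(targets) >= SPRAY_TARGET_THRESHOLD:
            alerts.append(("smb_credential_spray", src, ",".join(sorted(targets))))
    return alerts


def run_sample():
    """Run the rules over the constructed sample logs."""
    return detect(SAMPLE_LOGS)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:24s} {host:6s} {detail}")
```

Each rule on its own is noisy (a failed network logon or a scheduled shutdown is routine); the value is in seeing the dropper, the two files under C:\Windows, the reboot task and the logon failures from the same host within minutes of each other, which is why the script reports the host with every alert.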
How to protect your system before it is too late?
- Disable the WMI service if your environment can tolerate it
- Keep systems patched and anti-malware signatures up to date
- Maintain good backups so that if an infection occurs you can restore your data
- Isolate and clean up infected systems
- Block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat
Minimum Log Source Configuration
Do you want to know more? Please contact us using the form below.
With LogPoint, you will discover a full enterprise SIEM solution.
LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.
And the best part? We have the most predictable licensing model in the industry.