Bad Rabbit was the third and final big “focused” ransomware attack of 2017 (after WannaCry and NotPetya). It was also the only one of the three that solely relied on users to activate the malicious software; the ransomware spread via drive-by attacks, where it first compromised an insecure (albeit often legitimate) website, then presented itself as a “Flash update” in order to trick users into clicking on it. This was a smart move by the attackers, seeing as Adobe Flash updates happen regularly, and users have likely become accustomed to seeing these alerts appear on their screen. Once the user clicked on the upgrade button, the Bad Rabbit malware executed and elevated its privileges on the user’s device; subsequently, the device would lock and a note would appear demanding that a ransom of $280 in Bitcoin be paid within a 40-hour timeframe. Though Bad Rabbit used a somewhat unconventional path of delivery for a ransomware attack, this isn’t an unusual path for malware delivery in general.
Bad Rabbit didn’t spread as widely as WannaCry or NotPetya, with the majority of incidents being recorded in Russia and Ukraine. However, security researchers have noted similarities to NotPetya, the attack which significantly impacted Ukraine and organisations around the world, including shipping company Maersk and media conglomerate WPP. For example, Bad Rabbit like NotPetya was able to schedule an automatic reboot of an infected system, which would then shut the targeted device down. Users would then be presented with an almost identical splash screen to NotPetya’s, which would direct them to a Tor address which demanded bitcoin in exchange for a decryption key.
Unlike with WannaCry or NotPetya, a software patch wouldn’t have defended systems hit by Bad Rabbit. This attack shows why you can’t rely on technology alone and need to have a layered approach that embraces a mixture of both technical safeguards and end-user cybersecurity training and awareness.
2018 So Far: The Calm Before the Storm?
In terms of cybercrime, 2018 has been almost suspiciously quiet so far. Of course, it is still very early days; most would probably agree that the biggest single incident so far this year was the cyberattack on the Winter Olympics just before the opening ceremony in South Korea. The official Winter Olympics website was taken offline, and TV and internet systems were also disrupted; operations were not restored for twelve hours. This attack certainly got a lot of coverage and visibility because of what it was, but, in comparison to the attacks of 2017, the damage was minimal.
There has been buzz around the Meltdown and Spectre security flaws, which may impact assets across the technology landscape – PCs, mobile devices, cloud, even IoT devices. The vulnerabilities are serious, and there are no simple steps for mediation. Too often, technology poses the problem, and then we rely on technology for the solution. At the end of day, no one is likely safe from Meltdown or Spectre. The one consistent theme in all of this is that, in every interaction, computer and email users need to practice care and caution, because they are indeed the very last line of defence. When technology fails, users don’t need to fail, too. Their awareness, their behaviour, and their choices can save a game that, if we rely only and solely on technology, may be lost.
I think it’s clear that this generally quiet period — if you can call it that — won’t last long. The growth of cybercrime over the past few years is unlikely to just drop off. For example, Wombat Security’s 2018 State of the Phish™ Report found that 76% of organisations experienced phishing attacks in 2017. In addition, organisations are reporting more security impacts stemming from email-based social engineering. Forty-nine percent of infosec professionals surveyed for Wombat’s report said their organisations suffered a malware infection as a result of being phished, an increase of more than 80% from 2016. It’s clear that phishing remained a very dangerous attack vector in 2017, and organisations should not expect 2018 to be any different.
Even more worrying is that we may see attacks that exploit users getting more and more successful in the next few decades, as Wombat’s research found that Millenials are less able to recognise phishing attacks than their older Baby Boomer colleagues. In a third-party survey of more than 3,000 technology users, 72% of individuals aged 55 and older were able to accurately define phishing, versus only 61% of respondents aged 18 to 29. As attacks scale in sophistication, whilst targeting a more vulnerable workplace, the risks increase exponentially.
Future-Proofing: Fortify Your Users with Knowledge
In addition to phishing issues and impacts, the State of the Phish Report also looked at the way organisations are handling anti-phishing training. For example, results showed that 88% of US businesses and 58% of UK businesses use computer-based online security awareness training to educate their users. Organisations certainly should be actively training their employees to spot the increasingly sophisticated phishing emails that lure people into clicking on links or opening files that result in malware entering a system. But users should also be trained to look “beyond the phish”.
Bad Rabbit is a great example of why organisations need to consider attack vectors — and end-user risks — outside of email. Employees should be taught to avoid running any updates or virus scans via a random pop-up. Cybercriminals have been exploiting user behaviours in this way for some time, and perhaps it is infosec teams’ emphasis on keeping software up-to-date that allows these attacks to succeed so frequently. Thus, infosec professionals may have made their own bed. As a parallel activity to addressing vulnerability management, those professionals should also focus on the potential education or re-education their users will need to separate wheat from chaff, to learn to discern a real update request from a dangerous one.
The sad fact of browsing the web in general is that dangers lurk practically around every virtual corner. From fake websites to malware-laden pop-up windows, the internet is an incredibly hazardous place for an untrained user. And if users are “risky-surfing” at work, it’s not just individual devices but the entire organisation that could be put at risk. In addition to avoiding suspicious pop-ups, I suggest taking these steps to help end users improve their online safety (both at work and in their personal lives):
Help them understand browser security features – Automatic browser updates should be enabled within organisations whenever possible; when not possible, IT teams should actively monitor for updates and instruct users to apply those when available (and advise them to do the same on their home devices).However, users should also be taught about strong security settings, which don’t happen by default. Different browsers offer different safeguards, and it’s a good idea for users to understand how their browsers implement security features. Rather than hoping that your users take the initiative to do their own research, offer your advice on the settings they should choose at home, and explain the settings that are enabled on their work devices (and why those settings should never be changed). In particular, users should be taught about the dangers of convenience features like auto-complete and password storage, which can make logins quick and easy, but can considerably weaken security on individual devices.
Stress the dangers associated with pirated content – It’s become quite mainstream for technology users to discuss available avenues for sourcing premium content for free (e.g., places to illegally download TV shows and movies if they are hard to find — or expensive to purchase — via legal channels). Because so many people are doing this, the average person could be lulled into believing that there’re aren’t real risks associated with these activities. Education is key to better protecting not only your users, but your organisation’s devices (which — unfortunately — employees are using for many personal pursuits, including streaming media). Your employees should be taught that, even though a plethora of sources distribute pirated content, these sites are not only illegal, they also carry a high level of cyber risk. It’s important that users recognise that hackers know how tempting free access to premium content can be, and that they often create files with embedded malware and load them into popular sites.
While 2018 may not see another attack of WannaCry or NotPetya scale, global events are far from the only concern that infosec teams are facing. Organisations need to think locally first and ensure that cyber defences and policies are as strong as possible and that end users are properly prepared to identify social engineering and other people-focused attacks. Like it or not, employees are the last line of defence against attacks that evade technical barriers. Ignoring this could leave your organisation more vulnerable and more likely to be the next victim making headlines.
Alan Levine, Security Advisor at Wombat Security Technologies
Image Credit: WK1003Mike / Shutterstock