On October 24, the latest ransomware outbreak “Bad Rabbit” infected hundreds of computers around the world. This is the third major global cyberattack in six months, joining WannaCry and Petya ransomwares in the world news headlines. Together they have crippled organizations, costing hundreds of millions of dollars in damage.

Fortunately, computers with SparkCognition’s DeepArmor® installed were not affected. In all three ransomware outbreaks, DeepArmor detected the malware on day one, before any harm could be caused.

How Bad Rabbit infiltrated systems

Those that fell victim to Bad Rabbit were lured in by a fake Adobe Flash update served through compromised websites. Upon running the update, the ransomware would drop files onto the system, beginning a chain of events that ultimately displays a ransom note on screens saying that their files were “no longer accessible” and without a decryption service, they wouldn’t be able to recover them.

Bad Rabbit’s ransom note:

Victims are directed to a Tor payment page that demands .05 bitcoin (around $285) within 40 hours. The ransom increases if it isn’t paid before the countdown timer reaches zero.

Bad Rabbit uses built in capabilities to infect systems, making traditional behavior and signature detection difficult. The ransomware utilizes the rundll32.exe to launch functions out of the a file dropped from the initial fake Flash update.

After dropping inpub.dat, Bad Rabbit launches additional processes using the built in rundll32.exe:

This dll attempts to stay covert by using the extension .dat, then drops additional files on the system and creates scheduled tasks to initiate them. ZDnet pointed out Bad Rabbit shares many attributes with the Petya ransomware from June of this year, so it’s likely that the same unidentified group is behind this attack as well.

The Detection Gap Period

When it comes to zero-day threats, the legacy security model is broken, and Bad Rabbit is a perfect example of why. Legacy endpoint protection solutions rely on file reputation (blacklists) and signatures as the bedrock of their detection capabilities. This approach is highly effective at detecting known threats, but what about mutations, polymorphic and zero-day threats like Bad Rabbit?

To illustrate, 45 out of 66 cybersecurity companies on VirusTotal did not mark this sample of Bad Rabbit as malicious, as of 19:46 (UTC) on Oct 24th. Though 53 of the 66 engines were able to detect the sample 24 hours later, the damage had already been done for many customers like the cities of Odessa and Kiev that were compromised during this gap period. In comparison, DeepArmor was able to detect and remediate this particular Bad Rabbit sample using our cognitive detection engine, before file reputation data was available. Our AI-based approach to threat detection enables DeepArmor to eliminate the critical protection gap.

Detection as of 10-24-17, click to see full list:

Detection as of 10-25-2017:

This particular sample of Bad Rabbit is a great example, as only 21 of the 66 engines on VirusTotal detected as of 19:46 (UTC) on Oct 24th, which was more than two days after the file was created. The next day, after coverage of Bad Rabbit hit the media, 53 of the 66 engines were able to detect this sample. Unfortunately, the damage had already been done for many systems in the Ukraine and Russia that were compromised during this detection gap period. In comparison, DeepArmor was able to detect and remediate this particular Bad Rabbit sample using our cognitive detection engine, before file reputation data was available. Our AI-based approach to threat detection enables DeepArmor to eliminate this critical protection gap.

A new approach is needed to keep up with the evolving threat landscape. Static signatures in use with traditional antivirus are only capable of identifying the properties of malware it already knows, it has no capability to correlate a file that does not match its predefined notions of what malware looks and operates like. Artificial intelligence is proving effective in rising to the challenge. AI and machine learning aren’t just buzzwords—they are imperative to mitigating the massive risks associated with the ransomware crisis.

How DeepArmor® detected Bad Rabbit

DeepArmor uses artificial intelligence to create predictive models for what malware looks like, and applies this model to the entirety of a file being scanned, enabling it to detect new variants and zero-day threats without the need for static signatures. This predictive capability is what enabled DeepArmor to identify this ransomware package the moment it was released into the wild.

Below are the alerts a user would have received as this ransomware moved through each step in the kill chain:

The AI component of our product closes the gap between what is known and what is unknown, helping security staff identify new threats immediately. Our management console provides notification when an alert is generated through AI and also uses natural language processing to generate a description of the threat. These unique features highlight the value of cognitive detection and enable a security analyst to make quick decisions.

Lessons Learned

There are two clear lessons to be taken from this news:
1) the onslaught of new and progressively more vicious malware is not halting any time soon
2) artificial intelligence solutions are the most capable tools to protect against future cyber threats

The Bad Rabbit incident is a clear indicator that AI solutions are the most effective at combatting cyber attacks. Just hours after news broke of Bad Rabbit, there were only a few vendors that were able to detect this threat, DeepArmor® among them. Compare the detection rates of companies today to the detection just 24 hours ago—that gap in detection is the difference between safety and loss of data. It’s clear that the path forward to prevent infiltration necessitates a cognitive AI-based solution.

Related Posts