The following information was obtained from different cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as Restricted pursuant to PNP Regulation 200-012 on Document Security, with an Impact Rating of high based on the PNP Information Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.
SUMMARY
On October 24, 2017, there were notifications of attacks with “Bad Rabbit” ransomware. The attack targeted organizations and individuals mostly in Russia, but there were also traces of attacks in Ukraine, Turkey and Germany. The campaign spread across Europe, and reported victims include airports, train stations and news agencies.
Compared with NotPetya, Bad Rabbit no longer contains the core Petya code; instead, it drops the encryption system driver from the known legitimate DiskCryptor application. The sample drops the encryption driver onto the local system as cscc.dat and then leverages it to perform disk encryption. No exploits were used to deliver it, so victims have to manually execute the malware dropper, which pretends to be an Adobe Flash installer; to spread within a corporate network, however, it makes use of the EternalRomance exploit as an infection vector.
Once a computer is infected with Bad Rabbit, the malware attempts to spread using the list of usernames and passwords embedded in it, which includes passwords that appear on lists of the worst passwords. After that, it encrypts the files, adding "encrypted" at the end of each filename, as well as the Master Boot Record of the computer; a message then appears asking the victim to submit payment via a TOR hidden service. If you try to visit the Bad Rabbit website using a Tor Browser, you will be invited to pay a fee for the decryption key.
RECOMMENDATION
PNP personnel and the public are advised to follow these tips to avoid being victimized by the Bad Rabbit ransomware:
- Make sure to activate all protection mechanisms of your computers.
- Update anti-virus regularly.
- Update OS patches regularly.
- Restrict execution of files with the paths c:\windows\infpub.dat and c:\windows\cscc.dat
- Configure and enable default deny mode in the application startup control of your security appliance to ensure and enforce proactive defense against attacks.
- Ensure enforcement of strong passwords.
- Always maintain a backup of your files.
- Do not provide administrator privileges to user accounts.
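
One way to apply the path restriction recommended above on a Windows host, as an added example that is not part of the original bulletin: it creates empty placeholder files at the two paths and strips every permission entry from them. The placeholder approach and the use of Get-Acl/Set-Acl are assumptions of this example; run it from an elevated PowerShell session.

```powershell
# Added example (not from the bulletin): restrict the two paths it names.
$paths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        if ($item.Length -gt 0) {
            # A non-empty file here was not made by this script. The bulletin
            # says the ransomware drops its driver as cscc.dat, so treat this
            # as a possible infection and do not touch the file.
            Write-Warning "$path exists ($($item.Length) bytes). Investigate this host."
            continue
        }
    }
    else {
        # Empty placeholder that occupies the path.
        New-Item -ItemType File -Path $path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting permissions from C:\Windows and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entries as well, leaving an empty access list:
    # no account is granted read, write or execute on the file.
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Report what is left so the result can be checked per host.
    $remaining = @((Get-Acl -LiteralPath $path).Access).Count
    if ($remaining -eq 0) {
        Write-Output "$path restricted: no access entries remain."
    }
    else {
        Write-Warning "$path still has $remaining access entries."
    }
}
```

The restriction is tied to these two file names only, so it complements the patching, password and backup items in the list rather than replacing them.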
For additional information, please refer to the following websites:
https://www.carbonblack.com/2017/10/24/threat-advisory-analysis-bad-rabbit-ransomware/
https://securelist.com/bad-rabbit-ransomware/82851/
POINT OF CONTACT
Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, thru email or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.