On October 24, the latest ransomware outbreak, “Bad Rabbit,” infected hundreds of computers around the world. It is the third major global cyberattack in six months, joining WannaCry and Petya in the news headlines. Together they have crippled organizations and caused hundreds of millions of dollars in damage.
Fortunately, computers with SparkCognition’s DeepArmor® installed were not affected. In all three ransomware outbreaks, DeepArmor detected the malware on day one, before any harm could be caused.
How Bad Rabbit infiltrated systems
Those who fell victim to Bad Rabbit were lured in by a fake Adobe Flash update served through compromised websites. The “update” had to be downloaded and run by the user; once it ran, the ransomware dropped files onto the system, beginning a chain of events that ends with a ransom note on screen stating that the victim’s files are “no longer accessible” and cannot be recovered without the attackers’ decryption service.
Victims are directed to a Tor payment page that demands 0.05 bitcoin (around $285) within 40 hours. The ransom increases if it isn’t paid before the countdown timer reaches zero.
Bad Rabbit uses built-in Windows utilities to infect systems, which makes both behavior-based and signature-based detection harder, since the processes doing the work are legitimate system binaries. The ransomware uses rundll32.exe to launch exported functions from a DLL dropped by the fake Flash update.
This DLL attempts to stay covert by using the extension .dat (rundll32.exe loads a module by path regardless of its extension, so the name hides nothing from the loader, only from a casual file listing), then drops additional files on the system and creates scheduled tasks to launch them. ZDNet pointed out that Bad Rabbit shares many attributes with the Petya ransomware from June of this year, so it is likely that the same unidentified group is behind this attack as well.
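The execution pattern described above (rundll32.exe loading a module that is not named like a DLL, followed by scheduled-task creation from that process) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from the original post or from SparkCognition. The log lines are constructed, Sysmon-style Event ID 1 records with hypothetical paths (`flash_update.exe`, `payload.dat`, `helper.exe`), not real Bad Rabbit artifacts, and the extension allowlist is a starting point to tune rather than an exhaustive list.

```python
"""Hunt for rundll32.exe loading a non-DLL-style module and for schtasks /Create
descending from that process. Sample log is constructed; paths are hypothetical."""
import ntpath
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOG = r"""
EventID=1 ProcessId=4120 ParentProcessId=1488 Image=C:\Users\alice\Downloads\flash_update.exe CommandLine=C:\Users\alice\Downloads\flash_update.exe
EventID=1 ProcessId=4136 ParentProcessId=4120 Image=C:\Windows\System32\rundll32.exe CommandLine=C:\Windows\System32\rundll32.exe C:\Windows\payload.dat,#1 15
EventID=1 ProcessId=4150 ParentProcessId=4136 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /Create /SC ONCE /TN drop1 /TR C:\Windows\helper.exe /ST 10:15:00
EventID=1 ProcessId=2200 ParentProcessId=1488 Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL desk.cpl
EventID=1 ProcessId=2210 ParentProcessId=900 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /Query /TN Defrag
"""

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# rundll32 legitimately loads DLL-style modules; anything else (such as .dat) is suspect.
# Assumed allowlist for this example; tune it against your own baseline.
ALLOWED_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax"}


def parse_events(log):
    """Turn key=value records into dicts; pids become ints for tree walking."""
    events = []
    for line in log.strip().splitlines():
        fields = dict(FIELD_RE.findall(line))
        fields["ProcessId"] = int(fields["ProcessId"])
        fields["ParentProcessId"] = int(fields["ParentProcessId"])
        events.append(fields)
    return events


def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None if not rundll32."""
    args = cmdline.split()  # constructed sample has no quoted arguments
    if len(args) < 2 or ntpath.basename(args[0]).lower() != "rundll32.exe":
        return None
    return args[1].split(",", 1)[0]  # "module,EntryPoint" -> module


def odd_module_ext(module):
    return ntpath.splitext(module)[1].lower() not in ALLOWED_MODULE_EXT


def ancestors(pid, by_pid):
    """Yield parent pids up the recorded process tree (stops at unknown pids)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ParentProcessId"]
        yield pid


def detect(events):
    """Return (pid, reason) alerts for the two chained behaviours."""
    by_pid = {e["ProcessId"]: e for e in events}
    flagged = {}
    alerts = []
    for e in events:
        mod = rundll32_module(e["CommandLine"])
        if mod and odd_module_ext(mod):
            flagged[e["ProcessId"]] = f"rundll32 loading non-DLL module {mod}"
            alerts.append((e["ProcessId"], flagged[e["ProcessId"]]))
    for e in events:
        is_schtasks = ntpath.basename(e["Image"]).lower() == "schtasks.exe"
        if is_schtasks and "/create" in e["CommandLine"].lower():
            for anc in ancestors(e["ProcessId"], by_pid):
                if anc in flagged:
                    alerts.append((e["ProcessId"], f"scheduled task created under flagged pid {anc}"))
                    break
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(parse_events(SAMPLE_LOG)):
        print(pid, reason)
```

The benign `rundll32.exe shell32.dll,Control_RunDLL` line and the `schtasks /Query` line produce no alerts; the `.dat` module and the `/Create` beneath it do. Correlating the scheduled-task rule to an already-flagged ancestor is what keeps the second rule from firing on every administrator who creates a task.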
Where traditional security systems fall short
When it comes to ransomware, the traditional signature-based security model is broken. Traditional vendors rely on static properties of a file, and a slight alteration to those properties lets malware walk right by, undetected.
A new approach is needed to keep up with the evolving threat landscape. The static signatures used by traditional antivirus can only identify properties of malware it already knows; they have no way to relate a new file to malware that does not match their predefined notions of what malware looks like and how it operates. Artificial intelligence is proving effective in rising to that challenge. AI and machine learning aren’t just buzzwords; they are imperative to mitigating the massive risks of the ransomware crisis.
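To make the brittleness of an exact signature concrete, here is an added example (not code from the original post, and not DeepArmor’s method): a hash signature misses a sample that differs by a single appended byte, while a similarity check over the file’s byte content still matches it. The two “samples” are constructed byte strings standing in for executables, no real malware is involved, and the byte-bigram cosine similarity is only a stand-in for the kind of learned model the text is describing.

```python
"""Exact hash signature versus content-similarity matching on a trivially modified sample."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known-bad file (header-like bytes plus strings a
# ransomware dropper might contain). Not a real sample.
KNOWN_BAD = (
    b"MZ" + b"\x90" * 64
    + b"This program cannot be run in DOS mode"
    + b"CreateFileW SetFileAttributesW rundll32 schtasks.exe /Create"
    + b"\x00" * 32
)
# The same sample with one byte appended, as a repack or a trivial edit would produce.
VARIANT = KNOWN_BAD + b"\x00"
# An unrelated, benign-looking blob used to show the similarity check does not match everything.
BENIGN = bytes(range(256)) * 2


def hash_signature(data):
    return hashlib.sha256(data).hexdigest()


def signature_match(data, known_hashes):
    """Classic static signature: exact hash membership."""
    return hash_signature(data) in known_hashes


def byte_ngrams(data, n=2):
    """Histogram of overlapping byte n-grams, a crude content feature vector."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity(data, known):
    return cosine(byte_ngrams(data), byte_ngrams(known))


def feature_match(data, known, threshold=0.95):
    """Content-similarity match: survives small edits that change the hash."""
    return similarity(data, known) >= threshold


if __name__ == "__main__":
    known = {hash_signature(KNOWN_BAD)}
    print("hash match on variant:", signature_match(VARIANT, known))
    print("feature match on variant:", feature_match(VARIANT, KNOWN_BAD))
    print("feature match on benign:", feature_match(BENIGN, KNOWN_BAD))
```

The single appended byte changes the SHA-256 completely, so the hash lookup fails, while the bigram histogram barely moves and the variant still scores above the threshold. The caveat cuts both ways: a similarity threshold trades false negatives for false positives, and an attacker who knows the features can pad or rewrite a sample to move it below the threshold, which is why real products keep adding feature types rather than relying on one.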
How DeepArmor® detected Bad Rabbit
DeepArmor uses artificial intelligence to create predictive models for what malware looks like, and applies this model to the entirety of a file being scanned, enabling it to detect new variants and zero-day threats without the need for static signatures. This predictive capability is what enabled DeepArmor to identify this ransomware package the moment it was released into the wild. Below are the alerts a user would have received as this ransomware moved through each step in the kill chain.
The AI component of our product closes the gap between what is known and what is unknown, helping security staff identify new threats immediately. Our management console provides notification when an alert is generated through AI and also uses natural language processing to generate a description of the threat. These unique features highlight the value of cognitive detection and enable a security analyst to make quick decisions.
Lessons Learned
There are two clear lessons to be taken from this news:
1) The onslaught of new and progressively more vicious malware is not halting any time soon.
2) Artificial intelligence solutions are the most capable tools to protect against future cyber threats.
The Bad Rabbit incident is a clear indicator that AI solutions are the most effective at combating cyber attacks. Just hours after news of Bad Rabbit broke, only a few vendors were able to detect this threat, DeepArmor® among them. Compare the detection rates of vendors today to their detection rates just 24 hours earlier: that gap is the difference between safety and loss of data. It is clear that the path forward to prevent infiltration requires a cognitive, AI-based solution.
Detection as of 10-24-17:
Detection as of 10-25-17:
The post SparkCognition’s DeepArmor® Detects Third Major Malware Within Six Months appeared first on SparkCognition Inc.