The new strain of ransomware known as Bad Rabbit was first spotted on October 24th, 2017. It is the third major malware outbreak this year, following the wider-reaching WannaCry and NotPetya strains. So far, security firms Kaspersky and ESET have both noted ties to the malware known as NotPetya or ExPetr.
The initial Bad Rabbit infection occurs via a fake Adobe Flash installer offered for download; the malware it carries is triggered when the user runs the EXE file.
The files contained in the malware are:
After being executed, it drops and deploys its main module in the C:\Windows directory, which encrypts all files with specific extensions and installs a bootlocker that displays a ransom note similar to that of the Petya/NotPetya ransomware. Note that the malware must run with administrator privileges.
Bad Rabbit includes an infector that enables lateral movement, propagating over SMB with a hardcoded list of usernames and passwords. Unlike NotPetya, however, it does not use EternalBlue, and it has spread more widely.
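As an added example (not code from the original article or from any of the firms it cites), the Python script below shows one way a defender could spot this kind of SMB credential-list propagation in a stream of failed network-logon events: a single source trying many different account names against several hosts within a short window. The event records are constructed sample data in a simplified Event ID 4625-like layout, and the thresholds are assumed values to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (Windows Security Event ID 4625
# style, network logon type 3, as produced by SMB authentication attempts).
# Fields: timestamp, source workstation, target host, account name tried.
SAMPLE_EVENTS = [
    ("2017-10-24 10:00:01", "WS-17", "FILESRV01", "Administrator"),
    ("2017-10-24 10:00:02", "WS-17", "FILESRV01", "admin"),
    ("2017-10-24 10:00:02", "WS-17", "FILESRV01", "Guest"),
    ("2017-10-24 10:00:03", "WS-17", "HR-PC-04", "Administrator"),
    ("2017-10-24 10:00:03", "WS-17", "HR-PC-04", "user"),
    ("2017-10-24 10:00:04", "WS-17", "ACCT-PC-09", "root"),
    ("2017-10-24 10:00:05", "WS-17", "ACCT-PC-09", "backup"),
    ("2017-10-24 10:03:30", "WS-22", "FILESRV01", "jsmith"),  # benign typos
    ("2017-10-24 10:04:10", "WS-22", "FILESRV01", "jsmith"),
]


def find_spraying_sources(events, window=timedelta(seconds=60),
                          min_accounts=4, min_targets=2):
    """Return {source: (distinct accounts, distinct targets)} for each source
    that, inside some sliding `window`, tried at least `min_accounts` account
    names against at least `min_targets` hosts. Thresholds are assumptions."""
    by_source = defaultdict(list)
    for ts, src, dst, acct in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_source[src].append((when, dst, acct))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            # Advance the window start so rows[start:end+1] spans <= window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {a for _, _, a in span}
            targets = {d for _, d, _ in span}
            if len(accounts) >= min_accounts and len(targets) >= min_targets:
                cand = (len(accounts), len(targets))
                best = cand if best is None or cand > best else best
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, (n_acct, n_tgt) in find_spraying_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {n_acct} account names against {n_tgt} hosts in 60s")
```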
Computers infected with the malware redirect the user to a “.onion” Tor domain, where they are asked to pay 0.05 Bitcoin (roughly $276 USD) in exchange for their data. A countdown on the site shows how much time remains before the ransom price goes up.
Research from security firm Kaspersky suggests this is an attack on corporate networks; it has affected the Interfax news agency and other publishers in Russia. In Ukraine, Kiev’s public transport system and the Ministry of Infrastructure were also reportedly hit, and Odessa airport has apparently been affected too.
Additionally, several organizations in the US, Turkey, Germany, and many other countries are also affected. As this is an ongoing event, more organizations are expected to be impacted by this ransomware.
To avoid Bad Rabbit ransomware and other file-encrypting infections in the future, make sure that the following simple recommendations are implemented in your security strategy:
These techniques are certainly not a cure-all, but they will add an extra layer of protection to your security setup.