The Bad Rabbit malware was disguised as a Flash update

Adjust Comment Print

After the drama caused by the WannaCry and NotPetya earlier this year, was there ever any doubt that a fresh ransomware campaign would emerge at some point?

Bad Rabbit ransomware is a modified version of the NotPetya malware, the outbreak of which was recorded in July.

While most of the ransomware's victims have been in Russia, Kaspersky Lab also noted attacks in Ukraine, Turkey and Germany. "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer", Kaspersky said.

Called Bad Rabbit, the malware initially struck computers mostly in Russian Federation, and also Ukraine, Bulgaria, Turkey and Germany.

This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as Windows SMB (server message block) to proliferate, says Talos. "It is rumored to contain the same password stealing and spreading mechanism as NotPetya, allowing it to traverse an enterprise and cripple it in no time", Chester Wisniewski, principal research scientist at Sophos told us.

Once a computer is infected, the data is encrypted and the perpetrators ask for.05 Bitcoins (Rs 17,800 approximately) as ransom.

Like this story? Share it!

Stephen Curry to be fined $50K for mouthpiece incident, won't face suspension
Curry threw his mouthpiece in the direction of the official and was tossed by referee Scott Wall. Kevin Durant was also ejected after appearing to direct an obscene gesture at the Memphis crowd.

Bad Rabbbit appears to have some similarities to Nyetya, says Cisco Systems' Talos threat intelligence blog, "in that it is also based on Petya ransomware".

CISOs are holding their breath and hoping that the latest ransomware strain being detected in Eastern Europe and Russian Federation isn't the beginning of a widespread campaign.

"CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a strategic web compromise attack on 24 October 2017".

They also discuss that since Bad Rabbit will clear the event logs and create various scheduled tasks under the names Drogon, Rhaegal, and Viserion, you can monitor the event logs for this type of activity.

The US Department of Homeland Security did not identify any American victims, but has advised the public to refrain from paying ransoms. (Flash Player, both real and fake, is a favorite cybercriminal tool.) The initial infections came from Russian-language news sites, one of which seemed to have been actively infecting visitors even as it reported on the malware outbreak. Critical institutions that are essential to everyday life were the targets and were infected in a such a short amount of time.

"Currently, it's unclear as to whether or Bad Rabbit will be able to reap the same damage as WannaCry, but undoubtedly businesses will be holding their breath", Jamie Graves, CEO of security firm ZoneFox, said in an email to Newsweek. Where endpoints are not yet updated to detect these zero-day attacks, cloud app threat protection can serve as an organization's first line of defense. As usual with ransomware, Bad Rabbit encrypts all files on a device and locks the user out of the device until their ransom is paid.