Bad Rabbit ransomware is spread through “drive-by attacks” via compromised, insecure websites. “While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure,” according to an analysis by Kaspersky Lab.
In this case, the malware is disguised as an Adobe Flash installer. When the innocent-looking file is opened, it starts locking the infected computer. The malware does not install automatically: the user has to run it for it to work.
If someone runs the malicious installer – and given how often Flash updates are released, that is very likely – their computer is locked. The ransom note and payment page demand around $280 in Bitcoin and give 40 hours to pay. The DiskCryptor software is used to encrypt the hard drives.
According to the security company ESET, which published a blog post on Bad Rabbit, several Russian (.ru) domains are affected. Kaspersky adds that “all” the compromised websites it saw were news or media websites.
“Most of the targets are in Russia,” said Kaspersky. “Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. According to KSN statistics, there are almost 200 targets in total.” These included the Kyiv subway and Odesa airport. In response, the Ukrainian national computer emergency response team issued a warning regarding Bad Rabbit.
No attacks have been observed in the UK to date. We recommend installing all available security updates for your software.
Where is Bad Rabbit ransomware from?
It was not possible to assign the ransomware to a country or group of hackers. An analysis by the security company Malwarebytes revealed several similarities with NotPetya.
Malwarebytes’ analysis concluded that Bad Rabbit was “likely created by the same authors” as NotPetya. Further investigation by Cisco’s Talos revealed that Bad Rabbit exploits SMB via the NSA’s EternalRomance exploit.
After the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now that the initial panic has subsided, it is possible to understand what is actually going on.
Cyber-attacks hit organizations across Russia and Eastern Europe
Organizations across Russia and Ukraine, as well as a few in Germany and Turkey, have fallen victim to ransomware. Avast researchers say they also discovered the malware in Poland and South Korea.
Russian cybersecurity firm Group-IB has confirmed that at least three media organizations in the country have been affected by file-encrypting malware, while Russian news agency Interfax said its systems had been hit by a “hacker attack” and were taken offline as a result of the incident.
Other organizations in the region, including Odesa International Airport and the Kyiv Metro, have also stated that they were victims of a cyber attack, while CERT-UA, the Ukrainian computer emergency response team, announced the “possible start of a new wave of cyberattacks on Ukraine’s information resources” when reports of Bad Rabbit infections surfaced.
At the time of writing, there are believed to be close to 200 infected targets, which suggests this is not an attack on the scale of WannaCry or Petya, but it is still causing problems for the infected organizations.
“The overall prevalence of known samples is relatively low compared to other ‘common’ strains,” said Jakub Kroustek, malware analyst at Avast.
It is based on Petya/NotPetya
If the ransom note sounds familiar, it’s because it is almost identical to the one seen by victims of the Petya outbreak in June. The similarities aren’t just cosmetic – Bad Rabbit shares some under-the-hood elements with Petya, too.
Analysis by Crowdstrike researchers found that Bad Rabbit and NotPetya’s Dynamic Link Library (DLL) share 67% of the same code, suggesting that the two ransomware flavors are closely related, if not operated by the same threat actor.
It spreads via fake Flash updates on compromised websites
The main means of spreading Bad Rabbit is drive-by downloads on hacked websites. No exploits are used; instead, visitors to compromised websites – some of which have been compromised since June – are told that they need to install a Flash update. Of course, this is not a Flash update but a malicious installer that drops the malware.
It can spread laterally across networks
Much like Petya, Bad Rabbit has a powerful trick up its sleeve: it includes an SMB component that allows it to move laterally across an infected network and spread without user interaction, according to Cisco Talos researchers.
What helps Bad Rabbit spread is a hard-coded list of simple username and password combinations that it can use to move around networks. The list consists of many of the usual weak-password suspects, such as simple sequences of digits and “password”.
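As an added example (not code from the article or from any of the vendors it cites), here is a small detection that looks for the pattern described above: one host failing logons against many machines in quick succession with a short list of common credentials, then succeeding somewhere. The log layout, thresholds and sample records are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry). The layout
# "time source target user result" is an assumption for this example;
# in practice the fields come from Windows 4624/4625 or SMB server logs.
SAMPLE_LOG = """\
2017-10-24T10:00:01 10.0.0.5 FS01 administrator FAIL
2017-10-24T10:00:02 10.0.0.5 FS01 admin FAIL
2017-10-24T10:00:03 10.0.0.5 FS02 administrator FAIL
2017-10-24T10:00:04 10.0.0.5 FS02 admin FAIL
2017-10-24T10:00:05 10.0.0.5 WKS07 administrator FAIL
2017-10-24T10:00:06 10.0.0.5 WKS07 user FAIL
2017-10-24T10:00:07 10.0.0.5 WKS08 administrator SUCCESS
2017-10-24T10:05:00 10.0.0.9 FS01 alice FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Yield (timestamp, source, target, user, result) tuples."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, user, result = m.groups()
            yield datetime.fromisoformat(ts), src, dst, user, result


def find_spraying_sources(log_text, window=timedelta(minutes=2),
                          min_targets=3, min_failures=5):
    """Flag sources with >= min_failures failed logons against >= min_targets
    distinct hosts inside a sliding time window; note any success in it."""
    by_src = defaultdict(list)
    for ev in sorted(parse(log_text)):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > window:  # slide window forward
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if e[4] == "FAIL"]
            targets = sorted({e[2] for e in fails})
            if len(fails) >= min_failures and len(targets) >= min_targets:
                alerts[src] = {"targets": targets, "failures": len(fails),
                               "success_in_window": any(e[4] == "SUCCESS" for e in win)}
    return alerts
```

A single source failing against several hosts and then succeeding is the signal to act on: isolate the source host and check the credentials it succeeded with, since the spread needs no user interaction from that point.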
It is not indiscriminate
Whereas hundreds of thousands of systems worldwide fell victim to ransomware during the WannaCry outbreak, Bad Rabbit does not seem to infect targets indiscriminately; researchers have instead suggested that it infects only selected targets.
Meanwhile, ESET researchers say the script instructions injected into infected websites “can determine if the visitor is of interest and then add content to the page” when the target is deemed appropriate for infection.
At this point, however, there is no obvious reason why media organizations and infrastructure in Russia and Ukraine were specifically targeted in this attack.