A new ransomware strain, dubbed “Bad Rabbit”, has been spreading quickly through Europe in the past few months. The Petya-like attack (27% of Bad Rabbit’s code has been seen in Petya samples) has struck corporate and personal networks alike via “drive-by” downloads. An initial analysis by Kaspersky Lab states that the malware is delivered through compromised websites that serve a fake Adobe Flash Player installer; no exploit is used in distribution, so the victim must manually run the dropper for the infection to start.
Once executed, Bad Rabbit scans the internal network for reachable SMB (Server Message Block) shares and tries a hardcoded list of commonly used usernames and passwords against them to spread. It also carries the post-exploitation tool “Mimikatz” to extract credentials from memory on the infected host and reuse them against other machines. This is notable because it marks a new wave of ransomware that spreads without the “EternalBlue” exploit, the one WannaCry and Petya used to move through networks. The same report also stated that numerous compromised distribution websites had been detected, “all of which were news or media websites.”
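The lateral-movement behaviour described above (one host trying many accounts against many SMB targets in a short burst, then logging in successfully with a harvested credential) is visible in Windows Security logs as a run of failed network logons (event 4625, logon type 3) followed by a success (event 4624). The detector below is an added example, not code from the article or from Kaspersky; the pipe-delimited log format, the sample events and the account names are constructed for illustration (they are not Bad Rabbit’s actual credential list), and the thresholds are assumptions to tune per environment.

```python
"""Flag SMB credential-guessing bursts in Windows Security events.

Added example; the log layout is a constructed simplification of a SIEM
export (timestamp | event_id | source_ip | target_host | account | logon_type),
not the native EVTX format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs and logon type.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
NETWORK_LOGON_TYPE = 3  # SMB authentication shows up as a type-3 (network) logon

# Detection thresholds: assumptions for this example, tune to your environment.
WINDOW = timedelta(minutes=5)
MIN_ACCOUNTS = 5   # distinct accounts tried from one source inside the window
MIN_TARGETS = 2    # distinct hosts targeted from one source inside the window

# Constructed sample events (not real telemetry): 10.0.0.5 sprays a credential
# list at two hosts and then succeeds on one; 10.0.0.9 is a user mistyping a
# password once; 10.0.0.7 is an interactive (type 2) failure and is ignored.
SAMPLE_LOG = """\
2017-10-24T13:00:01 | 4625 | 10.0.0.5 | 10.0.0.20 | Administrator | 3
2017-10-24T13:00:02 | 4625 | 10.0.0.5 | 10.0.0.20 | admin | 3
2017-10-24T13:00:03 | 4625 | 10.0.0.5 | 10.0.0.20 | user | 3
2017-10-24T13:00:04 | 4625 | 10.0.0.5 | 10.0.0.20 | guest | 3
2017-10-24T13:00:05 | 4625 | 10.0.0.5 | 10.0.0.21 | root | 3
2017-10-24T13:00:06 | 4625 | 10.0.0.5 | 10.0.0.21 | test | 3
2017-10-24T13:00:09 | 4624 | 10.0.0.5 | 10.0.0.21 | backup | 3
2017-10-24T13:07:00 | 4625 | 10.0.0.9 | 10.0.0.20 | jsmith | 3
2017-10-24T13:07:20 | 4624 | 10.0.0.9 | 10.0.0.20 | jsmith | 3
2017-10-24T13:08:00 | 4625 | 10.0.0.7 | 10.0.0.30 | svc_sql | 2
"""


def parse_event(line):
    """Parse one pipe-delimited record into a dict."""
    ts, eid, src, target, account, ltype = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "event_id": int(eid), "src": src,
            "target": target, "account": account, "logon_type": int(ltype)}


def load_events(text):
    """Parse a whole log export, skipping blank lines."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def detect_credential_guessing(events, window=WINDOW,
                               min_accounts=MIN_ACCOUNTS, min_targets=MIN_TARGETS):
    """Return one alert per source whose network-logon failures within `window`
    cover at least `min_accounts` accounts and `min_targets` hosts. Each alert
    also lists successful network logons from that source after the burst began,
    which is where the harvested or guessed credential was actually used."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == NETWORK_LOGON_TYPE:  # only SMB-style logons matter here
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            # Slide the window forward so it spans at most `window` of time.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            win = failures[start:end + 1]
            if (len({e["account"] for e in win}) >= min_accounts
                    and len({e["target"] for e in win}) >= min_targets):
                first_ts = win[0]["ts"]
                # Report the whole burst from its first failure, not just the
                # prefix that tripped the threshold.
                burst = [e for e in failures if first_ts <= e["ts"] <= first_ts + window]
                compromised = [(e["target"], e["account"]) for e in evs
                               if e["event_id"] == SUCCESS_LOGON and e["ts"] >= first_ts]
                alerts.append({
                    "src": src,
                    "first_seen": first_ts,
                    "accounts": sorted({e["account"] for e in burst}),
                    "targets": sorted({e["target"] for e in burst}),
                    "compromised": compromised,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_guessing(load_events(SAMPLE_LOG)):
        print(alert)
```

A single source producing failures across several accounts and hosts within minutes is the signature of a hardcoded credential list being walked, and a 4624 from the same source shortly afterwards is the host worth isolating first.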
After spreading through a network, Bad Rabbit uses DiskCryptor, an open-source full-disk encryption tool, to encrypt the victim’s disk; the encryption keys are protected with a 2048-bit RSA public key, so the data cannot be recovered without the attacker’s matching private key. A ransom note then appears on screen directing victims to a Tor (.onion) site to make an initial payment of 0.05 bitcoin (roughly $285 at the time) in exchange for the decryption key. A countdown timer, initially set to about 40 hours, is also displayed, with the threat that the price will rise if no payment is made before it expires.
Affected organizations include the Russian news agencies Interfax and Fontanka, as well as payment systems used by the Kiev Metro, Odessa International Airport, and the Ukrainian Ministry of Infrastructure. Interfax was hit particularly hard: 24 hours after the attack its website still displayed the message “our service is temporarily unavailable.”
The head of the Russian cyber-security firm Group-IB, Ilya Sachkov, says, “In some of the companies, the work has been completely paralyzed – servers and workstations are encrypted.” U.S. officials have stated that they have “received numerous reports of BadRabbit ransomware infections in many countries around the world.” The Russian central bank released a statement that Bad Rabbit attacks had been recorded against several of the top 20 Russian financial institutions, but that none had been compromised.
So far, attacks have been heavily concentrated in Russia, though infections have also been recorded in Ukraine, Turkey, and Germany. Analysis of Bad Rabbit is ongoing, both to find a way to decrypt affected computers without paying and to stop it from spreading further.
According to VirusTotal, the malware is still undetected by the majority of anti-virus products. For now, Kaspersky Lab suggests disabling the WMI service on your computers, where feasible, to prevent the malware from spreading across your network, and changing any default credentials in use on the network, since the worm relies on a list of common ones.