Computers in several European countries are going down due to a new strain of malware dubbed the ‘Bad Rabbit’ ransomware.
Countries in Europe are now facing another cybersecurity threat. This time, they are fighting against the so-called Bad Rabbit ransomware that was unleashed by an unknown group of cybercriminals.
According to reports, the ransomware started infecting computer systems on Tuesday, October 24th. Based on initial investigations and the way organizations have been hit, the malware appears to be a new variant of the WannaCry and Petya ransomware, which cost large enterprises billions of dollars in losses earlier this year.
After what experts deemed an initial attack, people are now left wondering: what exactly is the Bad Rabbit ransomware?
Countries Affected by the Bad Rabbit Ransomware
Initial reports suggest that the scope of the attack extends to organizations in several European and Asian countries. This includes Russia, Ukraine, Germany, and Turkey. However, security experts from Avast said that the malware was also detected in Poland and South Korea.
Group-IB, a Russian cybersecurity firm, has already confirmed that the Bad Rabbit ransomware hit three media companies in the country. Other organizations known to have been affected by the cyber attack were the Odessa International Airport and Kiev Metro in Ukraine.
Bad Rabbit is no Doubt a Ransomware Suite
The malware attack has all the makings of a typical ransomware suite. Victims were presented with a note telling them that their files have been encrypted and that they won’t be able to access them without a decryption key. Victims are then redirected to a Tor payment page showing a countdown timer.
According to the actual ransom note, victims must pay 0.05 bitcoin, or around $285, for the decryption services within 40 hours. Otherwise, the fee will be increased. ZDNet reported that the encryption uses DiskCryptor, an open-source tool for full-drive encryption, and that the keys are generated via CryptGenRandom.
Be Wary of a Fake Flash update
According to investigations, the Bad Rabbit ransomware spreads via downloads from hacked websites. As in a phishing attack, visitors to the compromised sites are prompted to install a Flash update, which is not an update at all but the malware installer.
Bad Rabbit is Based on Petya/Not Petya (?)
If you happen to see a copy of the ransom note, you’ll definitely notice the strong resemblance to June’s Petya attack. If you think the two only share the interface design, you’ll be in for a surprise: security experts found that the two ransomware suites also share some ‘behind-the-scenes’ elements.
CrowdStrike, a California-based cybersecurity company, found that the dynamic link libraries (DLLs) of Bad Rabbit and Petya share 67 percent of the same code, suggesting a close relationship between the two.
Bad Rabbit Spreads Laterally Across Networks
Like Petya, the Bad Rabbit ransomware has an SMB component that enables it to move laterally across an affected network and spread rapidly via user interaction. Bad Rabbit tries username and password combinations to brute-force its way across the network.
The Cybercriminals are Still Unknown
Currently, it is still unknown who is behind the distribution of the Bad Rabbit ransomware. However, its similarity to Petya has given experts reason to believe that the culprits behind the Petya attack are the same as those behind Bad Rabbit.
Still, what puzzles analysts is that the attackers also hit Russia, which had previously been deemed the source of the Petya attack.
Protection From Bad Rabbit
It is still unknown whether files encrypted by the Bad Rabbit malware can be unlocked without paying the ransom. Most security vendors claim that their products protect against the ransomware. But if you want to be sure, Kaspersky said that you can block execution of the files ‘C:\Windows\infpub.dat’ and ‘C:\Windows\cscc.dat’ to prevent infection.
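One way to put that advice into practice, as an added example that is not from the article or from Kaspersky: pre-create the two file paths named above and set a deny ACL on them, so that a dropper cannot write or run them. Assumes an elevated PowerShell session on Windows; the deny-ACL approach is this example's own choice, not necessarily the vendor's exact method.

```powershell
# Added example (not the article's or Kaspersky's own script).
# Pre-creates the two paths the article names and denies all access to
# them for Everyone, so the files can neither be overwritten nor executed.
# Assumption: run as Administrator; undoing it requires taking ownership.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

# File paths quoted in the article as the ones to block.
$paths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Create an empty placeholder so the path is already occupied.
        New-Item -ItemType File -Path $path -Force | Out-Null
        Write-Host "Created placeholder $path"
    } else {
        # The file already exists: report it so an analyst can inspect it
        # before trusting it as a placeholder.
        Write-Warning "$path already exists; inspect it before continuing."
    }

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting permissions from C:\Windows and discard inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Deny Everyone (well-known SID S-1-1-0) full control of the file.
    $everyone = New-Object Security.Principal.SecurityIdentifier('S-1-1-0')
    $deny = [Security.AccessControl.FileSystemAccessRule]::new($everyone, 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl

    Write-Host "Access denied for Everyone on $path"
}
```

Verify afterwards with `Get-Acl -LiteralPath C:\Windows\infpub.dat | Format-List`, which should show the single Deny entry and no inherited rules.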