‘Bad Rabbit’ – Petya-like Ransomware Proliferates Widely in Europe

In Capsule:

  1. A new ransomware named ‘Bad Rabbit’ has been found spreading across European countries
  2. Russia, Ukraine, Bulgaria, Germany, and Turkey are the nations affected to date
  3. ‘Bad Rabbit’ shows characteristics similar to the Petya and NotPetya ransomware
  4. The ransomware was spread via a fake Adobe Flash Player update using the EternalBlue exploit
  5. ‘Bad Rabbit’ demands a ransom of 0.05 Bitcoin

A new Petya-like ransomware named Bad Rabbit was discovered spreading in many European countries, affecting both government and private organizations.

The ransomware has already spread across countries including Russia, Ukraine, Bulgaria, Germany, and Turkey.

According to reports, Odessa airport in Ukraine, the Russian Ministry of Infrastructure, the Kiev subway system in Ukraine and Russian news agencies such as Interfax and Fontanka are among the reported victims of Bad Rabbit.

Researchers said that initial analysis showed the ransomware was spread via a fake Flash Player update using EternalBlue, the same leaked NSA exploit that WannaCry and Petya used to spread.

Researchers at ESET said that “the malware used for the cyber attack was Diskcoder.D, a new variant of ransomware known also as Petya”.

They also added that they have discovered hundreds of occurrences of Diskcoder.D, most of them in Russia and Ukraine. There were some reports of attacks in Turkey, Bulgaria and other countries.

Bad Rabbit uses the Mimikatz tool to extract credentials from the affected system, along with a hardcoded list of commonly used credentials, and it also tries to access servers and workstations over SMB and WebDAV.

According to the researchers from ESET, the way the ransomware operates has some similarities to NotPetya. First, a pop-up window appears asking the user to download an update for Flash Player.

When the user clicks the install button, a download of an executable file from 1dnscontrol[.]com is initiated; this executable, install_flash_player.exe, is the dropper for Win32/Filecoder.D.
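The dropper chain just described, turned into a defender's check as an added example (not code from the original article or from ESET): the function scans web-proxy log lines for any download from 1dnscontrol[.]com, or for install_flash_player.exe served from anywhere other than Adobe's own site. The log format and sample lines are constructed for this example, and treating `adobe.com` as the only legitimate source of that file name is an assumption.

```powershell
# Added example: flag proxy log entries matching the Bad Rabbit dropper chain.
# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
function Find-BadRabbitDownload {
    param([string[]]$LogLines)

    $KnownDomain = '1dnscontrol.com'           # dropper host named in the article (defanged there)
    $DropperName = 'install_flash_player.exe'  # file name of the dropper
    $TrustedHost = 'adobe.com'                 # assumption: only legitimate source of that file name

    foreach ($Line in $LogLines) {
        $Fields = $Line -split '\s+'
        if ($Fields.Count -lt 5) { continue }
        $Url = $Fields[3]
        try { $Uri = [System.Uri]$Url } catch { continue }   # skip lines that are not a URL

        $Reason = $null
        if ($Uri.Host -eq $KnownDomain -or $Uri.Host.EndsWith(".$KnownDomain")) {
            $Reason = 'download from known Bad Rabbit host'
        } elseif ($Uri.AbsolutePath.EndsWith("/$DropperName") -and
                  -not ($Uri.Host -eq $TrustedHost -or $Uri.Host.EndsWith(".$TrustedHost"))) {
            $Reason = 'Flash installer served from non-Adobe host'
        }
        if ($Reason) {
            [pscustomobject]@{ Time = $Fields[0]; Client = $Fields[1]; Url = $Url; Reason = $Reason }
        }
    }
}

# Constructed sample lines: two benign requests and two that should be flagged.
$Sample = @(
    '2017-10-24T13:02:11Z 10.1.4.22 GET http://compromised-site.example/news/ 200',
    '2017-10-24T13:02:15Z 10.1.4.22 GET http://1dnscontrol.com/install_flash_player.exe 200',
    '2017-10-24T13:05:40Z 10.1.7.9  GET http://get.adobe.com/flashplayer/ 200',
    '2017-10-24T13:06:02Z 10.1.9.3  GET http://cdn.update-host.example/install_flash_player.exe 200'
)
Find-BadRabbitDownload -LogLines $Sample | Format-Table -AutoSize
```

Pipe real proxy export lines into `-LogLines` after adjusting the field index to your log format; a hit on the second rule is worth investigating even if the host is not yet on any blocklist.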

After that, it encrypts the files and shows a ransom note demanding that the user pay 0.05 Bitcoin (around $280).

The ransom note states that the user has 40 hours to pay, or else the amount will be increased.

The ransomware's source code contains references to various Game of Thrones characters and dragons.

Christiaan Beek, Lead Scientist and Principal Engineer at McAfee, has released the following list of file types targeted by Bad Rabbit:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

Researchers from Kaspersky have advised users to follow the instructions below to prevent Bad Rabbit ransomware from infecting their systems:

  1. Block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat
  2. Disable the WMI service (if possible in your environment) to prevent the malware from spreading over your network
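The two Kaspersky steps above, implemented for a single host as an added PowerShell example (this is not Kaspersky's own script). It assumes an elevated session, and `$DisableWmi` is a hypothetical switch you set to `$true` only after confirming that nothing in your environment depends on WMI.

```powershell
# Added example: create placeholder copies of the two files Bad Rabbit drops and
# deny every account all access to them, so the dropper can neither write nor run them.
# Assumption: run as an administrator; $DisableWmi is a hypothetical switch.
$DisableWmi = $false
$Targets = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($Path in $Targets) {
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    (Get-Item -LiteralPath $Path).IsReadOnly = $true

    # Stop inheriting the C:\Windows ACL and add an explicit Deny for Everyone.
    # A Deny ACE wins over any Allow ACE, so the file cannot be executed or overwritten.
    $Acl = Get-Acl -LiteralPath $Path
    $Acl.SetAccessRuleProtection($true, $false)
    $Deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'FullControl', 'Deny'
    $Acl.AddAccessRule($Deny)
    Set-Acl -LiteralPath $Path -AclObject $Acl
    Write-Output "Locked $Path"
}

# Optional second step: stop the WMI service and keep it from starting again.
if ($DisableWmi) {
    Stop-Service -Name winmgmt -Force
    Set-Service -Name winmgmt -StartupType Disabled
    Write-Output 'WMI service (winmgmt) stopped and disabled'
}

# Verify: each file should show a single Deny entry for Everyone and nothing inherited.
foreach ($Path in $Targets) {
    Get-Acl -LiteralPath $Path | Select-Object -ExpandProperty Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}
```

The owner of the placeholder files (the account that ran the script) keeps the right to change their ACL, so the change can be reverted later with Set-Acl if needed.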

It is still unclear who is behind the attack and whether the files can be decrypted without paying the ransom.

Here is the list of compromised websites:


Our team will update you with further details on Bad Rabbit as they become available!

To protect yourself from Bad Rabbit ransomware, follow the instructions below:

  1. Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches. In this case, especially check that the patch for the EternalBlue vulnerability is installed.
  2. Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  3. Maintain updated antivirus software on all systems.
  4. Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization’s website directly through the browser.
IT Informer
I am experienced in WordPress, SEO and Social Media Marketing, with extensive experience in forecasting and data analysis. My passion is website speed optimization. IT Informer is a place where I and my colleagues follow the latest IT trends.
