- A new ransomware named ‘Bad Rabbit’ has been found spreading across European countries
- Russia, Ukraine, Bulgaria, Germany, and Turkey are the nations affected to date
- ‘Bad Rabbit’ shows characteristics similar to the Petya and NotPetya ransomware
- The ransomware was spread via a fake Adobe Flash Player update using the EternalBlue exploit
- ‘Bad Rabbit’ demands a ransom of 0.05 Bitcoin
A new Petya-like ransomware named Bad Rabbit was discovered spreading in many European countries, affecting both government and private agencies.
The ransomware has already spread across countries including Russia, Ukraine, Bulgaria, Germany, and Turkey.
According to reports, Odessa airport in Ukraine, the Russian Ministry of Infrastructure, the Kiev subway system in Ukraine, and Russian news agencies such as Interfax and Fontanka are on the list of Bad Rabbit victims.
Researchers said that initial analysis showed the ransomware was spread via a fake Flash Player update using EternalBlue, the same leaked NSA exploit that WannaCry and Petya used to spread.
Researchers at ESET said that “the malware used for the cyber attack was Diskcoder.D, a new variant of ransomware known also as Petya”.
They also added that they have discovered hundreds of occurrences of Diskcoder.D, most of them in Russia and Ukraine. There were also some reports of attacks in Turkey, Bulgaria and other countries.
Bad Rabbit uses the Mimikatz tool to extract credentials from the affected system, along with a hardcoded list of commonly used credentials, and it also tries to access servers and workstations using SMB and WebDAV.
According to the researchers from ESET, the way the ransomware works has some similarities to NotPetya. First, a pop-up window appears asking the user to download an update for Flash Player.
When the user clicks the install button, a download of an executable file from 1dnscontrol[.]com is initiated; this executable, install_flash_player.exe, is the dropper for Win32/Filecoder.D.
After that, it encrypts the files and shows a ransom note demanding that the user pay 0.05 Bitcoin (around $280).
The ransom note states that the user has 40 hours to pay, after which the amount will be increased.
The ransomware's source code contains references to various Game of Thrones characters and dragons.
Christiaan Beek, Lead Scientist and Principal Engineer at McAfee, has released a list of file types targeted by Bad Rabbit, given below:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Researchers from Kaspersky have advised users to follow the instructions below to prevent Bad Rabbit ransomware from infecting their systems:
- Block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat
- Disable the WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network
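The following PowerShell script is an added example, not Kaspersky's or ESET's own tooling, showing one way to apply and then verify the two mitigations above on a single Windows host. The two file paths are the ones named in the advisory; the choice to "block execution" by creating an empty placeholder file and attaching a deny ACL for Everyone is this example's own, as is the script name used in the usage note.

```powershell
#Requires -RunAsAdministrator
# Added example (not the advisory's own code): enforce and verify the two
# Bad Rabbit mitigations quoted above on one Windows host.
param(
    [switch]$DisableWmi   # opt in only: many management agents depend on WMI
)

# File paths named in the advisory.
$BlockedFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

# Well-known SID for Everyone, so the check does not depend on the localized group name.
$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# ExecuteFile denies the right needed to map the file as executable code;
# Write and Delete stop a dropper from simply replacing the placeholder.
$DeniedRights = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, Write, Delete'

function Block-FileExecution {
    param([Parameter(Mandatory)][string]$Path)

    # Create an empty placeholder if the file is not already present, so the
    # deny ACE is in place before anything tries to drop the real file there.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Everyone, $DeniedRights,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-FileExecutionBlocked {
    # Returns $true only if the file exists and carries a Deny ACE for Everyone
    # that covers ExecuteFile. Suitable as a compliance check after rollout.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $denies = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Everyone -and
        (([int]$_.FileSystemRights) -band $execBit) -ne 0
    }
    return [bool]$denies
}

function Disable-WmiService {
    # Winmgmt is the Windows Management Instrumentation service.
    Stop-Service -Name Winmgmt -Force
    Set-Service  -Name Winmgmt -StartupType Disabled
}

foreach ($file in $BlockedFiles) {
    Block-FileExecution -Path $file
    '{0}: execution blocked = {1}' -f $file, (Test-FileExecutionBlocked -Path $file)
}

if ($DisableWmi) {
    Disable-WmiService
    'Winmgmt startup type: {0}' -f (Get-Service -Name Winmgmt).StartType
}
```

Run it from an elevated prompt as, for example, `.\Block-BadRabbit.ps1` (add `-DisableWmi` only where the advisory's "if it's possible in your environment" caveat is satisfied). The deny ACE applies to administrators as well, which is intentional; to undo it later, take ownership of the placeholder file and remove the rule. `Test-FileExecutionBlocked` is the piece worth keeping in a fleet-wide compliance job, since it reports drift if the placeholder is removed or its ACL changed.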
It is still unclear who is behind the attack and whether the files can be decrypted without paying the ransom.
Here is the list of compromised websites:
Our team will update you promptly with further details on Bad Rabbit!
To protect yourself from Bad Rabbit ransomware, follow the instructions below:
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches. In this case, especially check that the EternalBlue vulnerability patch is applied.
- Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain updated antivirus software on all systems.
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization’s website directly through the browser.