Bad Rabbit Ransomware Outbreak: 7 Things You Need To Know
26 October 2017 00:00
When news broke of the third major ransomware outbreak of the year, there was lots of confusion. Now the dust has settled, we can dig down into what exactly “Bad Rabbit” is.
The Bad Rabbit ransomware started infecting systems earlier this week and rightfully drew comparisons with the huge epidemics of WannaCry and Petya.
So what do we know about this new ransomware campaign?
#1 One thing’s for sure - it’s Ransomware
Like most ransomware campaigns, this one isn’t created to be subtle. The victims of the attack would have quickly realised that something was wrong, as they’re presented with a typical ransom note explaining that their computer files are now encrypted.
The victim is then directed to a Tor payment page, with the criminals demanding 0.05 bitcoin (approx. $285). The user is also presented with a timer, giving them a couple of days to pay up - otherwise, the fee will increase.
But, as most of us know, paying the ransom is never a good idea, as cyber criminals usually have no intention of restoring access (here we cover why you should NEVER pay the ransom).
The encryption uses DiskCryptor, which is legitimate open-source software used for full-drive encryption. Keys are generated using CryptGenRandom and then protected by a hard-coded RSA-2048 public key.
#2 The attack has hit high profile organisations in Russia and Eastern Europe
Researchers have found a long list of countries that have fallen victim to the outbreak - including Russia, Ukraine, Germany, Turkey, Poland and South Korea.
Three media organisations in Russia, as well as Russian news agency Interfax, have all reported file-encrypting malware or “hacker attacks”, having been taken offline by the campaign.
Other high-profile organisations in the affected regions include Odessa International Airport and Kiev Metro. This has led the Computer Emergency Response Team of Ukraine to post that the “possible start of a new wave of cyber attacks to Ukraine’s information resources” had occurred.
#3 A fake Flash update on compromised websites is the main cause of the spread
We often talk about end users being the weakest link of the cyber security chain - and Bad Rabbit has only reinforced the message. The ransomware spreads by ‘drive-by downloads’: visitors to compromised websites are prompted to install a fake Adobe Flash update, and running that installer infects the machine.
#4 It can spread laterally across networks
Similar to Petya, the Bad Rabbit Ransomware attack contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction.
The spread of Bad Rabbit is made easy by the simple username and password combinations it tries in order to force its way across networks. Its list of weak passwords consists of the often-seen, easy-to-guess ones - such as “12345”-style combinations or a password simply set to “password”.
#5 Whoever’s behind it, they’re a fan of Game of Thrones...
The attackers behind the Bad Rabbit ransomware have scattered Game of Thrones references (Viserion, Drogon and Rhaegal - dragons from the series) in their code.
Not sure how much this helps, as it’s pretty damn hard to find someone who isn’t a fan.
#6 It may have had selected targets
When WannaCry broke, systems all across the world were affected by an apparent indiscriminate attack. Bad Rabbit, on the other hand, might have targeted corporate networks.
Researchers at ESET have backed this idea up, claiming that the script injected into infected websites can determine whether the visitor is of interest and only then inject the malicious content into the page - if the target is seen as suitable for infection.
#7 There are steps you can take to keep safe
At this moment in time, nobody knows whether it is possible to decrypt files that are locked by Bad Rabbit. Some might suggest paying the ransom and seeing what happens… Bad idea.
It’s quite reasonable to think that nearly $300 is worth paying for what might be highly important and priceless files, but paying the ransom almost never results in regaining access, nor does it help the fight against ransomware - an attacker will keep targeting as long as they’re seeing returns.
A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t fall victim to the attack, Kaspersky Lab says users can block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in order to prevent infection.
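One way to put that advice into practice on a Windows machine is shown below. This is an added example, not code from the article or from Kaspersky Lab; it assumes that pre-creating the two named files and denying all access to them (with a Deny ACL for Everyone) is an acceptable way to stop them being written or executed, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the article or Kaspersky Lab): pre-create the two file
# paths the article names and deny all access to them, so the dropper can
# neither write nor execute its own copies. Run from an elevated PowerShell.
# Assumption: "block execution" is enforced here with a Deny/FullControl ACE.

$paths = @(
    "$env:SystemRoot\infpub.dat",
    "$env:SystemRoot\cscc.dat"
)

# Well-known SID for Everyone (S-1-1-0), used instead of a localised name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Create an empty placeholder so the malware's file cannot take its place.
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting permissions from C:\Windows and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that remain.
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    # Deny everything (read, write, execute, delete) to Everyone.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, "FullControl", "Deny")
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl

    Write-Host "Locked down $path"
}

# Verify: each file should now carry a single Deny/FullControl entry for Everyone.
foreach ($path in $paths) {
    Write-Host "ACL for $path"
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

This only blocks the specific file names reported for this campaign, so it complements rather than replaces patching, backups and endpoint protection; to undo it later, take ownership of the two files and remove the Deny entry before deleting them.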