The Department of Homeland Security released an alert late Tuesday evening about reports of a new ransomware strain, called Bad Rabbit, spreading across several countries. As is usual with ransomware, Bad Rabbit encrypts all files on a device and locks the user out of the device until the ransom is paid. The Department of Homeland Security warns against paying the ransom; however, the countdown timer may push victims into impulsive payments.
What is Bad Rabbit Ransomware?
This ransomware appears to be a variant of Petya and even uses a similar lock-screen aesthetic. Bad Rabbit assures the victim that they can recover their files if they pay a ransom of 0.05 bitcoin within a narrow window of time. Victims are then directed to a darknet hidden service (a .onion address), so they will need to download the Tor Browser or the Orfox mobile browser in order to reach it.
[Embedded tweet from Group-IB (@GroupIB_GIB), October 24, 2017]
Once the address is reached, users are required to enter a personally assigned key. If it validates, a bitcoin account is provided for them to transfer the money to. If the victim fails to pay within the allotted time, the price increases. At the time of this writing, the starting price of 0.05 bitcoin (BTC) translates to $275.59 USD.
Who Has Been Impacted by Bad Rabbit?
As of right now, most of the impact of Bad Rabbit ransomware has been concentrated in Russia and Eastern Europe; Germany has been impacted as well. The attack was first noticed at three major media companies in Russia, including the news agencies Interfax and Fontanka. Ukraine was also impacted, specifically the Odessa airport, the Kiev subway system, and the Ministry of Infrastructure of Ukraine.
How Does this Ransomware Spread?
According to researchers from Proofpoint and Kaspersky Lab, the Bad Rabbit ransomware spread via a fake Adobe Flash installer. The attackers targeted mainly news and media websites and turned them into watering holes, i.e. vectors that distributed the fake installer to visitors. No exploit was used in the initial infection; it depends entirely on the victim agreeing to download and run Bad Rabbit. According to VirusTotal, only a few antivirus products detected Bad Rabbit at the time; many others detected nothing wrong.
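Because the initial infection relies on a user fetching a fake "Flash installer" from a compromised media site rather than on an exploit, the delivery is visible in ordinary web-proxy logs. The following is an added example (not code from the article or from any of the researchers it cites) that flags executable downloads whose filename claims to be an Adobe Flash installer but which were served from a host outside Adobe's own domains. The log format, the trusted-host list and the sample log lines are all constructed for this example; adapt the parser to your proxy's actual format.

```python
"""Flag fake "Flash installer" downloads in web-proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Assumption for this example: a genuine Flash installer is only ever served
# from Adobe's own domains. Extend the tuple if your environment differs.
TRUSTED_INSTALLER_HOSTS = ("adobe.com", "macromedia.com")

# Filenames that claim to be a Flash installer (case-insensitive).
FLASH_NAME = re.compile(
    r"(flash[_\-]?player|install[_\-]?flash|adobe[_\-]?flash).*\.(exe|msi)$", re.I
)

# Constructed log format:
# "<timestamp> <client_ip> <method> <url> <status> <content_type> <referrer>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<ref>\S+)$"
)


def host_is_trusted(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_INSTALLER_HOSTS)


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_fake_flash_downloads(lines):
    """Return (client, url, referrer) for every successfully downloaded
    Flash-named executable that came from an untrusted host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue  # malformed or the download did not succeed
        parts = urlsplit(rec["url"])
        filename = parts.path.rsplit("/", 1)[-1]
        if not FLASH_NAME.search(filename):
            continue  # not pretending to be a Flash installer
        if host_is_trusted(parts.hostname or ""):
            continue  # served from Adobe itself; plausible genuine update
        hits.append((rec["client"], rec["url"], rec["ref"]))
    return hits


# Constructed sample log: one client visits a news site and is then handed an
# "installer" from an unrelated CDN host; another fetches from Adobe directly.
SAMPLE_LOG = """\
2017-10-24T11:02:13Z 10.1.4.22 GET http://news-example.test/index.html 200 text/html -
2017-10-24T11:02:15Z 10.1.4.22 GET http://cdn-updates.example.test/adobe_flash_setup.exe 200 application/octet-stream http://news-example.test/index.html
2017-10-24T11:03:40Z 10.1.4.23 GET https://get.adobe.com/flashplayer/download/flash_player_installer.exe 200 application/octet-stream -
2017-10-24T11:05:01Z 10.1.4.24 GET http://cdn-updates.example.test/adobe_flash_setup.exe 404 text/html http://news-example.test/index.html
2017-10-24T11:07:19Z 10.1.4.25 GET http://files.example.test/report.pdf 200 application/pdf -
""".splitlines()

if __name__ == "__main__":
    for client, url, ref in find_fake_flash_downloads(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url} (referrer {ref})")
```

On the sample log only the first client's download is flagged: the fetch from get.adobe.com is allowed through, the 404 never delivered a file, and the PDF is not an installer at all. The referrer is kept in the alert because a news or media site handing out an executable is exactly the watering-hole pattern the article describes.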
Who does Bad Rabbit Ransomware Target?
So far, Bad Rabbit seems to target enterprise or corporate networks. Once one device on the network is infected, Bad Rabbit uses the EternalBlue exploit to spread to other machines on the network. Bad Rabbit therefore depends on negligent insiders and unpatched systems in order to spread effectively.
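The lateral movement described above has a network-level symptom that is easy to watch for: a single workstation that suddenly opens SMB (TCP/445) connections to many distinct internal hosts within a short window, which is what worm-like spread through an SMB exploit looks like from a flow log. The following is an added example (not code from the article) that detects that fan-out over a sliding time window. The flow-record format, the internal address ranges, the threshold and the sample records are constructed for this example.

```python
"""Flag worm-like SMB fan-out from a single internal host (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumptions for this example: these ranges are "internal", and ten distinct
# SMB peers inside five minutes is far above what a workstation normally does.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAN_OUT_THRESHOLD = 10
WINDOW = timedelta(minutes=5)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Constructed record format: '<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(port), proto


def find_smb_fan_out(lines, threshold=FAN_OUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_peer_count} for every internal source that reached
    at least `threshold` distinct internal hosts on TCP/445 inside any
    `window`-long sliding interval."""
    flows = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        ts, src, dst, port, proto = parse_flow(line)
        if proto != "TCP" or port != 445:
            continue  # only SMB is of interest here
        if not (is_internal(src) and is_internal(dst)):
            continue  # internal-to-internal movement only
        flows[src].append((ts, dst))

    alerts = {}
    for src, events in flows.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the interval fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def _rec(minute, second, src, dst, port=445, proto="TCP"):
    """Build one constructed flow record on 2017-10-24 at 12:MM:SS UTC."""
    return f"2017-10-24T12:{minute:02d}:{second:02d}Z {src} {dst} {port} {proto}"


# Constructed sample: benign client-to-server traffic, an admin touching a few
# servers, one workstation sweeping twelve hosts, and unrelated outbound HTTPS.
SAMPLE_FLOWS = (
    # Many clients to one file server: many sources, one destination, not fan-out.
    [_rec(0, i, f"10.0.1.{10 + i}", "10.0.0.5") for i in range(8)]
    # An admin box reaching three servers over three minutes.
    + [_rec(1, 0, "10.0.1.60", "10.0.0.5"),
       _rec(2, 0, "10.0.1.60", "10.0.0.6"),
       _rec(3, 0, "10.0.1.60", "10.0.0.7")]
    # One workstation opening SMB to twelve distinct hosts in under a minute.
    + [_rec(4, 5 * i, "10.0.1.50", f"10.0.1.{100 + i}") for i in range(12)]
    # Outbound HTTPS to a documentation-range address: ignored, not SMB.
    + [_rec(5, 0, "10.0.1.50", "203.0.113.10", port=443)]
)

if __name__ == "__main__":
    for src, peers in find_smb_fan_out(SAMPLE_FLOWS).items():
        print(f"ALERT {src} reached {peers} internal SMB peers within {WINDOW}")
```

Only 10.0.1.50 trips the default threshold; the file-server traffic is many-to-one rather than one-to-many, and the admin host stays under the limit. The threshold is the tuning knob: lowering it to three on the sample data also flags the admin box, which is the kind of benign fan-out (backup jobs, management consoles) that needs an allow-list in a real deployment.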
How to Protect Against Bad Rabbit Malware
Bad Rabbit depends on a few avoidable factors. The first is the negligent insider, who may have had poor cyber security training or simply not know any better. The second factor is default permissions: if any employee can download and install software, then any employee can install Bad Rabbit on your network. Lastly, and most importantly, Bad Rabbit depends on your systems being out of date. Make sure your network and every device connected to it are up to date. You can find the patch for EternalBlue here.
Be safe out there, and make sure your cyber security policies are in effect and that insiders are practicing safe browsing.