2017 has been well graced with the worst ransomware attacks. With cyber threats and other vulnerabilities wreaking havoc, Bad Rabbit is the most recent to join the wagon and third major ransomware attack. Bad Rabbit spreads through company computer networks once it has been downloaded into a single computer.
This ransomware is different from others in that it doesn’t freeze networks as seen in other ransomware a few months ago. Below is what you need to need to know about Bad Rabbit if you haven’t heard about it.
Bad Rabbit is from a family of ransomware
Ransomware is a type of malware that makes your data inaccessible until you pay some amount of money. Bad Rabbit is straightforward as it lets you know it’s a ransomware. Affected victims are presented with a note saying your files are no longer accessible. It further adds that no one can recover them without their decryption service. This means that your data is encrypted and only the attackers behind it can decrypt your file. Researchers have revealed that Bad rabbit uses Disk Cryptor with hardcoded RSA 2048 keys to encrypt files. RSA 2048 is considered unbreakable, and only the specified key can decrypt whatever was encrypted.
Unfortunate victims that were attacked with the ransomware are offered 40hours to pay 0.05 bitcoins, an equivalent of $285. The payment page features a timer, and if the countdown reaches zero before paying, the fee goes up. Based on other past attacks which used the same line, victims are advised not to pay anything.
Russia and Eastern Europe corporates are the primary targets
Compared to the rest of the world, the most hit organizations are located in Russia, Ukraine and Bulgaria. The ransomware has also attacked although in a smaller percentage in Germany and Turkey. Group-IB, a Russian Cybersecurity company, confirmed that the ransomware hit some media houses. Interfax, a Russian news agency als
o confirmed that it had been hit by what seemed like the Bad Rabbit ransomware. In Ukraine, the Odessa international airport and Kiev subway system are prominent targets of the ransomware. Ukrainian based computer emergency response team also confirmed that there’s a new wave of cyberattacks against Ukrainian information resources just as Bad Rabbit started.
Unlike WannaCry, researchers have pointed out that Bad Rabbit may not discriminate targets, although its motive is to attack corporate systems, the ransomware attacks selected targets it deems to be of interest. According to ESET researchers, the instructions loaded in the infected websites can determine if a target visiting the site is of interest. As of now, it’s only infrastructure systems and media agencies that have been hit by the ransomware.
Since its detection on the morning of October 24, Bad rabbit had infected over 200 targets by the evening. Researchers at Avast have also detected Bad Rabbit in Poland and South Korea. As of now, Bad Rabbit has spread across other countries, and it has been detected in the US too.
Bad Rabbit is based on ExPetr/Petya/Not Petya attacks
Much like ExPetr/Petya/Not Petya which occurred before Bad Rabbit, they all sport the same welcoming ransom note “If you’re seeing this text, then your files are no longer accessible…” which is almost identical.
Secure List observed that not only the message is identical, but also most elements under the hood of Bad Rabbit are similar to the aforementioned earlier attacks. For instance, when attacking corporate networks, Bad rabbit uses methods identical to those of Expetr. Crowd Strike researchers also analyze
d Bad Rabbit and found that it shares a great percentage of the code used by NotPetya DLL (Dynamic Link Library) file.
Disguises as Adobe Flash Update
Spreads via a drive-by-attack
Once Bad Rabbit has been installed in a particular system, it uses lateral movement to navigate through the entire network. Secure list noted this as a drive-by-attack. Cisco Talos also indicated that Bad Rabbit uses an SMB/SBM2/WMI to move across infected networks laterally. In their blog, Cisco Talos further adds that this ransomware does not use EternalBlue exploit like Petya rather it uses EternalRomance exploit to propagate through the network.
By taking advantage of a vulnerability in a system and using the exploit, Bad Rabbit brute-forces weak credentials (using a combination list of the username/passwords) in the network.
Who is behind Bad Rabbit? A Game of Thrones fan?
At the moment, no one has been identified or has been associated him/herself with the ransomware. But researchers are speculating that Bad Rabbit maybe another product of the group behind Petya given the similarities. Since the Petya attack in June, no one has been identified hence making it a bigger mystery. But speculations also solve some bit of puzzle; the attackers are not Russians based on the fact that Eastern Europe cybercriminals don’t attack their countries.
Another fascinating speculation is that the attacker(s) is a Game of Thrones fan probably loyal to House Targaryen. This is because researchers found popular Game of Thrones references in Bad Rabbit’s code. They included; GreyWorm, the commander of the Unsullied, and the names of the dragons; Viserion, Drogon and Rhaegal.
Measures to protect yourself against Bad Rabbit
Without any assurance that your files will be decrypted once you pay the required amount, it’s better to stay safe. At the moment Kaspersky users are in luck as they can prevent Bad Rabbit from infecting their systems.
Kaspersky advises its customers to ensure all KSN and watcher components are enabled, protection mechanisms are running as recommended and antivirus database updated immediately. For additional protection, users are advised to restrict the execution of files with the paths C:\Windows\cscc.dat and C:\windows\infpub.dat in Kaspersky Endpoint Security. For proactive defence, users should configure and enable Default Deny mode in Kaspersky Endpoint.