Bad Rabbit Ransomware Strikes Many Countries in the World

If you are on your computer today, you need to be a little more careful. A new strain of ransomware, known as “Bad Rabbit”, has been found spreading in many countries around the world.

Bad Rabbit is a previously unknown ransomware family. It poses as an Adobe Flash update; when the fake update is run, it immediately locks down the computer. A screen then tells the user that their files are “no longer accessible” and that “no one will be able to recover them without our decryption service.”

It then directs victims to a payment page with a countdown timer: if the $285 ransom is not paid before the timer runs out, the victim is told that the fee for releasing the files will go up.

Bad Rabbit also moves laterally across an infected network, spreading without any user interaction.

According to Kaspersky’s data, most of the victims are located in Russia. However, a small number of attacks have also been seen in other countries, including Ukraine, the U.S., South Korea, Bulgaria, Turkey and Germany. According to KSN (Kaspersky Security Network) statistics, there are over 200 targets.

Kaspersky’s experts have linked the Bad Rabbit attack to the ExPetr attack. According to their analysis, the ExPetr and Bad Rabbit binaries share notably similar code.

Other similarities include the same list of domains used for the drive-by attack and similar techniques for spreading the malware through corporate networks: both attacks used WMIC (the Windows Management Instrumentation Command-line) for that purpose. However, unlike ExPetr, Bad Rabbit does not use the EternalBlue exploit, or any other exploit.

Kaspersky’s experts believe the same threat actor is behind both attacks. Unlike ExPetr, however, Bad Rabbit appears to be genuine ransomware rather than a wiper: it encrypts files of certain types and installs a modified bootloader, which prevents the computer from booting normally. Because Bad Rabbit is not a wiper, the attackers are able to decrypt the password, which in turn is needed both to decrypt the files and to let the PC boot its OS.

Unfortunately, Kaspersky’s experts say that the encrypted files cannot be recovered without the encryption key.

To avoid becoming a victim of Bad Rabbit:

  • Block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat.
  • If possible, disable the WMI service to prevent the malware from spreading across your network.
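
The following PowerShell script is an added example, not code from the article or from Kaspersky: it audits a host for the two drop paths named above, then applies both mitigations (a Software Restriction Policy path rule disallowing each path, and stopping and disabling the WMI service). It assumes the SRP registry layout that Group Policy writes for a “Disallowed” path rule, which should be confirmed on a test host before wide deployment, and it must run from an elevated session.

```powershell
# Added example (not the article's or Kaspersky's code). Run elevated.
# Assumptions: drop paths are the two the article names; the SRP registry
# layout below matches what Group Policy writes for a "Disallowed" path rule.
$DropPaths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
$SrpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-BadRabbitDropFiles {
    # Audit first: report whether either drop path is already present on this host.
    foreach ($p in $DropPaths) {
        $f = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $p
            Present = [bool]$f
            Sha256  = if ($f) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { $null }
        }
    }
}

function Block-BadRabbitDropPaths {
    # Software Restriction Policy: default level Unrestricted (0x40000) plus a
    # Disallowed (level 0) path rule per drop path. TransparentEnabled=2 makes
    # SRP check every file, including DLLs, which matters because the drop
    # files do not carry an executable extension.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess($SrpKey, 'Write SRP path rules')) {
        New-Item -Path "$SrpKey\0\Paths" -Force | Out-Null
        Set-ItemProperty -Path $SrpKey -Name DefaultLevel       -Value 0x40000 -Type DWord
        Set-ItemProperty -Path $SrpKey -Name TransparentEnabled -Value 2       -Type DWord
        Set-ItemProperty -Path $SrpKey -Name PolicyScope        -Value 0       -Type DWord
        foreach ($p in $DropPaths) {
            $rule = New-Item -Path "$SrpKey\0\Paths\{$([guid]::NewGuid())}" -Force
            Set-ItemProperty -Path $rule.PSPath -Name ItemData    -Value $p -Type ExpandString
            Set-ItemProperty -Path $rule.PSPath -Name SaferFlags  -Value 0  -Type DWord
            Set-ItemProperty -Path $rule.PSPath -Name Description -Value 'Bad Rabbit drop path' -Type String
        }
    }
}

function Disable-WmiService {
    # Stops and disables Winmgmt so the worm cannot use WMI to reach other hosts.
    # Many management tools depend on WMI, hence the article's "if possible".
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Winmgmt', 'Stop and disable')) {
        Stop-Service -Name Winmgmt -Force
        Set-Service  -Name Winmgmt -StartupType Disabled
    }
}

Get-BadRabbitDropFiles | Format-Table -AutoSize
Block-BadRabbitDropPaths -WhatIf   # remove -WhatIf to apply the SRP rules
Disable-WmiService -WhatIf         # remove -WhatIf to actually stop WMI
```

Both mitigation functions honour -WhatIf, so the audit can be run first and the changes applied only once the output has been reviewed.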

Some tips for everyone:

  • Do not pay the ransom
  • Back up your data