A new ransomware strain named Bad Rabbit is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike, according to Bleeping Computer.
The ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey.
Confirmed victims include the Odessa airport in Ukraine, the Kiev subway system in Ukraine, the Ukrainian Ministry of Infrastructure, and three Russian news agencies, including Interfax and Fontanka. Ukraine’s CERT team has posted an alert and is warning Ukrainian businesses about this new outbreak, says the report.
The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks that have hit in May and June this year, respectively.
ESET and Proofpoint researchers say Bad Rabbit has initially spread via fake Flash update packages, but the ransomware also appears to come with tools that help it move laterally inside a network, which may explain why it spread so quickly across several organizations in such a small time.
In a later report published by Kaspersky, the company telemetry data revealed “the ransomware [was] spread via a drive-by attack,” and “victims are redirected to [the website peddling the fake Flash update package] from legitimate news websites.”
Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.
As for Bad Rabbit, the ransomware is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user’s computer and then replaces the MBR (Master Boot Record).
Once Bad Rabbit has done its job, it reboots the user’s PC, which gets stuck into the custom MBR ransom note. The ransom note is almost identical to the one used by NotPetya, in the June outbreak. Despite this, there is little resemblence to NotPetya. Intezer claims there is only 13% code reuse between Bad Rabbit and NotPetya.
“It was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims. It appears this latest variation, the so-called Bad Rabbit ransomware, is being distributed via a fake Adobe Flash Player installer file. Initial reports are primarily from Eastern Europe, especially focused on Russia and Ukraine. What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organization as a worm and not just through email attachments or vulnerable web plugins. It is rumored to contain the same password stealing and spreading mechanism as NotPetya, allowing it to traverse an enterprise and cripple it in no time,” said Chester Wisniewski, principal research scientist, Sophos.
