Bad Rabbit: The New Ransomware With Some Famous Cousins

Remember the Petya/NotPetya ransomware outbreak from back in June? That was the ransomware that was (or wasn't) based on Petya, a ransomware family first seen in 2016. Mainly limited to Ukraine, Petya/NotPetya was a truly nasty variation on a theme. It had all the markings of a state-created malware weapon whose goal was clearly not to make money but to destroy as much as possible. During its run of terror it knocked out the radiation monitoring software at the Chernobyl plant (staff fell back to manual readings), hit Ukrainian power companies and large businesses, took down computers at shipping company Maersk and crippled pharmaceuticals giant Merck.

Bad Rabbit — Petya/NotPetya 2.0?

Well, just in time for Halloween, here comes a variation on the Petya/NotPetya theme: the creepily named Bad Rabbit ransomware, which has mainly been hitting users in Ukraine and Russia for the past week.

The ransomware, which is delivered as a fake Adobe Flash Player update served from compromised websites, has hit numerous Russian media companies, a Ukrainian airport and the Kiev subway system, among other high-profile targets in that region. Though it hasn't spread with anywhere near the firepower of its cousin, it has been popping up in other locations such as Turkey and Germany, and other reports place it in the US, Ireland and Denmark. That reach is explained by what happens after the first infection: once one machine on a network is compromised, the malware spreads laterally to other Windows hosts on that network without any further clicking by anyone.

So just how are victims falling prey? In a nutshell, Bad Rabbit's operators took over legitimate but compromised websites (compromised meaning insecure for some reason, whether through vulnerabilities in the site's own code or in a third-party script it loads) and injected JavaScript into them that shows visitors a fake Adobe Flash update prompt. Nothing is exploited in the browser: the visitor has to download the bogus installer, run it and approve the User Account Control prompt it raises, because the dropper needs administrator rights to do its work. You might think that by now people would know it's a very bad idea to install any old Adobe update a website throws at them, but somehow they keep clicking anyway.

Once you run the fake update, Bad Rabbit encrypts your files and then demands a payment of 0.05 BTC to unlock them. The lock screen is nearly identical to Petya/NotPetya's, and the malware schedules a system reboot, just as Petya/NotPetya did. But unlike Petya/NotPetya, which was effectively a wiper dressed up as ransomware, Bad Rabbit's encryption scheme is intact: the attackers hold what is needed to decrypt, so a paying victim can in principle receive a working key. Still, as with every other ransomware variant, paying isn't recommended: there is no guarantee you will get anything back, and it proves to the attackers that their tactics work. One more thing Bad Rabbit shares with its cousins: to move across a network it uses EternalRomance, one of the NSA SMB exploits leaked by the Shadow Brokers, alongside a hard-coded list of common usernames and passwords and credentials harvested from the infected machine with a Mimikatz-style tool.

Luckily, researchers have found some flaws in how Bad Rabbit works that may make it possible to recover data without paying, in some circumstances. Most notably, it doesn't delete Volume Shadow Copies. These are the point-in-time snapshots Windows takes of a volume when System Protection is on (typically whenever a restore point or a Windows backup is created), and earlier versions of your files can be pulled back out of them. Most ransomware runs vssadmin to wipe these snapshots precisely so that victims can't restore from them, and it's surprising that Bad Rabbit's authors skipped that step. Don't bank on this, though: it only helps if System Protection was enabled before the infection, and only if the second stage, full-disk encryption of the system drive using a bundled copy of the legitimate DiskCryptor driver, hasn't already run. Once that happens, the snapshots go with everything else on the volume.
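The check a responder actually runs on a machine like this is: are there any shadow copies left, and can I get files out of one? The PowerShell below is an added example, not code from the original post or from any Bad Rabbit analysis. It assumes an elevated prompt on the infected host, a spare mount path (C:\ShadowRestore), a user profile to recover (alice) and a clean destination drive (D:); all three paths are placeholders to adjust.

```powershell
# Added example (not from the original post): list Volume Shadow Copies on a
# Windows host and expose the newest one so files can be copied out of it.
# Run from an elevated PowerShell prompt. Paths below are assumptions.

# 1. Enumerate every snapshot on the box, newest first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending |
    Select-Object ID, InstallDate, VolumeName, DeviceObject

if (-not $shadows) {
    Write-Warning "No shadow copies exist: System Protection was off, or the snapshots have been purged."
    return
}
$shadows | Format-Table -AutoSize

# 2. Expose the newest snapshot as a directory junction. The trailing
#    backslash on the device path is required or mklink fails.
$latest    = $shadows | Select-Object -First 1
$mountPath = 'C:\ShadowRestore'   # assumption: any unused path works
if (Test-Path $mountPath) { throw "$mountPath already exists; pick another mount path." }
cmd /c mklink /d $mountPath "$($latest.DeviceObject)\" | Out-Null

# 3. Copy a profile out of the read-only snapshot to a clean drive.
#    /E = include subfolders, /XJ = don't follow junctions,
#    /R:1 /W:1 = don't hang on unreadable files.
robocopy "$mountPath\Users\alice\Documents" 'D:\Recovered\Documents' /E /XJ /R:1 /W:1

# 4. Drop the junction; this leaves the snapshot itself untouched.
cmd /c rmdir $mountPath
```

The same enumeration is available from a plain command prompt with `vssadmin list shadows`. Treat the snapshot as evidence as well as a backup: copy out of it, never write into it, and image the disk before doing anything else if the case may matter later.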

Steering Clear of Ransomware

Now that ransomware is back from its summer hiatus, it seems that people need a refresher course on how to steer clear of it. So let’s have a quick rundown of the basics, shall we?

  • Make sure you are running the most recent version of your operating system and that it is fully patched. We have said it a million times before: outdated apps, operating systems, add-ons and software instantly raise your risk of picking up ransomware or any other malware. The SMB flaw that Bad Rabbit's EternalRomance exploit abuses was fixed by Microsoft's MS17-010 update in March 2017, months before either outbreak
  • Use an ad blocker. Malicious ads and fake update pop-ups get blocked along with the legitimate ads
  • Get set up with a solid backup plan. Don't rely on a sync service like Google Drive to save the day if you need to rebuild from scratch; it will happily sync the encrypted copies over the good ones. Invest in an online backup plan and get yourself an external drive as well, and keep it disconnected and somewhere else in case of a physical disaster
  • Run a reputable anti-malware program like Reason Core Security that blocks malware trying to make its way onto your system
  • Never click links or open attachments in emails unless you're 100 percent sure they are safe. Phishing email is one of the main ways ransomware is delivered, so this point is critical

For now, it's safe to say that you probably won't get infected with Bad Rabbit unless you happen to be a high-profile target in Ukraine or Russia. But even though you're safe this time, you might not be so lucky next time, so remember the pointers above and put them into practice, pronto. And if there is any silver lining here, at least now you have a clever Halloween costume idea if you needed one.
