A new ransomware strain, dubbed Bad Rabbit, has affected several media outlets in Russia and is quickly spreading to other parts of the world.
Hackers are using fake Adobe Flash updates to inject the Bad Rabbit ransomware to computers and are demanding 0.05 Bitcoin as ransom.
What exactly is Bad Rabbit?
First detected by Kaspersky Lab, Bad Rabbit isn't an exploit-driven attack but is a drive-by one, infecting websites with fake Adobe Flash installers. Once a user downloads the installer and runs it manually, he/she gets infected by the ransomware which proceeds to encrypt files stored on the computer.
The security firm adds that several big Russian media outlets like Interfax news agency and Fontanka.ru have been victimised by the ransomware. At the same time, the ransomware has likely spread its wings to other countries like Ukraine, Turkey, and Germany. According to recent reports, the ransomware may also have affected the Odessa airport and the Kiev metro system.
Initial analysis by cyber experts suggests that Bad Rabbit could be a variant of NotPetya, a sophisticated ransomware that affected operations at global firms like Danish shipping company Maersk, Russian oil giant Rosneft, aircraft manufacturer Antonov, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK.
Kaspersky Lab says even though Bad Rabbit is being used by hackers to gain control over corporate servers like NotPetya was in June, it doesn't have any evidence yet to prove that the two ransomware strains are related.
However, Steven Malone, Cyber Resilience Expert at Mimecast, says that Big Rabbit is indeed a variant of NotPetya since both of them use the same SMB flaws to spread laterally once inside a network.
'This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success,' says Tony Rowan, Chief Security Consultant at SentinelOne.
What do the hackers want?
Hackers behind the ransomware are demanding 0.05 bitcoins (£213) from affected people and firms. Such users are being asked to transfer the sum to a payment address, following which they will be sent decryption keys to unlock their files.
What must you do to protect your files from Bad Rabbit?
Kaspersky Lab is asking users to back up their data at the earliest to ensure they don't lose all their data to hackers. Affected users are also being asked not to pay ransom to the hackers as there's no guarantee that the latter would stick to their word.
If you aren't affected yet, you must prevent the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat to stop the ransomware from entering your system. To prevent it from spreading to other systems on your corporate network, you must also disable Windows Management Instrumentation (WMI), a device and applications management system in older versions of Windows like Windows 2000, Windows XP, or Windows Server 2003.
Thanks to cyber security researchers Amit Serper and Mike Iacovacci, there is now a detailed step-by-step procedure to prevent your systems from getting infected by Bad Rabbit. These are as follows:
1. Use your administrator privilege to create files infpub.dat and cscc.dat in c:\windows. This can be done using cmd.
2. Remove all permissions enjoyed by the two files by right-clicking each file and selecting Properties > Security > Advanced. If your computer runs Windows 10, you can click the “disable inheritance button”.
Considering that most antivirus software have been unable to detect Big Rabbit so far, following these suggestions would help you protect your device and the data within until your antivirus provider brings in new patches to plug the threat. However, considering that the ransomware is similar to the one used earlier this year, it'll be better to implement security solutions on your own.
'Given that the propagation mechanism is based on EternalBlue, it surprises me that so many people haven't patched their systems. Even more, they continue to rely on the legacy AV products which these types of malware evade so easily,' Rowan adds.
'Some might say – why after WannaCry and NotPetya are systems still unpatched? The issue of patching is irrelevant when looking at a potentially self-replicating malware like Bad Rabbit because in any large network there will be some unpatched devices. By protecting file servers (e.g. deploying File Firewall solutions) rather than focusing on endpoints organizations can minimize the effect of such incident and avoid disruption to business,' says Amichai Shulman, CTO at Imperva.