Numerous reports of cyberattacks involving Bad Rabbit ransomware have surfaced in the last 24 hours.
Bad Rabbit is a newly identified ransomware variant with similarities to both NotPetya and HDDCryptor. NotPetya was employed in widespread cyberattacks last June, and was a wiper rather than ransomware. HDDCryptor was the ransomware software that encrypted the San Francisco Muni’s information technology system in November 2016.
Many of the NotPetya infections were seeded through a compromised update to an accountancy software package. The Bad Rabbit attacks also rely on a fake software update for initial infection: so far they have posed as a Flash Player update delivered through a drive-by download.
Rather than using malvertising to send users to malicious websites where the ransomware is downloaded, the attackers have compromised legitimate websites and injected malicious JavaScript that displays a warning urging the visitor to update Flash Player immediately. Responding to that warning downloads an executable, install_flash_player.exe, which installs the ransomware.
The ransomware cannot be installed without user interaction: the user must download and run the fake Flash Player update before the ransomware is installed. All of the attacks so far are thought to have involved drive-by downloads from legitimate media and news websites. Sites in Russia, Denmark and Ireland are believed to have been compromised and are being used to display the Flash Player warnings.
Bad Rabbit encrypts files with AES and then encrypts the AES key with an embedded RSA-2048 public key. Once the files have been encrypted, the Master Boot Record (MBR) is replaced and the infected computer is rebooted. The infected device then displays a ransom note demanding a payment of 0.05 Bitcoin (about $280 at the time) within roughly 40 hours. The ransom amount increases if the deadline is not met.
Bad Rabbit ransomware is also capable of spreading quickly within a network and infecting multiple computers. The WannaCry ransomware attacks last May also saw infections spread laterally. Rather than using the NSA's ETERNALBLUE exploit employed by WannaCry, Bad Rabbit carries a hardcoded list of common usernames and passwords that it tries over SMB against other devices on the network. It also uses Mimikatz to harvest credentials from the compromised computer, which are then reused over SMB in the same way.
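The spreading behaviour described above has a recognisable footprint in the Windows Security log: one source host attempting network logons (logon type 3) with many different usernames against a target within a few minutes, typically a burst of 4625 (failed logon) events followed by a 4624 (successful logon) once a credential from the list or from Mimikatz works. The hunting heuristic below is an added example written for this page, not code from the article or from the vendors it cites. The event records are constructed for the demo and the usernames are illustrative; the article does not list the credentials Bad Rabbit actually tries. On a real host, replace the sample with objects built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` (TargetUserName, WorkstationName/IpAddress and LogonType are in the event's XML data).

```powershell
# Added example (not from the original article): flag a source host that
# tries many distinct usernames over network logons in a short window, the
# pattern produced by a hardcoded credential list replayed over SMB.
function Find-CredentialSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, EventId, LogonType, SourceHost, TargetUser
        [int] $MinDistinctUsers = 5,                 # threshold: distinct accounts tried from one source
        [int] $WindowMinutes = 10                    # all attempts must fall within this span
    )
    # Only network logons (LogonType 3) are relevant to SMB lateral movement.
    $network = $Events | Where-Object { $_.LogonType -eq 3 }
    $network | Group-Object -Property SourceHost | ForEach-Object {
        $sorted = @($_.Group | Sort-Object -Property TimeCreated)
        $first  = $sorted[0].TimeCreated
        $last   = $sorted[-1].TimeCreated
        $users  = @($sorted | Select-Object -ExpandProperty TargetUser -Unique)
        if ($users.Count -ge $MinDistinctUsers -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                SourceHost    = $_.Name
                DistinctUsers = $users.Count
                Failures      = @($sorted | Where-Object { $_.EventId -eq 4625 }).Count
                Successes     = @($sorted | Where-Object { $_.EventId -eq 4624 }).Count
                # A success after a run of failures is the case to treat as a compromise, not just noise.
                SucceededAs   = ($sorted | Where-Object { $_.EventId -eq 4624 } | Select-Object -ExpandProperty TargetUser) -join ','
                Span          = $last - $first
            }
        }
    }
}

# CONSTRUCTED sample events: WS-07 replays a credential list against a file
# server and eventually gets in as Administrator; WS-02 is normal user activity.
$t0 = Get-Date '2017-10-24 09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(1);  EventId = 4625; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'Administrator' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(2);  EventId = 4625; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'admin' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(3);  EventId = 4625; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'user' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(4);  EventId = 4625; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'backup' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5);  EventId = 4625; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'guest' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(6);  EventId = 4625; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'root' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(9);  EventId = 4624; LogonType = 3; SourceHost = 'WS-07'; TargetUser = 'Administrator' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1);  EventId = 4624; LogonType = 3; SourceHost = 'WS-02'; TargetUser = 'jsmith' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); EventId = 4624; LogonType = 2; SourceHost = 'WS-02'; TargetUser = 'jsmith' }
)

# Expected: one row for WS-07 (6 distinct users, 6 failures, 1 success as Administrator); WS-02 is not reported.
Find-CredentialSpray -Events $sample | Format-Table -AutoSize
```

The threshold values are starting points, not tuned detections: a service account that legitimately authenticates to many hosts will not trip this (it is one username from one source), but a helpdesk jump host may, so baseline `SourceHost` before alerting. Combine with the file indicators below when triaging a hit.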
The attack has hit more than 200 targets, including the Kiev Metro, Odessa International Airport, the Russian news outlets Interfax and Fontanka, and the Ministry of Infrastructure of Ukraine. Infections are concentrated in Russia and Ukraine, although they have also been identified elsewhere in Europe (Turkey, Bulgaria and Germany) and in Japan.
ESET and Kaspersky Lab have released indicators of compromise (IOCs), and Kaspersky Lab has suggested a simple way to block Bad Rabbit.
The ransomware writes two files when it runs, C:\Windows\infpub.dat and C:\Windows\cscc.dat. Kaspersky Lab suggests blocking execution of files at those paths, for example with an application control policy.
It has also been claimed that pre-creating those two files in those locations and removing all read, write and execute permissions on them stops the ransomware from encrypting files, because the dropper cannot write its components there. Businesses should also warn employees about Bad Rabbit, advising them never to install a Flash Player update offered by a pop-up on a website; Flash updates should come only from Adobe directly or through the organization's own patch management.
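The two mitigations above amount to a short administrative procedure: place the two marker files and lock them down so the dropper cannot replace them, then verify. The script below is an added example written for this page, not Kaspersky's or ESET's code and not the original researcher's script; the file names come from the article, while the locking method (strip inherited ACEs so the DACL is empty, set the read-only attribute) is this example's own approach. It must run elevated. The empty DACL denies everyone, including SYSTEM, so an attacker running as SYSTEM would have to take ownership first; this is a stopgap against this variant only, and does not replace execution control or patching.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): pre-create the files Bad Rabbit
# drops and make them unwritable. Paths are the ones named in the article.
$VaccinePaths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Set-BadRabbitVaccine {
    foreach ($path in $VaccinePaths) {
        if (Test-Path -LiteralPath $path) {
            # An existing file may be the real dropper's payload, not a prior vaccine:
            # do not silently lock it; investigate it first.
            Write-Warning "$path already exists ($((Get-Item -LiteralPath $path).Length) bytes); inspect it before locking."
            continue
        }
        New-Item -ItemType File -Path $path | Out-Null
        # Set the attribute BEFORE stripping the ACL: once the DACL is empty even the
        # owner only retains READ_CONTROL and WRITE_DAC, so attribute changes would fail.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        # /inheritance:r removes all inherited ACEs. A freshly created file has only
        # inherited ACEs, so the resulting DACL is empty and nobody can read, write
        # or execute it without first taking ownership and rewriting the DACL.
        icacls $path /inheritance:r | Out-Null
    }
}

function Test-BadRabbitVaccine {
    # Returns $true only when both files exist and carry an empty DACL.
    $ok = $true
    foreach ($path in $VaccinePaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$path is missing"; $ok = $false; continue
        }
        # Get-Acl succeeds here because the creator (Administrators) is the owner,
        # and an owner always has READ_CONTROL regardless of the DACL.
        $acl = Get-Acl -LiteralPath $path
        if ($acl.Access.Count -ne 0) {
            Write-Warning "$path still has $($acl.Access.Count) ACE(s):"
            $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize | Out-String | Write-Warning
            $ok = $false
        }
    }
    return $ok
}

Set-BadRabbitVaccine
if (Test-BadRabbitVaccine) { "Vaccine in place on $env:COMPUTERNAME" } else { "Vaccine NOT fully applied on $env:COMPUTERNAME" }
```

To roll the files back later, take ownership and reset the ACL (`takeown /f <path>` then `icacls <path> /reset`) before deleting them. Deploying the script through Group Policy or a management agent covers a fleet quickly, but pair it with the execution-blocking rule Kaspersky Lab recommends and with the user warning above, since the vaccine does nothing against a future variant that uses different file names.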