Bad Rabbit ransomware is spreading like wildfire across Europe. It has already affected over 200 major organizations, mainly in Russia, Ukraine, Turkey and Germany. It is a targeted ransomware attack against major corporate networks. Once infected, the attackers are asking for 0.05 bitcoin (~$285) from victims to unlock their systems. Here is what the ransomware message looks like for affected people.
How is it spreading
It was spread as a dropper program by performing drive-by attacks. In Ukraine, the attack hit critical infrastructure organizations in the transport sector. One of the victims is the Odessa airport, which is located in the third-largest city in the country, causing flight delays due to manual processing of passenger data. Ukraine also saw its subway system affected, causing payment delays on customer service terminals, although trains continued to run normally.
To reach user endpoints, Bad Rabbit’s operators compromised news and media sites to have visitors redirected to malicious landing pages they control. On those pages, users were advised to install an Adobe Flash update, at which point a malicious download took place, delivering the malware dropper in what’s called a drive-by attack. As a result, users do not even know that their system is being infected until they see the attack message.
Once it is inside the system, Bad Rabbit scans the internal network for open Server Message Block (SMB) shares. SMB is Microsoft Windows' protocol for transferring data between connected Windows computers; Bad Rabbit abuses it to bypass security over file-sharing connections and thereby gain remote code execution on Windows clients and servers.
Bad Rabbit then tries a hardcoded list of commonly used credentials to drop the malware on those hosts, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.
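The lateral-movement behaviour described above leaves a recognisable trace: one internal host reaching many different peers on TCP 445 within a short window. The following detector, added here as an example and not part of the original post, flags that fan-out pattern over a constructed connection log (the log format, addresses and threshold are assumptions).

```python
# Added example: flag hosts that contact many distinct peers on TCP 445 (SMB)
# inside a short time window, the fan-out pattern of an SMB network scan.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format: "<ISO time> <src> -> <dst>:<port>".
# 10.0.0.15 probes six hosts in four seconds (scanner-like);
# 10.0.0.40 talks to a single file server (normal);
# 10.0.0.50 touches three hosts spread over ten minutes (below threshold).
SAMPLE_LOG = """\
2017-10-24T10:00:01 10.0.0.15 -> 10.0.0.22:445
2017-10-24T10:00:02 10.0.0.15 -> 10.0.0.23:445
2017-10-24T10:00:02 10.0.0.15 -> 10.0.0.24:445
2017-10-24T10:00:03 10.0.0.15 -> 10.0.0.25:445
2017-10-24T10:00:04 10.0.0.15 -> 10.0.0.26:445
2017-10-24T10:00:05 10.0.0.15 -> 10.0.0.27:445
2017-10-24T10:00:20 10.0.0.15 -> 10.0.0.80:443
2017-10-24T10:00:10 10.0.0.40 -> 10.0.0.5:445
2017-10-24T10:00:40 10.0.0.40 -> 10.0.0.5:445
2017-10-24T10:01:10 10.0.0.40 -> 10.0.0.5:445
2017-10-24T10:00:15 10.0.0.50 -> 10.0.0.22:445
2017-10-24T10:05:15 10.0.0.50 -> 10.0.0.23:445
2017-10-24T10:09:15 10.0.0.50 -> 10.0.0.24:445
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct SMB peers} for sources that reach at least
    `threshold` distinct hosts on port 445 within any `window`-long span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            if port == 445:               # only SMB connections matter here
                events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()                         # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print(smb_fanout_sources(SAMPLE_LOG))  # {'10.0.0.15': 6}
```

Tune the threshold and window to the normal SMB fan-out of the environment (backup servers and domain controllers legitimately contact many peers) before alerting on the result.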
Those who went ahead and executed the file unknowingly unleashed the malware on their endpoints and saw their files encrypted. The malware operators’ note demands 0.05 BTC in ransom to unlock the files.
How to be safe
Users should take the following steps to stay safe from this attack:
- Make sure you have the most up-to-date version of your operating system installed.
- Make sure you have an antivirus suite on your system.
- Be wary of phishing emails, malicious adverts on websites and third-party apps.
- Keep a backup of all your valuable information on an external device that is not connected to the network.