A Big Ransomware Attack ‘Bad Rabbit’ is on the Rise

We’ve already seen two large-scale ransomware attacks this year — we’re talking about the infamous WannaCry and ExPetr (also known as Petya and NotPetya). It seems that a third attack is on the rise: The new malware is called Bad Rabbit — at least, that’s the name indicated by the darknet website linked in the ransom note. 

Kaspersky Lab researchers have found that the Bad Rabbit ransomware attack has clear ties to the ExPetr attack that took place in June this year. 

According to their analysis, the hashing algorithm used in the Bad Rabbit attack is similar to the one used by ExPetr. Further, experts have found that both attacks use the same domains, and similarities in the respective source codes indicate that the new attack is linked to the creators of ExPetr. Like ExPetr, Bad Rabbit tries to grab credentials from the system memory and spread within the corporate network by WMIC. However, researchers have found neither the EternalBlue nor the EternalRomance exploit in the Bad Rabbit attack; both of them were used in ExPetr.

The investigation shows that the attackers behind this operation have been preparing for it since at least July 2017, setting up their infection network on hacked sites, which are mainly media and news information resources. 

According to Kaspersky Lab’s research, Bad Rabbit hit almost 200 targets, located in Russia, Ukraine, Turkey and Germany. Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and Fontanka.ru among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it’s the same attack is not yet clear. All of the attacks took place on October 24, and no new attacks have been detected since then. Researchers note that once the infection became more widespread and security companies started to investigate, the attackers immediately removed the malicious code they had added to the hacked websites. The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom — that’s roughly $280 at the current exchange rate. 

According to our research, the ransomware is spread via a drive-by attack. The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php. 

Also, according to our telemetry data, victims are redirected to this malicious web resource from legitimate news websites. The downloaded file, named install_flash_player.exe, needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges, which it attempts to obtain using the standard UAC prompt. Once started, it saves the malicious DLL as C:\Windows\infpub.dat and launches it using rundll32.
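As an added example (not from the article or from Kaspersky Lab), a small detection routine over constructed process-creation records that flags the chain described above: rundll32 loading C:\Windows\infpub.dat, rundll32 spawned by install_flash_player.exe, and wmic.exe used to create a process on another host. The event schema, the sample records and the WMIC `/node:` command pattern are assumptions, not details from the page.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:          # assumed schema, modelled on a process-creation log
    host: str
    parent_image: str
    image: str
    command_line: str

DROPPER_NAME = "install_flash_player.exe"   # file name from the article
DROPPED_DLL = r"c:\windows\infpub.dat"      # drop path from the article (lower-cased)

def _module_arg(command_line: str) -> str:
    """First argument after the rundll32 image, minus any ',entrypoint' suffix."""
    tokens = command_line.replace('"', "").split()
    return tokens[1].split(",")[0].lower() if len(tokens) > 1 else ""

def classify(ev: ProcessEvent) -> list[str]:
    """Names of the indicators one event matches; empty when it matches none."""
    hits, image, parent = [], ev.image.lower(), ev.parent_image.lower()
    cmd = ev.command_line.lower()
    if image.endswith("rundll32.exe"):
        module = _module_arg(cmd)
        if module == DROPPED_DLL:
            hits.append("rundll32_infpub_dat")
        elif module and not module.endswith(".dll"):
            hits.append("rundll32_non_dll_module")   # wider pattern the .dat file fits
        if parent.endswith(DROPPER_NAME):
            hits.append("spawned_by_fake_flash_installer")
    # Assumed WMIC lateral-movement pattern: remote node + process creation
    if image.endswith("wmic.exe") and "/node:" in cmd and "process call create" in cmd:
        hits.append("wmic_remote_process_create")
    return hits

def scan(events):
    """Return {host: sorted indicator names} for every host with at least one hit."""
    findings = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(ev.host, set()).add(hit)
    return {host: sorted(names) for host, names in findings.items()}

SAMPLE_EVENTS = [   # constructed records, not real telemetry
    ProcessEvent("ws01", r"C:\Users\a\Downloads\install_flash_player.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Windows\infpub.dat,#1 15'),
    ProcessEvent("ws01", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\wbem\wmic.exe",
                 r'wmic.exe /node:"srv02" process call create "..."'),
    ProcessEvent("ws02", r"C:\Windows\explorer.exe",            # benign control case
                 r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```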

Kaspersky Lab experts continue to analyze Bad Rabbit to find possible flaws in its cryptographic routines.  

Kaspersky Lab’s products successfully detect the ransomware, and have been doing so proactively since the beginning of the attack.

DIGITAL TERMINAL
digitalterminal.in