NotPetya ransomware variant 'Bad Rabbit' is spreading fast

midian182

It looks as if 2017 will be remembered as the year of ransomware. Following the worldwide WannaCry attacks in May and the spread of Petya/NotPetya in June, a new type of infection dubbed Bad Rabbit is now making its way through Europe.

ESET security researchers have identified the file-encrypting software used in the new attacks as Diskcoder.D, a new variant of the NotPetya ransomware. Much like this year’s NotPetya incident, the initial wave of infections is mostly hitting Russia and Ukraine, though instances have appeared in Turkey, Germany, Bulgaria, and other countries.

Bad Rabbit has infected at least three Russian media organizations, including newswire Interfax and news group Fontanka.ru. Ukraine’s Odessa airport, Kiev Metro, and Ministry of Infrastructure have also been affected.

"The dangerous aspect is the fact that it was able to infect many institutions which constitute critical infrastructure in such a short timeframe," says ESET malware researcher Robert Lipovsky, "which indicates a well-coordinated attack."

While researchers have linked Bad Rabbit to NotPetya’s creators, it isn’t spread in the same way. Victims visit booby-trapped legitimate sites, “all of which were news or media websites,” where a malware dropper—a file that launches the malware—is downloaded onto their system. The dropper appears as an Adobe Flash installer, meaning targets are essentially infecting themselves.

ESET says the ransomware also attempts to spread to other computers on the same local network as an infected machine, using the Windows file-sharing protocol SMB together with the post-exploitation, credential-harvesting tool Mimikatz.

Bad Rabbit encrypts a number of file types, including the common .doc, .docx, and .jpg. Victims are asked for 0.05 Bitcoins (around $286) if they want the decryption key. A 41-hour timer counts down to the moment when the ransom price goes up. As with all forms of ransomware, paying the money is no guarantee of getting your data back.

An early vaccine has been released for the ransomware, which should prevent infection.

Interestingly, there are several references to TV shows and movies in Bad Rabbit’s code. Game of Thrones fans noticed the names of Daenerys Targaryen’s three dragons—Drogon, Rhaegal, and Viserion—appearing in the code, as well as the name of the character Grey Worm. Additionally, the list of default credentials it tries against other computers includes the passwords ‘love,’ ‘secret,’ ‘sex,’ and ‘god.’ According to the classic 1995 movie Hackers, these are the four most common passwords—though in reality, the most popular is still ‘123456’.
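The propagation behaviour described above (an infected host using SMB and a short default-credential list against its neighbours) leaves a detectable trace: one source generating network logons, many of them failed, to many hosts in a short window. The Python below is an added example, not code from the article or from ESET; it runs over a constructed, simplified logon-event sample, and the window and threshold values are assumptions to be tuned per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry) of simplified Windows logon events:
# timestamp, event id (4624 success / 4625 failure), logon type (3 = network,
# which is what SMB sessions produce), source host, target host, account.
SAMPLE_EVENTS = """\
2017-10-24T13:00:01 4625 3 WS-17 FILESRV-01 admin
2017-10-24T13:00:02 4625 3 WS-17 FILESRV-01 administrator
2017-10-24T13:00:03 4624 3 WS-17 FILESRV-01 administrator
2017-10-24T13:00:05 4625 3 WS-17 WS-22 admin
2017-10-24T13:00:09 4625 3 WS-17 WS-23 admin
2017-10-24T13:00:10 4625 3 WS-17 WS-24 admin
2017-10-24T13:00:12 4624 3 WS-17 WS-25 backup
2017-10-24T13:02:00 4624 3 WS-09 FILESRV-01 alice
2017-10-24T13:30:00 4624 3 WS-09 WS-22 alice
"""

LINE_RE = re.compile(r"^(\S+) (4624|4625) (\d+) (\S+) (\S+) (\S+)$")

def parse_events(text):
    """Parse the simplified format above into tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, ltype, src, dst, acct = m.groups()
            events.append((datetime.fromisoformat(ts), eid, int(ltype), src, dst, acct))
    return events

def find_smb_fanout(events, window=timedelta(minutes=5), min_targets=4, min_failures=2):
    """Flag source hosts whose network logons reach many distinct targets inside
    one sliding window and include repeated failures: the pattern a worm trying a
    short credential list against every neighbour leaves. Returns {src: targets}."""
    by_src = defaultdict(list)
    for ts, eid, ltype, src, dst, _acct in events:
        if ltype == 3:  # only network logons; interactive logons are not lateral movement
            by_src[src].append((ts, eid, dst))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            targets = {dst for _, _, dst in in_window}
            failures = sum(1 for _, eid, _ in in_window if eid == "4625")
            if len(targets) >= min_targets and failures >= min_failures:
                alerts[src] = sorted(targets)
                break
    return alerts
```

In a real deployment the same logic would consume Security log events 4624/4625 with logon type 3 from a SIEM rather than the constructed sample.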

It's getting to the point that the only way to truly rid your machine of it is to reformat the drive and start anew. In the future, providers like UNIX, Android, and the MS OS will have to allow multiple installations so end users don't get burned. Of course, the conspiracy theorist may see this as the big software companies' means of gaining more sales, which has yet to be proven or not proven.
 
They actually DO allow multiple installations.... just not unlimited... and if your product key becomes invalid, you can always call MS and they will reactivate it for you...
 
And always keep at least two backups of your data, one on an external HD and one in the cloud. I also put really important info on CDs and DVDs (remember them?)