Security researchers have reported a new strain of ransomware called Bad Rabbit that is spreading quickly, mostly in Russia and Ukraine.
Malware experts expect Bad Rabbit to spread into the rest of Europe soon. Within a few hours the threat had already affected more than 200 major organizations, mainly in Russia, Ukraine, Germany, Japan, and Turkey.
Odessa International Airport has also reported a cyberattack on its information system, though it is not yet clear whether it is the same attack.
“In some of the companies, the work has been completely paralysed – servers and workstations are encrypted,” the head of Russian cyber-security firm Group-IB, Ilya Sachkov, said.
Researchers describe Bad Rabbit as Petya-like malware that mainly targets corporate networks.
The ransomware operators demand 0.05 bitcoin (about $280) to unlock a victim's systems.
After analyzing Bad Rabbit, Kaspersky Lab concluded that the ransomware spreads via drive-by download attacks: the attackers use a fake Adobe Flash Player installer to trick victims into running the malware themselves.
“On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine.” the Kaspersky Lab experts said.
“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” the analysis published by Kaspersky Lab states.
ESET tracks the Bad Rabbit ransomware as 'Win32/Diskcoder.D' and considers it a new version of Petya. The malware relies on the open-source disk-encryption software DiskCryptor, and RSA-2048 keys protect the file-encryption keys.
The experts ruled out use of the EternalBlue exploit. Instead, the threat scans the target network for open SMB shares, tries to access them with a hardcoded list of credentials in order to drop its code, and uses the Mimikatz tool to harvest further credentials from the infected host.
“Win32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does not use the EternalBlue vulnerability like the Win32/Diskcoder.C (Not-Petya) outbreak. First, it scans the internal network for open SMB shares.” the ESET analysis reads.
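The SMB behaviour ESET describes leaves a recognisable trace in the Windows Security log: one source host producing failed network logons (Event ID 4625, logon type 3) for many different usernames against several machines within a minute or two. The following PowerShell is an added example, not code from the article, Kaspersky or ESET. It runs a detection heuristic over a constructed set of failed-logon records; the record field names, the thresholds, the sample IP addresses and usernames, and the helper that maps real 4625 events into that shape are all this example's own assumptions.

```powershell
# Added example, not code from the article, Kaspersky or ESET. Flags a source
# host that tries many different usernames over network logons against several
# machines in a short window: what a hardcoded-credential spray against SMB
# shares looks like in the Windows Security log (Event ID 4625, LogonType 3).

function Find-SmbCredentialSpray {
    param(
        # Records with TimeCreated, SourceIp, TargetUser, Computer, LogonType
        # (field names are this example's own convention)
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctUsers = 5,   # assumed threshold; tune per environment
        [int]$WindowMinutes    = 5
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 } |   # network logons only
        Group-Object -Property SourceIp |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $span   = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
            $users  = @($sorted.TargetUser | Select-Object -Unique)
            $hosts  = @($sorted.Computer   | Select-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp      = $_.Name
                    DistinctUsers = $users.Count
                    TargetHosts   = $hosts.Count
                    Minutes       = [math]::Round($span, 1)
                    Users         = $users -join ','
                }
            }
        }
}

# Converts real 4625 events into the shape above (run elevated). Property
# indices follow the standard 4625 schema (5 = TargetUserName, 10 = LogonType,
# 19 = IpAddress); confirm against $event.ToXml() before relying on them.
function Get-FailedNetworkLogon {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            SourceIp    = $_.Properties[19].Value
            TargetUser  = $_.Properties[5].Value
            Computer    = $_.MachineName
            LogonType   = [int]$_.Properties[10].Value
        }
    }
}

# Constructed sample: one workstation walking a short username list against
# three hosts in under a minute, plus two unrelated failed logons.
$t0 = [datetime]'2017-10-24T10:00:00'
$sample = @(
    @{ T = 0;  Ip = '10.0.5.23'; U = 'Administrator'; C = 'FS01' }
    @{ T = 5;  Ip = '10.0.5.23'; U = 'Admin';         C = 'FS01' }
    @{ T = 9;  Ip = '10.0.5.23'; U = 'Guest';         C = 'FS01' }
    @{ T = 20; Ip = '10.0.5.23'; U = 'Administrator'; C = 'FS02' }
    @{ T = 24; Ip = '10.0.5.23'; U = 'user';          C = 'FS02' }
    @{ T = 31; Ip = '10.0.5.23'; U = 'root';          C = 'DC01' }
    @{ T = 38; Ip = '10.0.5.23'; U = 'backup';        C = 'DC01' }
    @{ T = 90; Ip = '10.0.7.9';  U = 'jsmith';        C = 'FS01' }  # mistyped password
    @{ T = 95; Ip = '10.0.7.9';  U = 'jsmith';        C = 'FS01' }
) | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $t0.AddSeconds($_.T); SourceIp = $_.Ip
        TargetUser  = $_.U; Computer = $_.C; LogonType = 3
    }
}

# Swap $sample for (Get-FailedNetworkLogon) to scan a live host's Security log.
Find-SmbCredentialSpray -Events $sample | Format-Table -AutoSize
```

On the constructed sample only 10.0.5.23 is reported (six distinct usernames across three hosts in well under a minute); the two jsmith failures from 10.0.7.9 stay below the threshold. Because the spread uses real credentials once one guess succeeds, pair this with the matching 4624 (successful logon) events from the same source: a spray followed by a success is the point at which the host should be isolated.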
ESET also reports that the payment site is hosted on the Tor network; the ransom note gives payment instructions and shows a 40-hour countdown, after which the price of decryption increases.
While researchers continue to analyze Bad Rabbit, Kaspersky Lab advises administrators to disable the WMI service, to prevent the malware from spreading across the network, and to block execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat. Disabling WMI also breaks legitimate management tooling that depends on it, so it should be treated as a temporary containment measure rather than a permanent setting.
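The following PowerShell is an added example, not code from the article or from Kaspersky's advisory. It applies the two mitigations described above on a single Windows host and then reports their state. The function names, the choice to block the two files with an empty DACL plus an explicit Deny for Everyone, and the status check are this example's own; winmgmt is the standard service name for WMI. Run it from an elevated PowerShell session.

```powershell
# Added example, not code from the article or from Kaspersky. Applies the two
# mitigations described above on one host and reports their state. Run from an
# elevated PowerShell. Function names and the ACL approach are this example's
# own choices; the WMI service name (winmgmt) is the standard one.

function Block-BadRabbitArtifact {
    param(
        [string[]]$Path = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
    )
    foreach ($p in $Path) {
        # Pre-create the file so the dropper cannot write its own copy there.
        if (-not (Test-Path -LiteralPath $p)) {
            New-Item -Path $p -ItemType File -Force | Out-Null
        }
        # Strip inherited ACEs (leaves an empty DACL: nobody can read, write or
        # execute) and add an explicit Deny for Everyone (SID S-1-1-0, which is
        # locale-independent) so the block survives a later permission reset.
        icacls $p '/inheritance:r' | Out-Null
        icacls $p /deny '*S-1-1-0:(F)' | Out-Null
    }
}

function Disable-WmiService {
    # Stops WMI and its dependents and prevents it from starting at boot.
    # This also breaks SCCM, most monitoring agents and many admin scripts,
    # so revert with Restore-WmiService once the outbreak is contained.
    Stop-Service -Name winmgmt -Force -ErrorAction Stop
    Set-Service  -Name winmgmt -StartupType Disabled
}

function Restore-WmiService {
    Set-Service   -Name winmgmt -StartupType Automatic
    Start-Service -Name winmgmt
}

function Test-BadRabbitMitigation {
    # Reports whether each pinned file exists with no Allow ACEs at all
    # and whether WMI is stopped and disabled.
    $files = foreach ($p in "$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat") {
        $acl = if (Test-Path -LiteralPath $p) { Get-Acl -LiteralPath $p } else { $null }
        [pscustomobject]@{
            Path    = $p
            Exists  = [bool]$acl
            Blocked = [bool]($acl -and -not ($acl.Access |
                          Where-Object { $_.AccessControlType -eq 'Allow' }))
        }
    }
    $svc = Get-Service -Name winmgmt
    [pscustomobject]@{
        Files      = $files
        WmiStatus  = $svc.Status
        WmiStartup = $svc.StartType   # StartType property exists on PowerShell 5+
    }
}

Block-BadRabbitArtifact
Disable-WmiService
Test-BadRabbitMitigation | Format-List
```

The file pins only stop a dropper that uses these exact paths; a retooled sample would not be affected, so they are a stopgap for hosts that have not yet run the fake installer, not a substitute for blocking the malicious download at the proxy and removing local administrator rights from ordinary users. Roll the WMI change back with Restore-WmiService once the incident is closed.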