Bad Rabbit Ransomware Targeting Primarily Russian and Ukrainian Organizations

Last updated: 30 October 2017

A previously unknown family of ransomware called Bad Rabbit is targeting organizations primarily based in Russia and Ukraine.

On 24 October, Russian security firm Kaspersky Lab confirmed it had received “notifications of mass attacks” with the ransomware. Russia news and media organizations, including the St. Petersburg-based along with Interfax, were among the hardest hit by the new crypto-malware. Bad Rabbit also struck several Ukrainian entities including Kiev’s metro system and an airport in Ukraine’s Odessa.

Bad Rabbit might not have spread even further, however. Researchers at ESET say that the ransomware, which appears to be a variant of Diskcoder, might have reached Turkey and Bulgaria. Concurrently, Gizmodo reports that the threat made it as far away as Poland, South Korea, and even the United States.

Kaspersky Lab has detected about 200 companies that Bad Rabbit has victimized thus far.

Unlike other recent malware outbreaks such as WannaCry and NotPetya, Bad Rabbit did not leverage the Windows-based “EternalBlue” software vulnerability to infect unprotected systems. Kaspersky Lab explains the ransomware instead used a disguise to target organizations:

“The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer.”

Upon successful infection, Bad Rabbit encrypts a computer’s files. It then alters the Master Boot Record (MBR), reboots the computer, and displays a ransom note demanding 0.05 Bitcoins in exchange for the decryption key. That ransom demand is equivalent to approximately $300 at the time of this writing.

In its analysis of the ransomware, American internet security company Malwarebytes detected several similarities between Bad Rabbit and NotPetya. The two threats, for instance, both add scheduled tasks for the system reboot, attack the same kinds of file extensions, and leverage similar code to spread the malware to other machines on the local area network (LAN). The screen containing Bad Rabbit’s ransom note also bears a striking resemblance to that displayed by NotPetya.

But the two ransomware strains are ultimately different beasts. Aside from their different targets and means of distribution, Bad Rabbit and NotPetya do not share the same goal. The former is a ransomware that successfully decrypts a victim’s hard drive when they enter in the correct decryption key, reports The Guardian. By contrast, NotPetya is actually a form of “wiper” malware in that users can’t recover their affected data.

With that said, security expert Jason Hart has some important advice for Bad Rabbit victims who are thinking about paying the ransom:

“Neither businesses nor individuals should pay ransoms to unlock any files that have been affected by a ransomware attack, as this incentivizes and rewards these kinds of attacks. In order to prevent becoming a victim of a ransomware attack, data should be backed-up and encrypted and stored away from the network the rest of the data is stored on. This means that, in the event that a ransomware attack locks someone out of their files, they will have secure copies available. By doing this, the victim would be able to return to business-as-usual quickly and efficiently.”

Companies can further protect themselves against attacks like Bad Rabbit by implementing two-factor authentication, encrypting all sensitive data, securely storing their encryption keys, and keeping their systems up-to-date.

Protect what matters, where it matters – Discover how at Secure the Breach.

One thought on “Bad Rabbit Ransomware Targeting Primarily Russian and Ukrainian Organizations

  1. Do you mean that as long as your data is stored offline encrypted and can be restored, it is OK for ransomware to encrypt your machines? what do you have in your portfolio to prevent these attacks? How does MFA help in preventing a ransomware attack?

    PS: At least use a Bad Rabbit image, your image is that of WannaCry. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *