A new ransomware attack, dubbed "Bad Rabbit," has spread across the globe, hitting more than 200 organizations within a few hours, with the heaviest impact reported in Russia, Ukraine, Turkey, and Germany. The attack closely resembles the Petya ransomware and demands a ransom of 0.05 bitcoin (roughly $285 at the time) to restore access to the encrypted systems.

Kaspersky's initial analysis found that the malware is delivered as a drive-by download: visitors to affected websites are offered a counterfeit Adobe Flash Player installer, and the ransomware runs only if they download and launch it. Kaspersky stressed this point: the victim has to execute the malicious file manually, so initial access depends on that user action rather than on any exploited vulnerability.

ESET security researchers detect Bad Rabbit as 'Win32/Diskcoder.D,' a variant in the same family as Petya and its derivatives, Petrwrap and NotPetya. Unlike its predecessors, Bad Rabbit uses DiskCryptor, a legitimate open-source full-disk encryption utility, to encrypt the disks of infected systems; the encryption keys are protected with a 2048-bit RSA public key, so the data cannot be recovered without the attackers' private key.

ESET also clarified that this variant does not use the EternalBlue exploit that drove the rapid propagation of WannaCry and NotPetya. Instead, Bad Rabbit spreads by scanning the internal network for reachable SMB shares and attempting to log on with a hardcoded list of commonly used usernames and passwords. It also runs Mimikatz as a post-exploitation step to harvest credentials from the compromised host, which it can reuse to reach further systems.
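The lateral-movement behaviour just described leaves a recognisable trace in Windows Security logs: one source address producing failed network logons (event 4625, logon type 3, the type an SMB session generates) for several different accounts against several hosts within seconds, sometimes followed by a successful logon (event 4624) from the same source once a credential from the list works. The following detection is an added example, not code from the original article or from any vendor named in it. It assumes a simple pipe-delimited export of the event fields (the format, the field order, and the sample records are all constructed for the example); the thresholds are illustrative and should be tuned to the environment.

```python
"""Flag hosts spraying a short credential list over SMB, as seen in Bad Rabbit's
lateral movement. Works on constructed sample records, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    logon_type: int    # 3 = network logon, which an SMB session produces
    source_ip: str     # IpAddress field of the event
    target_host: str   # host that recorded the event
    account: str       # TargetUserName field of the event


def parse_line(line: str) -> LogonEvent:
    """Parse one record of the assumed export format:
    timestamp|event_id|logon_type|source_ip|target_host|account"""
    ts, eid, ltype, src, host, acct = [p.strip() for p in line.split("|")]
    return LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), src, host, acct)


# Constructed sample: 10.0.0.15 sprays three accounts over two hosts and then
# succeeds on WS-22; 10.0.0.40 is a single typo; 10.0.0.41 is one user failing
# repeatedly on one account (a lockout candidate, but not a spray).
SAMPLE_LOG = """\
2017-10-24T13:00:01|4625|3|10.0.0.15|FILESRV01|Administrator
2017-10-24T13:00:02|4625|3|10.0.0.15|FILESRV01|Guest
2017-10-24T13:00:02|4625|3|10.0.0.15|FILESRV01|user
2017-10-24T13:00:03|4625|3|10.0.0.15|WS-22|Administrator
2017-10-24T13:00:04|4625|3|10.0.0.15|WS-22|Guest
2017-10-24T13:00:05|4624|3|10.0.0.15|WS-22|admin
2017-10-24T13:01:10|4625|3|10.0.0.40|FILESRV01|jsmith
2017-10-24T13:01:30|4624|3|10.0.0.40|FILESRV01|jsmith
2017-10-24T13:02:00|4625|3|10.0.0.41|FILESRV01|jdoe
2017-10-24T13:02:05|4625|3|10.0.0.41|FILESRV01|jdoe
2017-10-24T13:02:09|4625|3|10.0.0.41|FILESRV01|jdoe
"""


def detect_credential_spray(events, window=timedelta(minutes=5),
                            min_accounts=3, min_hosts=2):
    """Return {source_ip: finding} for every source whose failed network logons
    inside one `window` cover at least `min_accounts` distinct accounts on at
    least `min_hosts` distinct hosts. A 4624 from the same source during or
    shortly after the burst is reported as a found credential."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if e.logon_type == 3:            # only network (SMB-style) logons matter here
            by_src[e.source_ip].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e.event_id == 4625]
        for i, start in enumerate(fails):           # sliding window over failures
            in_win = [e for e in fails[i:] if e.when - start.when <= window]
            accounts = {e.account for e in in_win}
            hosts = {e.target_host for e in in_win}
            if len(accounts) >= min_accounts and len(hosts) >= min_hosts:
                deadline = in_win[-1].when + window
                success = [(e.target_host, e.account) for e in evs
                           if e.event_id == 4624 and start.when <= e.when <= deadline]
                findings[src] = {
                    "first_seen": start.when,
                    "accounts": sorted(accounts),
                    "hosts": sorted(hosts),
                    "credential_found": success,
                }
                break                                # one finding per source is enough
    return findings


def analyze(log_text: str):
    """Parse an export and run the spray detector over it."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_credential_spray(events)


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {len(f['accounts'])} accounts x {len(f['hosts'])} hosts "
              f"from {f['first_seen']}; credential found: {f['credential_found']}")
```

Only 10.0.0.15 is reported: the spray itself (three accounts across two hosts in four seconds) plus the success as `admin` on WS-22 that followed it. The single failed logon from 10.0.0.40 and the repeated failures of one account from 10.0.0.41 stay below the thresholds, which is the distinction a responder wants between a credential list being walked and ordinary password mistakes.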

Victims of the new encryptor include the Russian news outlets Interfax and Fontanka, as well as critical infrastructure such as the Kiev Metro and Odessa International Airport. As the investigation continues, researchers are examining whether the encrypted data can be recovered without paying the ransom.

Given the growing frequency and sophistication of ransomware, organizations are urged to take proactive measures. Kaspersky recommends disabling the WMI service to limit the malware's ability to spread across the network. Further best practices include treating unsolicited email with suspicion, not downloading software from unverified sources, and maintaining backups that are tested and kept offline or otherwise out of reach of an infected host.

Organizations should also run a reputable antivirus product and keep it, and the rest of the software estate, up to date. Awareness and preparedness remain the cheapest defence against an attack of this kind.

As ransomware continues to evolve, following advisories from credible security sources remains essential.
