The Bad Rabbit ransomware attack that hit Russia and Ukraine on Tuesday has been linked to Petya and is considered a new variant of it. It bears similarities to the WannaCry and Petya outbreaks earlier this year.
The list of organizations reportedly hit by the Bad Rabbit ransomware includes Russian media outlets Interfax and Fontanka, the airport in Odessa, the Kiev subway, the State Aviation Service of Ukraine and the Transport Ministry of Ukraine.
Infected computers display a screen stating that their files have been encrypted and instructing the user to visit a .onion site over the Tor anonymity network. The Tor site tells victims to pay 0.05 bitcoin, worth roughly $283, to obtain the key needed to recover the encrypted files. If the ransom is not paid within two days, the price goes up.
Distribution of Bad Rabbit Ransomware:
The malware is still being analyzed, but initial analysis indicates that it spreads through fake Flash Player updates. The malicious file has been delivered from compromised websites in Denmark, Ireland, Bulgaria, Turkey and Russia.
Researchers pointed out that the victim has to manually launch the fake Flash installer for the infection to occur. The file needs to obtain admin privileges, which causes Windows to display a User Account Control (UAC) prompt. Once executed, the dropper copies the main module (infpub.dat) to the Windows folder and executes it through rundll32.exe, a Windows component used to run code in DLL files.
The creator of Bad Rabbit appears to be a Game of Thrones fan: the scheduled tasks it creates are given the names of dragons from the “Game of Thrones” TV show. These tasks are used to execute other malware components and reboot the system. The ransom note is displayed both in text files dropped onto the system and via a boot locker screen.
Bad Rabbit encryption: Once it infects the system, it encrypts over 100 file types, including archives, backups, databases, images, documents, source code and virtual disk images. The encrypted files are given a “.encrypted” extension. It also clears the security logs and deletes the update sequence number (USN) journal to prevent file recovery.
The attackers have used the AES-128-CBC cipher and an RSA-2048 public key. It is still unclear whether files can be recovered without paying the ransom. However, researchers confirmed that data encrypted by Bad Rabbit is recoverable with the right key.
Prevention measures: Security researcher Amit Serper has come up with an early “vaccine” against the malware, which should stop systems from becoming infected. Step-by-step instructions with screenshots are available at https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware
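For responders who want to check a Windows host against the behaviour described above (the infpub.dat module in the Windows folder, scheduled tasks launching it through rundll32.exe, files renamed with the “.encrypted” extension, and cleared security logs), here is an added PowerShell triage script. It is an example written for this page, not code from the article or from the Cybereason research; the $ScanRoot and $MaxFiles parameters are this example's own, and Event ID 1102 is the standard Windows “audit log was cleared” event in the Security log. It only reports; it does not implement the vaccine, which is documented at the link above.

```powershell
# Bad Rabbit host triage (added example, not from the article).
# Reports the indicators the article describes and nothing else.
# $ScanRoot / $MaxFiles are parameters of this example only.
param(
    [string]$ScanRoot = $env:USERPROFILE,
    [int]$MaxFiles = 20
)

$findings = @()

# 1. Main module dropped into the Windows folder
$module = Join-Path $env:windir 'infpub.dat'
if (Test-Path $module) {
    $findings += "Module present: $module"
}

# 2. Scheduled tasks whose action runs rundll32.exe against infpub.dat
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'rundll32' -and $cmd -match 'infpub\.dat') {
            $findings += "Suspicious task '$($task.TaskName)': $cmd"
        }
    }
}

# 3. Files carrying the ".encrypted" extension under the scan root
$encrypted = Get-ChildItem -Path $ScanRoot -Filter '*.encrypted' -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -First $MaxFiles
if ($encrypted) {
    $first = @($encrypted)[0].FullName
    $findings += "Found $(@($encrypted).Count) '.encrypted' file(s) under $ScanRoot (first: $first)"
}

# 4. Security log cleared: Event ID 1102 ("The audit log was cleared")
$cleared = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 1102} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cleared) {
    $findings += "Security log was cleared at $($cleared.TimeCreated)"
}

# Summary
if ($findings.Count -eq 0) {
    Write-Output 'No Bad Rabbit indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell session, since reading the Security log and enumerating all scheduled tasks require administrator rights; a cleared Security log is itself worth noting, because the absence of older events means the 1102 record may be the only trace left of the clearing.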