A new massive ransomware campaign is rapidly spreading around Europe, the malware dubbed Bad Rabbit has already affected over 200 major organizations mainly in Russia, Ukraine, Germany, Japan, and Turkey in a few hours.
The Bad Rabbit ransomware has infected several big Russian media outlets, the Interfax news agency and Fontanka.ru confirmed they were hit by the malware.
According to Kaspersky, the Odessa International Airport has reported on a cyberattack on its information system, but it is still unclear it is the same attack.
“In some of the companies, the work has been completely paralysed – servers and workstations are encrypted,” head of Russian cyber-security firm Group-IB, Ilya Sachkov, told the TASS news agency.
According to the malware experts, Bad Rabbit ransomware is Petya-like malware that is targeting corporate networks.
The malicious code demands 0.05 bitcoin ransom (~ $280) from victims to unlock their systems.
Experts from Kaspersky that analyzed the malware, believe the Dab Rabbit ransomware is spread via drive-by download attacks, attackers are using fake Adobe Flash players installer to trick victims into installing the malware.
“On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine. Here’s what a ransom message looks like for the unlucky victims:” reported Kaspersky Lab.
“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” continues the analysis published by Kaspersky Lab.
The experts from security firm ESET tracked the Bad Rabbit ransomware as ‘Win32/Diskcoder.D‘. According to ESET, the malware is a new variant of Petya ransomware. it relies on the open-source encryption software DiskCryptor, files are encrypted RSA 2048 keys.
The researchers excluded the new ransomware uses the EternalBlue exploit, instead, it first scans the target network for open SMB shares, tries to access them using hardcoded list of credentials to drop the malicious code, then uses the Mimikatz tool to extract credentials from the target.
“Win32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does notuse the EthernalBlue vulnerability like the Win32/Diskcoder.C (Not-Petya) outbreak. First, it scans internal network for open SMB shares.” reads the analysis published by ESET.
“Mimikatz is launched on the compromised computer to harvest credentials. A hardcoded list username and password is also present.”
— Jiri Kropac (@jiriatvirlab) October 24, 2017
Researchers from ESET reported that the payment website is hosted on the Tor network, the ransom note provided instructions to make the payment while displaying a countdown of 40 hours before the price of decryption increase.
Security experts are still analyzing the Bad Rabbit ransomware, meantime, malware researchers from Kaspersky are suggesting to disable WMI service to prevent the malware from spreading over the target network and to block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat.
As usual stay vigilant when opening unsolicited mail containing documents or clicking on embedded links.