A new variant of the Bad Rabbit ransomware is ravaging a number of Eastern European countries, compromising both government agencies and private companies. At the time of writing, the threat has reached several countries, including Russia, Ukraine, Bulgaria and Turkey. According to a recent research report, confirmed victims include Odessa airport in Ukraine, the Kiev metro system in Ukraine, the Ministry of Infrastructure of Ukraine and three Russian news agencies, among them Interfax and Fontanka. CERT Ukraine issued a warning notification alerting Ukrainian companies to this new ransomware outbreak. Bad Rabbit is spreading at a pace similar to the NotPetya and WannaCry outbreaks seen in June and May respectively.
Bad Rabbit Ransomware Transferred to Your System Through a Fake Flash Update
Malware researchers report that Bad Rabbit has been spreading quickly via fake Flash update packages. The ransomware also carries several tools that help it move laterally inside a network, which may explain how it spread across so many organizations in such a short span of time. According to a recent Kaspersky report, the company's telemetry records show that Bad Rabbit spreads via a "drive-by attack": victims visiting compromised legitimate news websites are served fake Flash update links or notifications. Based on the latest analysis, Bad Rabbit uses Mimikatz to extract credentials from the local computer's memory and combines them with a list of hard-coded credentials. The malware then makes a concerted effort to access servers and workstations on the same network over SMB.
Bad Rabbit uses a disk coder that appears similar to the one used by the Petya and NotPetya ransomware. It first encrypts your files and then replaces the Master Boot Record (MBR). Once the malware has completed its work, the PC reboots and gets stuck on a custom ransom note displayed by the replacement MBR. This ransom note looks very similar to the Petya ransom note. According to the note, the attackers behind the ransomware ask victims to visit a website on the Tor network and pay 0.05 Bitcoins (about $280). The attackers allow only 40 hours to pay; after that, the ransom fee doubles.
Based on the characteristics described above, Bad Rabbit appears to be built on DiskCryptor, much like the HDDCryptor ransomware that targeted San Francisco's Muni transportation service at the start of this year. The malware's source code also contains various Game of Thrones references, such as the character name Grayworm. Furthermore, the ransomware sets up three scheduled tasks called Dragon, Rhaegal and Viserion, the names of the three dragons from Game of Thrones. This is not the only ransomware threat that borrows names from Game of Thrones; there are various others. So stay alert and protect yourself against these fake update alerts and ransomware attacks.
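The three scheduled task names the article attributes to Bad Rabbit (Dragon, Rhaegal and Viserion) are a cheap host-level indicator a defender can sweep for. The script below is an added example written for this page, not code from the article or from any vendor report: it parses text in the shape of `schtasks /query /fo CSV` output (the column layout `"TaskName","Next Run Time","Status"` is assumed) and reports any task whose leaf name matches one of the three names, case-insensitively and regardless of the task folder, which is slightly more general than the root-level names the article lists. The sample listing embedded in the script is constructed, not a real capture.

```python
import csv
import io

# Scheduled task names the article attributes to Bad Rabbit (Game of Thrones dragons).
BAD_RABBIT_TASK_NAMES = {"dragon", "rhaegal", "viserion"}

# Constructed sample in the shape of `schtasks /query /fo CSV` output.
# Assumption: header row "TaskName","Next Run Time","Status"; this is not a real capture.
SAMPLE_SCHTASKS_CSV = '''"TaskName","Next Run Time","Status"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"
"\\Dragon","N/A","Ready"
"\\rhaegal","10/24/2017 3:15:00 PM","Ready"
"\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot","N/A","Ready"
"\\Tools\\Viserion","N/A","Ready"
"\\Viserion_backup","N/A","Ready"
'''


def parse_schtasks_csv(text):
    """Parse schtasks CSV text into a list of row dicts keyed by the header.

    schtasks repeats the header row in front of each task folder when run
    with /v, so any row whose first cell is "TaskName" is treated as a
    header wherever it appears.
    """
    rows = []
    header = None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "TaskName":
            header = row
            continue
        if header is None:
            continue  # data before any header: malformed, skip
        rows.append(dict(zip(header, row)))
    return rows


def leaf_name(task_path):
    """Return the task's own name without its folder prefix (e.g. '\\Tools\\Viserion' -> 'Viserion')."""
    return task_path.rsplit("\\", 1)[-1]


def find_bad_rabbit_tasks(text):
    """Return the full task paths whose leaf name exactly matches one of the
    three dragon names (case-insensitive), sorted for stable output.

    An exact leaf match is used on purpose: a name that merely contains
    'viserion' (like 'Viserion_backup' in the sample) is not reported,
    which keeps the sweep low on false positives.
    """
    hits = []
    for row in parse_schtasks_csv(text):
        name = row.get("TaskName", "")
        if leaf_name(name).lower() in BAD_RABBIT_TASK_NAMES:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    # On a live Windows host the text would come from: schtasks /query /fo CSV
    for task in find_bad_rabbit_tasks(SAMPLE_SCHTASKS_CSV):
        print("suspicious scheduled task:", task)
```

A match on a production host is a reason to isolate the machine and pull the task definitions and the binaries they point at; the name alone is a lead, not proof, and the sweep should be paired with the other indicators the article describes (a fake Flash installer, unexpected SMB logons with domain or local admin accounts, and a modified MBR).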