A new ransomware strain dubbed “Bad Rabbit” began spreading earlier this week.
It has already infected scores of computers in Russia, Ukraine, Turkey and Germany, with most reported victims in Eastern Europe.
After WannaCry and NotPetya, this is the third large-scale ransomware outbreak of 2017. Like its predecessors, it spreads across networks partly by means of a leaked NSA SMB exploit (EternalRomance, described below).
According to reports, the Bad Rabbit ransomware is particularly targeting corporate networks with several media outlets and organizations already falling victim.
Individuals are just as exposed, however, because the initial infection comes from a fake Adobe Flash Player update, a convincing lure since Flash was still installed on a large share of desktop computers.
What Is Bad Rabbit Ransomware, Exactly?
Bad Rabbit is yet another example of ransomware being used by cyber criminals to extort cash. Like other ransomware, it encrypts the contents of a victim’s system and demands a payment to unlock it.
As mentioned earlier, it infects users by disguising itself as an Adobe Flash Player update, and we’ll be explaining all of that and more below.
How Does Bad Rabbit Ransomware Work?
The Bad Rabbit ransomware enters networks by convincing users to install a phony Flash Player update placed on several compromised, otherwise legitimate websites. No browser exploit is involved: the victim has to download and run the fake installer.
After successfully infecting a machine, it runs an embedded Mimikatz component (an open-source tool that extracts Windows credentials from memory) to harvest the credentials of logged-on users. It then tries those credentials, together with a built-in list of common usernames and passwords, against other machines on the network over SMB.
If these brute-force logins aren’t successful, Bad Rabbit resorts to the NSA’s EternalRomance SMB exploit to spread through the network. On each infected machine it also encrypts files with common document, archive and media extensions, then uses a bundled copy of the legitimate DiskCryptor driver to encrypt the disk, replaces the machine’s boot record with its own bootloader and reboots. The bootloader displays a ransom note asking the victim to pay 0.05 Bitcoin.
Game of Thrones enthusiasts might find it amusing that the three scheduled tasks the malware creates are named after three dragons from the series (Viserion, Rhaegal and Drogon), while one of the installer’s internal names refers to a military commander from the show (Gray Worm).
Whoever created the ransomware appears to be a huge Game of Thrones fan.
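The infection chain above leaves a few artefacts that an administrator can check for on a host: the two files dropped into C:\Windows (infpub.dat and cscc.dat) and the dragon-named scheduled tasks. The following is an added triage script, not code from the original post or from any vendor; it assumes Windows 8/Server 2012 or later (for Get-ScheduledTask), an elevated PowerShell session, and that the task names may carry a suffix, hence the wildcards.

```powershell
# Added example: local triage for the Bad Rabbit artefacts described above.
# Assumption: run as Administrator on Windows 8 / Server 2012 or later.
$findings = New-Object System.Collections.Generic.List[string]

# 1. The two files the dropper writes into C:\Windows.
foreach ($path in 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat') {
    if (Test-Path -LiteralPath $path) {
        $item     = Get-Item -LiteralPath $path -Force
        $aceCount = @((Get-Acl -LiteralPath $path).Access).Count
        if ($item.Length -eq 0 -and $aceCount -eq 0) {
            # A zero-byte file with an empty DACL is the "vaccine" placeholder, not an infection.
            $findings.Add("OK   $path is a vaccine placeholder (0 bytes, no ACEs)")
        } else {
            $mod = $item.LastWriteTimeUtc.ToString('u')
            $findings.Add("WARN $path exists: $($item.Length) bytes, $aceCount ACE(s), modified $mod")
        }
    }
}

# 2. Scheduled tasks named after the dragons (wildcards: the names may carry a suffix).
$dragons = 'viserion*', 'rhaegal*', 'drogon*'
$tasks = Get-ScheduledTask -TaskName $dragons -ErrorAction SilentlyContinue
foreach ($t in @($tasks)) {
    $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("WARN scheduled task '$($t.TaskName)' (state: $($t.State)) runs: $action")
}

if ($findings.Count -eq 0) {
    Write-Host 'No Bad Rabbit artefacts found on this host.'
} else {
    $findings | ForEach-Object { Write-Host $_ }
}
```

Any WARN line means the host should be isolated from the network before the scheduled reboot runs, since the disk encryption happens after the reboot. The script only looks for the artefacts named in this post; it is a quick check, not a substitute for a proper endpoint scan.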
How to Prevent a Bad Rabbit Ransomware Attack?
There are several steps you can take to keep Bad Rabbit from reaching your systems. The following preventative measures are advised:
- Keep your systems fully patched, in particular with MS17-010, the March 2017 Windows SMB patch that closes the hole EternalRomance exploits.
- Don’t download or run an Adobe Flash Player update offered by a website pop-up; take Flash updates only from Adobe or your browser’s own update mechanism.
- Keep offline backups of all your files and verify that you can restore from them.
- According to Amit Serper, Cybereason’s principal security researcher, creating two files in C:\Windows (infpub.dat and cscc.dat) and removing all their permissions immunizes a machine against Bad Rabbit: the dropper cannot write its payload over a file it has no access to. The method was confirmed only against the samples seen so far and must be applied to every machine, so treat it as a stopgap alongside patching rather than a replacement for it.
I can confirm – Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. 🙂
— Amit Serper WWHF (@0xAmit) October 24, 2017
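The vaccination above, written out as an added PowerShell example (not Amit Serper’s or Cybereason’s code): it creates the two files, stops them inheriting permissions from C:\Windows without keeping copies of the inherited entries, removes any explicit entries, and then verifies that each file has an empty DACL. It assumes an elevated PowerShell session on Windows; the two paths are the ones from the tweet.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the Bad Rabbit "vaccine" and verify it.
# Assumption: elevated PowerShell on Windows; paths are those named in the tweet.
$paths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        New-Item -ItemType File -Path $p -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $p
    # Protect the DACL from inheritance and discard the inherited entries
    # (second argument $false means "do not copy them as explicit entries").
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries that may already exist, leaving an empty DACL.
    # An empty DACL (as opposed to a missing one) grants nobody any access.
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $p -AclObject $acl
}

# Verification: each file must exist and carry no access control entries.
foreach ($p in $paths) {
    $acl   = Get-Acl -LiteralPath $p
    $count = @($acl.Access).Count
    if ($count -eq 0) {
        Write-Host "$p : vaccinated (0 ACEs)"
    } else {
        Write-Warning "$p still has $count ACE(s):"
        $acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize | Out-String | Write-Warning
    }
}
```

Because the owner of a file (and any administrator, by taking ownership) can always rewrite its DACL, the vaccine only stops a dropper that simply tries to write the file; it does not protect a host whose administrator account has already been compromised, and it does nothing for unvaccinated machines elsewhere on the network.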
For additional protection against Bad Rabbit, PureVPN’s built-in antivirus is designed to detect and block the malware before it can run on your system.