My title Page contents

Bad Rabbit Ransomware Outbreak: Things You Need to Know

When news broke of the third major ransomware outbreak of the year, there was lots of confusion. Now the dust has settled, we can dig down into what exactly “Bad Rabbit” is.

As per the media reports, many computers have been encrypted with this cyber-attack. Public sources have confirmed that Kiev Metro’s computer systems along with Odessa airport as well as other numerous organizations from Russia have been affected. The malware used for this cyber-attack was “Disk Coder.D” – a new variant of the ransomware which popularly ran by the name of “Petya”. The previous cyber-attack by Disk Coder left damages on a global scale in June 2017.

ESET’s telemetry system has reported numerous occurrences of Disk Coder. D within Russia and Ukraine however, there are detections of this cyber-attack on computers from Turkey, Bulgaria and a few other countries as well.

A comprehensive analysis of this malware is currently being worked upon by ESET’s security researchers. As per their preliminary findings, Disk Coder. D uses the Mimikatz tool to extract the credentials from affected systems. Their findings and analysis are ongoing, and we will keep you informed as soon as further details are revealed.

The ESET telemetry system also informs that Ukraine accounts only for 12.2% from the total number of times they saw Bad Rabbit infiltration. Following are the remaining statistics:

Russia: 65%

Ukraine: 12.2%

Bulgaria: 10.2%

Turkey: 6.4%

Japan: 3.8%

Other: 2.4%

The distribution of countries was compromised by Bad Rabbit accordingly. Interestingly, all these countries were hit at the same time. It is quite likely that the group already had their foot inside the network of the affected organizations.

It’s definitely ransomware

Those unfortunate enough to fall victim to the attack quickly realized what had happened because the ransomware isn’t subtle – it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”. Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the payment for decrypting files is 0.05 bitcoin – around $285. Those who don’t pay the ransom before the timer reaches zero are told the fee will go up and they’ll have to pay more. The encryption uses DiskCryptor, which is open source legitimate and software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.

It’s based on Petya/Not Petya

If the ransom note looks familiar, that’s because it’s almost identical to the one victims of June’s Petya outbreak saw. The similarities aren’t just cosmetic either – Bad Rabbit shares behind-the-scenes elements with Petya too.

Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.

The attack has hit high profile organizations in Russia and Eastern Europe

Researchers have found a long list of countries of have fallen victim to the outbreak – including Russia, Ukraine, Germany, Turkey, Poland and South Korea. Three media organizations in Russia, as well as Russian news agency Interfax, have all declared file-encrypting malware or “hacker attacks” – being brought offline by the campaign. Other high-profile organizations in the affected regions include Odessa International Airport and Kiev Metro. This has led the Computer Emergency Response of Ukraine to post that the “possible start of a new wave of cyber-attacks to Ukraine’s information resources” had occurred.

It may have had selected targets

When WannaCry broke, systems all across the world were affected by an apparent indiscriminate attack. Bad Rabbit, on the other hand, might have targeted corporate networks.

Researchers at ESET have backed this idea up, claiming that the script injected into infected websites can determine if the visitor is of interest and then add the contents page – if the target is seen as suitable for the infection.

It spreads via a fake Flash update on compromised websites

The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites – some of which have been compromised since June – are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install. Infected websites – mostly based in Russia, Bulgaria, and Turkey – are compromised by having JavaScript injected in their HTML body or in one of their.js files.

It can spread laterally across networks

Like Petya, the Bad Rabbit Ransomware attack contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction.

The spread of Bad Rabbit is made easy by simple username and password combinations which it can exploit to force its way across networks. This list of weak passwords is the often-seen easy-to-guess passwords – such as 12345 combinations or having a password set as “password”.

It doesn’t use EternalBlue

When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn’t appear to be the case. “We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection,” Martin Lee, Technical Lead for Security Research at Talos told ZDNet.

It contains Game of Thrones references

Whoever it behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.

There’s steps you can take to keep safe

At this moment in time, nobody knows if it is yet possible to decrypt files that are locked by Bad Rabbit. Some might suggest to pay the ransom and see what happens… Bad idea.

It’s quite reasonable to think that paying nearly $300 is worth paying for what might be highly important and priceless files, but paying the ransom almost never results in regaining access, nor does it help the fight against ransomware – an attacker will keep targeting as long as they’re seeing returns.

Spyware and Viruses

Process of Detecting Virus Infection

Virus Infection In today’s world, viruses have become a constant threat to public health. Viruses can spread quickly and have the potential to cause significant harm to individuals and entire populations. Identifying a viral infection is crucial to determine the best course of treatment and prevent the spread of the virus. In this article, we […]

Read More
Computers and Functions
Spyware and Viruses

Types Computers and Functions

Computers and Functions we do many things with computers, from working, entertaining ourselves, searching for information, and so on. When talking about a computer, many people imagine a device with a monitor, keyboard and mouse that are usually placed on the table. Though, the term computer can be applied to almost any device that has […]

Read More
Spyware and Viruses

NSIS Type of LockBit 3.0 Ransomware Disguised as Job

In February and June, the ASEC Analysis team posted in the blog about LockBit 2.0 ransomware being distributed via email. In this blog, we will introduce the new version of the LockBit 3.0 ransomware that is still being distributed through similar method. While in June there were multiple cases of the ransomware being distributed disguised as […]

Read More
Open chat
Iam Guest Posting Service
I Have 600 Site
Status : Indexed All
Good DA : 40-60
Different Nice I Category
Drip Feed Allowed
I can instant publish

My Service :
1. I will do your orders maximum of 1X24 hours, if at the time i’am online. I will do a maximum of 1 hour and the process is complete.
2. If any of you orders are not completed a maximum of 1x24 hours, you do not have to pay me, or free.
3. For the weekend, I usually online, that weekend when i’am not online, it means i’am working Monday.
4. For the payment, maximum payed one day after published live link.
5. Payment via paypal account
If you interesting, please reply
Thank You