Just months after WannaCrypt spread panic around the world, a new ransomware strain has emerged across Europe and a few other places. It is called Bad Rabbit; it brute-forces NTLM login credentials on Windows and uses several other exploits to spread and encrypt files on an affected computer.
Victims of this ransomware are redirected from legitimate news websites to a site on the darknet, where they are prompted to install the malware, which is disguised as Adobe Flash Player. Once it is installed, all of their files are encrypted and the victim is asked to pay 0.05 Bitcoin ($276.85 at the time of publication) to regain access to them. Kaspersky Lab has identified almost 200 targets in Turkey and Germany.
When the disguised program is installed, the malicious DLL is saved as a file under C:\Windows\ which, in turn, installs the malicious executable. The malware also installs a modified bootloader, so victims lose all access to their computer.
“What’s more, acts as a typical file-encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them using the criminal’s public RSA-2048 key,” said researchers at Kaspersky Lab.
A tweet by Group-IB shows a countdown timer displayed alongside the on-screen ransom message. Victims have around 40 hours to pay, and once the timer runs out the ransom increases.
— Group-IB (@GroupIB_GIB) October 24, 2017
Interfax Ltd, a major news company in Russia, tweeted that its systems have been affected. The Ukrainian Computer Emergency Response Team said Odessa Airport was also hit, and there are reports of Bad Rabbit attacks in Germany, Turkey, Poland, Bulgaria and South Korea.
Security researcher Amit Serper tweeted a precautionary measure against Bad Rabbit that you can apply to avoid being affected.
I can confirm – Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. 🙂 pic.twitter.com/5sXIyX3QJl
— Amit Serper (@0xAmit) October 24, 2017
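The steps in the tweet above, scripted in PowerShell as an added example (this is not code from the article or from Amit Serper). It assumes an elevated PowerShell session on Windows and uses only the two file names given in the tweet:

```powershell
# Added example, not from the article or the researcher: applies the
# "vaccination" from the tweet. Assumes an elevated session on Windows;
# the two file names are the ones given in the tweet.
#Requires -RunAsAdministrator

$vaccineFiles = @(
    'C:\Windows\infpub.dat',
    'C:\Windows\cscc.dat'
)

foreach ($path in $vaccineFiles) {
    # Create an empty placeholder only if nothing is there already; a file
    # that already exists under that name deserves inspection, not reuse.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting permissions from C:\Windows and do not copy the
    # inherited entries (first arg = protect, second arg = preserve).
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit access rule that remains so that no principal,
    # SYSTEM and Administrators included, holds any right on the file.
    # An empty (non-null) DACL means "deny everyone" on Windows.
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }

    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify: each file should exist and report an empty access list.
foreach ($path in $vaccineFiles) {
    $exists    = Test-Path -LiteralPath $path
    $remaining = (Get-Acl -LiteralPath $path).Access.Count
    Write-Output ("{0}: exists={1}, ACEs remaining={2}" -f $path, $exists, $remaining)
}
```

Administrators retain the ability to take ownership and restore permissions later, so the change is reversible if the placeholder files need to be removed.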
The perpetrators of this attack have not been identified, and no workaround has been found for infected computers. It is advisable not to pay to get data back: there is no guarantee that the attackers will oblige, and paying only encourages them.