
Bad Rabbit ransomware: who has been hit and how does it spread?

A fresh ransomware attack has apparently struck news organisations in Russia and infrastructure providers in Ukraine. Dubbed Bad Rabbit, the virus appears to be less contagious than the Petya/NotPetya attack that emerged in the same region in June, but it shares some similarities.

Who has been hit?

According to Kaspersky Lab, most of the organisations hit by the ransomware, dubbed Bad Rabbit, are Russian. “We have also seen similar but fewer attacks in Ukraine, Turkey and Germany,” the security firm’s Vyacheslav Zakorzhevsky said in a statement. It has been reported in Bulgaria, Poland and South Korea too.

One of the most high-profile Russian targets is the Interfax news agency, which announced on Facebook that its servers had been hit. Russian security firm Group-IB said in a tweet that it was aware of at least three affected newsrooms.

Meanwhile in Ukraine, Odessa airport, the Kiev Metro and the Ministry of Infrastructure all appear to have been struck by the ransomware.

How does it spread?

“Compromised but legitimate websites have an embedded script that pushes the victim to the download URL,” Trend Micro’s VP for security research Rik Ferguson told NS Tech. “The download URL downloads an executable file that the user has to execute themselves. This is why it’s much lower priority than WannaCry and NotPetya; there’s still a victim interaction. It masquerades as a Flash update.”

Another reason the ransomware spreads more slowly than WannaCry and NotPetya is that it does not exploit EternalBlue or EternalRocks vulnerabilities in Windows.

“It doesn’t have those propagation capabilities but it does have propagation capabilities based on legitimate sysadmin-type tools, brute forcing of username and passwords with built in credential lists and so on, and capabilities for credential theft,” said Ferguson. “So it is designed to spread but it’s designed to spread in a much more controlled fashion than WannaCry and NotPetya.”

Once the file has been downloaded on to a Windows PC, it drops encryptor software into the Windows folder and a copy of itself into the system’s default admin share. Like NotPetya, it relies partly on the open-source Mimikatz tools to extract credentials. “It will then propagate over the network using the credentials,” said Ferguson.

What’s it designed to do?

Unlike NotPetya, Bad Rabbit appears to be properly engineered to raise funds, demanding that victims pay 0.05 bitcoin (£217) to have their files decrypted. “Bad Rabbit, on the face of it, looks more like it’s financially motivated in that there is a payment mechanism, there are keys, the keys are not destroyed by the software itself, which was the case with NotPetya,” said Ferguson.

Security experts always encourage victims to restore their files from backups rather than pay the ransom, which encourages future attacks.