Everything We Know About BadRabbit And How To Protect Yourself
2017 has been a big year for ransomware outbreaks. First, we saw WannaCry and Petya and now a new form of ransomware has come onto the scene. Like other forms of ransomware, BadRabbit locks away files and demands affected users pay a ransom in order to unlock them. However, many experts have cautioned victims not to pay as it is unlikely that the people behind Bad Rabbit will uphold their end of the bargain.
In their official advisory, the United States Computer Emergency Readiness Team wrote, “US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored.”
The ransomers are demanding 0.5 bitcoins, which currently works out to $275. The ransom message also displays a 41-hour timer, warning users that if they do not pay within that period, the ransom will increase.
Where did BadRabbit Come From?
Bad Rabbit appears to have originated in eastern Europe, with a number of prominent Russian companies being affected by the attack. Current reports state that at least three media outlets, multiple banks, an airport, and Ukraine's Ministry of Infrastructure, among others, have fallen victim to the attack. While the attack does appear to have originated in eastern Europe, it has spread across continents. As of this writing, reports have confirmed that at least 200 organizations have been attacked. These organizations are located in the following countries.
- South Korea
- United States
In their report, Kaspersky Lab noted that this new strain of ransomware is similar to the earlier Petya ransomware, which also affected eastern Europe.
In terms of spreading the attack, reports indicate that it was done via fake Adobe Flash updates. Users who visited the infected sites were told to update their Flash Player. Of course, instead of getting Adobe, they got Bad Rabbit.
— Costin Raiu (@craiu) October 24, 2017
How BadRabbit was spread
In their official report on the BadRabbit malware, Cisco Talos wrote, “Talos assesses with high confidence that a fake Flash Player update is being delivered via a drive-by-download and compromising systems. The sites that were seen redirecting to BadRabbit were a variety of sites that are based in Russia, Bulgaria, and Turkey.”
On the surface, this outbreak might bear a resemblance to the EternalBlue exploit that the Shadow Brokers released earlier this year. EternalBlue has been used in multiple cases of ransomware after being stolen from the NSA. However, there is currently no evidence that BadRabbit uses EternalBlue.
Protecting your Computer
Benjamin Franklin once said that “an ounce of prevention is worth a pound of cure,” so the best thing users can do to protect themselves is take precautions against malware. Never download files from unverified sources, make sure you run anti-virus software and, as annoying as Windows updates can be, keep your machine as up to date as possible.
Additionally, there is a “vaccine” for BadRabbit that can protect your computer from the malware.
I can confirm – Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. 🙂 pic.twitter.com/5sXIyX3QJl
— Amit Scareper 🎃 (@0xAmit) October 24, 2017
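The vaccination steps in the tweet above, written out as a PowerShell script. This is an added example, not code from the tweet's author or from any vendor advisory: it creates the two files the tweet names under the Windows directory, disables ACL inheritance on them, strips every remaining access entry, and then reads the ACL back to confirm nothing is left. It assumes an elevated (administrator) PowerShell session on Windows; the file names come from the tweet, everything else is this example's own.

```powershell
# Added example: apply the BadRabbit "vaccine" described in the tweet above.
# Assumes an elevated PowerShell session; $env:SystemRoot is normally C:\Windows.
$vaccineFiles = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),
    (Join-Path $env:SystemRoot 'cscc.dat')
)

foreach ($path in $vaccineFiles) {
    # Step 1: create the (empty) file if it does not already exist.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Step 2: disable inheritance and discard the inherited entries
    # (first argument: protect from inheritance; second: do not copy inherited rules).
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)

    # Step 3: remove any explicit entries that remain so the DACL is empty.
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Step 4: verify. An empty DACL means no account has been granted access.
    $remaining = (Get-Acl -LiteralPath $path).Access.Count
    if ($remaining -eq 0) {
        Write-Output "$path : vaccinated (0 access entries)"
    } else {
        Write-Warning "$path : $remaining access entries still present, check permissions"
    }
}
```

Run it once as an administrator and keep the output: a file that still reports access entries has not been locked down and should be checked by hand in the file's Security tab. This measure only addresses the specific files this strain uses, so it complements, rather than replaces, offline backups and the update and anti-virus advice above.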
Eric is an avid tech junkie, gamer, and comic fan. When he's not working on his PC, you'll find him at your local comic book shop.