{"id":19887,"date":"2017-10-24T12:42:49","date_gmt":"2017-10-24T16:42:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=19887"},"modified":"2019-11-15T06:44:20","modified_gmt":"2019-11-15T11:44:20","slug":"bad-rabbit-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/bad-rabbit-ransomware\/19887\/","title":{"rendered":"Bad Rabbit: A new ransomware epidemic is on the rise"},"content":{"rendered":"<p><b>The post is being updated as our experts find new details on the malware.<\/b><\/p>\n<p>We\u2019ve already seen two large-scale ransomware attacks this year \u2014 we\u2019re talking about the infamous <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">WannaCry<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ExPetr<\/a> (also known as Petya and NotPetya). It seems that a third attack is on the rise: The new malware is called Bad Rabbit \u2014 at least, that\u2019s the name indicated by the darknet website linked in the ransom note.<\/p>\n<p>What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and Fontanka.ru among the confirmed victims of the malware. 
Odessa International Airport has reported on a cyberattack on its information system, though whether it\u2019s the same attack is not yet clear.<\/p>\n<p>The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom \u2014 that\u2019s roughly $280 at the current exchange rate.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/10\/24124149\/badrabbit_1.gif\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/10\/24124149\/badrabbit_1.gif\" alt=\"\" width=\"720\" height=\"405\" class=\"aligncenter size-full wp-image-19890\"><\/a><\/p>\n<p>According to our findings, it is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Our researchers have detected a number of compromised websites, all news or media sites.<\/p>\n<p>According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. <\/p>\n<p>Our experts have collected enough evidence to link the Bad Rabbit attack with the <a href=\"https:\/\/www.kaspersky.com\/blog\/expetr-for-b2b\/17343\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ExPetr attack<\/a>, which happened in June of this year. 
According to their analysis, some of the code used in Bad Rabbit was previously spotted in ExPetr.<\/p>\n<p>Other similarities include the same list of domains used for the drive-by attack (some of those domains were hacked back in June but not used) as well as the same techniques used for spreading the malware throughout corporate networks \u2014 both attacks used Windows Management Instrumentation Command-line (WMIC) for that purpose. However, there is a difference: Unlike ExPetr, Bad Rabbit doesn\u2019t use the EternalBlue exploit for the infection. But it uses the EternalRomance exploit to move laterally on the local network.<\/p>\n<p>Our experts think the same threat actor is behind both attacks and that this threat actor was preparing the Bad Rabbit attack by July 2017, or even earlier. However, unlike ExPetr, Bad Rabbit seems to be not a wiper, but just ransomware: It encrypts files of some types and installs a modified bootloader, thus preventing the PC from booting normally. Because it is not a wiper, the malefactors behind it potentially have the ability to decrypt the password, which, in turn, is needed to decrypt files and allow the computer to boot the operating system.<\/p>\n<p>Unfortunately, our experts say that there is no way to get the encrypted files back without knowing the encryption key. However, if for some reason Bad Rabbit didn\u2019t encrypt the whole disk, it is possible to retrieve the files from the shadow copies (if the shadow copies were enabled prior to the infection). We continue our investigation. 
In the meantime, you can find more technical details in this <a href=\"https:\/\/securelist.com\/bad-rabbit-ransomware\/82851\/\" target=\"_blank\" rel=\"noopener\">post on Securelist<\/a> and learn about ransomware protection more generally <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/ransomware-protection\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>.<\/p>\n<p>Kaspersky Lab\u2019s products detect the attack with the following verdicts:<\/p>\n<ul>\n<li>Trojan-Ransom.Win32.Gen.ftl<\/li>\n<li>Trojan-Ransom.Win32.BadRabbit<\/li>\n<li>DangerousObject.Multi.Generic<\/li>\n<li>PDM:Trojan.Win32.Generic<\/li>\n<li>Intrusion.Win.CVE-2017-0147.sa.leak<\/li>\n<\/ul>\n<p>To avoid becoming a victim of Bad Rabbit:<\/p>\n<p>Users of Kaspersky Lab products:<\/p>\n<ul>\n<li>Make sure you have System Watcher and Kaspersky Security Network running. If not, it\u2019s essential to turn these features on.<\/li>\n<\/ul>\n<p>Other users:<\/p>\n<ul>\n<li>Block the execution of the files c:\\windows\\infpub.dat and c:\\Windows\\cscc.dat.<\/li>\n<li>Disable the WMI service (if it\u2019s possible in your environment) to prevent the malware from spreading over your network.<\/li>\n<\/ul>\n<p>Tips for everyone:<\/p>\n<ul>\n<li>Back up your data.<\/li>\n<li>Don\u2019t pay the ransom.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>POST IS BEING UPDATED LIVE. The world is being hit with yet another ransomware epidemic. 
It\u2019s called Bad Rabbit, and here&#8217;s what we know about it so far.<\/p>\n","protected":false},"author":675,"featured_media":19888,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[2721,2720,2723,2544,1511,420,723,2722],"class_list":{"0":"post-19887","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-bad-rabbit","9":"tag-badrabbit","10":"tag-epidemic","11":"tag-outbreak","12":"tag-petya","13":"tag-ransomware","14":"tag-trojans","15":"tag-wiper"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bad-rabbit-ransomware\/19887\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/bad-rabbit-ransomware\/11663\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/bad-rabbit-ransomware\/9747\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/bad-rabbit-ransomware\/5456\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/bad-rabbit-ransomware\/13106\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/bad-rabbit-ransomware\/11993\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/bad-rabbit-ransomware\/11628\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bad-rabbit-ransomware\/14652\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bad-rabbit-ransomware\/14391\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bad-rabbit-ransomware\/19072\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/bad-rabbit-ransomware\/4326\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/bad-rabbit-ransomware\/9696\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/bad-rabbit-ransomware\/8396\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/bad-rabbit-ransomware\/15081\/"},{"hreflang":"ja","url":"ht
tps:\/\/blog.kaspersky.co.jp\/bad-rabbit-ransomware\/18518\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bad-rabbit-ransomware\/18986\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bad-rabbit-ransomware\/18974\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19887"}],"version-history":[{"count":14,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19887\/revisions"}],"predecessor-version":[{"id":29892,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19887\/revisions\/29892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19888"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}