Bad Rabbit is the latest ransomware outbreak, and it started to spread and infect systems on Oct. 24.
It's the third major one this year, following the likes of WannaCry and Petya.
The Ransom Note
Victims of Bad Rabbit definitely know that they've been hit by ransomware because the perpetrators left nothing to the imagination with their ransom note (pictured). It tells them that their files are "no longer accessible" and advises them to "don't waste time" looking for a solution because the encrypted data isn't recoverable without their decryption service.
How Much Is The Ransom?
The people behind Bad Rabbit demand payment in the form of the cryptocurrency Bitcoin, asking for 0.05 BTC. That translates to about $285.
What's worse is they aren't giving the victims time to decide, setting a 40-hour timer before the ransom increases.
How Bad Rabbit Spreads
Bad Rabbit tricks users into installing the ransomware by way of fake Adobe Flash update prompts. On compromised websites, users will see a pop-up that tells them to update Flash, and when they click on Install, that's when the malware starts locking up systems.
The culprits hacked websites by injecting JavaScript into their HTML body or .js file, and from the look of things, they have been setting things up since July 2017.
It appears the attackers behind #Badrabbit have been busy setting up their infection network on hacked sites since at least July 2017. pic.twitter.com/fV5U1FeVtR
— Costin Raiu (@craiu) October 24, 2017
More than that, it employs an SMB component that allows it to spread even when users don't interact with it, Cisco Talos says.
"This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as SMB to proliferate."
However, the researchers note that there's no evidence of Bad Rabbit using the EternalBlue exploit to spread, despite initial reports.
Who Are Bad Rabbit's Targets?
The targets are mostly organizations in Russia, with small-scale attacks carried out in Ukraine, Turkey, and Germany, according to Kaspersky Lab.
Numerous reports making rounds online say that almost 200 targets, counting victims in Poland, South Korea, Bulgaria, and the United States.
What To Do When Infected?
Security experts recommend that victims shouldn't pay the ransom. While the locked-up files may be important, users shouldn't give in to it because, in doing so, it'll propagate such ransomware.
That said, it's unclear whether or not there's a viable way to decrypt the data, which highlights the importance of backups.
How To Prevent Getting Infected
Kaspersky Lab has two suggestions to avoid falling victim to Bad Rabbit. The first is to block the execution of files "c:\windows\infpub.dat" and "c:\Windows\cscc.dat." Other security researchers also sing a similar tune:
I can confirm - Vaccination for #badrabbit: Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat - remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) pic.twitter.com/5sXIyX3QJl — Amit Serper (@0xAmit) October 24, 2017
The second is to disable WMI service, which will prevent the malware from spreading in the local network.
Bonus: Game of Thrones Fan
On an interesting note, the wrongdoers seem to be big fans of Game of Thrones. The code has some strings that reference to characters in the television series and the books by George R. R. Martin, which are Viserion, Drogon, and Rhaegal, the three iconic dragons of the story.
