A new ransomware virus dubbed “Bad Rabbit” is spreading like wildfire in Europe, already infecting over 200 major organisations primarily in Russia, Ukraine, Turkey and Germany in just a few hours.
The virus is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~ $285) as ransom from victims to unlock their systems.
According to a preliminary analysis provided by Kaspersky, the virus was circulated via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly.
“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer,” Kaspersky said, adding that they have already “detected a number of compromised websites, all of which were news or media websites.”
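Because the dropper arrives as a user-initiated download from a compromised media site rather than through an exploit, a web proxy log is a natural place to look for it. The following is an added example (not from the article, Kaspersky or ESET) that scans constructed proxy log lines for executable downloads whose filename suggests a Flash installer but whose host is not an official Adobe domain. The log format, the allowlisted domains and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: client_ip referrer url content_type.
# This flat layout is an assumption for the example; real proxies differ.
SAMPLE_LOG = """\
10.0.0.12 http://news.example/article/123 http://cdn.example-news.com/install_flash_player.exe application/x-msdownload
10.0.0.15 - http://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.101/install_flash_player.exe application/x-msdownload
10.0.0.17 http://media.example/live http://static.media-cache.net/flash_update.exe application/octet-stream
10.0.0.18 http://news.example/article/124 http://news.example/images/logo.png image/png
"""

# Assumed set of hosts from which a genuine Flash installer could be served.
LEGIT_FLASH_HOSTS = ("adobe.com", "macromedia.com")
FLASH_NAME = re.compile(r"flash", re.IGNORECASE)
EXE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}


def host_is_legit(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_FLASH_HOSTS)


def parse_line(line):
    client, referrer, url, ctype = line.split()
    return {"client": client, "referrer": referrer, "url": url, "ctype": ctype}


def flag_fake_flash_downloads(log_text):
    """Return records for executable downloads named like a Flash installer
    that were served from a host outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parsed = urlparse(rec["url"])
        fname = parsed.path.rsplit("/", 1)[-1]
        looks_executable = rec["ctype"] in EXE_TYPES or fname.lower().endswith(".exe")
        if not looks_executable:
            continue
        if FLASH_NAME.search(fname) and not host_is_legit(parsed.hostname or ""):
            hits.append({
                "client": rec["client"],
                "host": parsed.hostname,
                "file": fname,
                "referrer": rec["referrer"],
            })
    return hits


if __name__ == "__main__":
    for hit in flag_fake_flash_downloads(SAMPLE_LOG):
        print(hit)
```

The referrer is kept in each hit because, in the campaign described above, the download was triggered from a news or media site; correlating the referrer across many clients shows which site was compromised.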
However, security researchers at ESET have detected Bad Rabbit malware as ‘Win32/Diskcoder.D’ — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye.
Bad Rabbit ransomware uses DiskCryptor, an open source full-drive encryption software, to encrypt files on infected computers.
ESET thinks that the new wave of ransomware attacks is not using the EternalBlue exploit — the leaked SMB vulnerability used by WannaCry and Petya ransomware to spread through networks.
Instead, the virus scans internal networks for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.
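Trying a hardcoded credential list against SMB shares leaves a recognisable trace in Windows Security logs: one source generating failed network logons (event 4625, logon type 3) for many different accounts against several hosts in a short time, sometimes followed by a successful logon (event 4624) using one of the same accounts. The following is an added example, not code from the article or from the researchers it cites, that applies that heuristic to constructed event records. The flat record layout, the thresholds and the sample data are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security events 4625 (failed
# logon) and 4624 (successful logon) with logon type 3 (network), the type
# SMB authentication produces. The layout
# "timestamp event_id logon_type source_ip target_host account" is an
# assumption for this example; real SIEM exports differ.
SAMPLE_EVENTS = """\
2017-10-24T13:00:01 4625 3 10.0.5.42 HOST-A Administrator
2017-10-24T13:00:02 4625 3 10.0.5.42 HOST-A admin
2017-10-24T13:00:03 4625 3 10.0.5.42 HOST-B Administrator
2017-10-24T13:00:04 4625 3 10.0.5.42 HOST-B user
2017-10-24T13:00:05 4625 3 10.0.5.42 HOST-C guest
2017-10-24T13:00:06 4625 3 10.0.5.42 HOST-C root
2017-10-24T13:00:07 4625 3 10.0.5.42 HOST-C backup
2017-10-24T13:00:09 4624 3 10.0.5.42 HOST-D admin
2017-10-24T13:05:00 4625 3 10.0.5.50 HOST-A jsmith
2017-10-24T13:05:04 4625 3 10.0.5.50 HOST-A jsmith
2017-10-24T13:05:10 4624 3 10.0.5.50 HOST-A jsmith
"""

WINDOW = timedelta(minutes=10)  # assumed analysis window
MIN_ACCOUNTS = 5                # assumed threshold: distinct accounts tried
MIN_HOSTS = 3                   # assumed threshold: distinct targets hit


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, host, account = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": event_id,
            "type": logon_type,
            "src": src,
            "host": host,
            "account": account,
        })
    return events


def detect_credential_spray(text, window=WINDOW,
                            min_accounts=MIN_ACCOUNTS, min_hosts=MIN_HOSTS):
    """Flag sources whose failed network logons within one window span many
    accounts and hosts; attach any later success with a sprayed account."""
    events = parse_events(text)
    network = [e for e in events if e["type"] == "3"]
    failures = defaultdict(list)
    for e in network:
        if e["id"] == "4625":
            failures[e["src"]].append(e)

    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            accounts = {e["account"] for e in burst}
            hosts = {e["host"] for e in burst}
            if len(accounts) >= min_accounts and len(hosts) >= min_hosts:
                # A successful network logon from the same source, after the
                # burst began, with one of the sprayed accounts indicates a
                # credential from the list worked somewhere.
                successes = [
                    (e["host"], e["account"]) for e in network
                    if e["id"] == "4624" and e["src"] == src
                    and e["account"] in accounts and e["ts"] >= start["ts"]
                ]
                alerts.append({
                    "src": src,
                    "first_seen": start["ts"].isoformat(),
                    "accounts": sorted(accounts),
                    "hosts": sorted(hosts),
                    "successes": successes,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_spray(SAMPLE_EVENTS):
        print(alert)
```

The second source in the sample data, a single user failing twice and then succeeding on one host, is the ordinary mistyped-password pattern and is not flagged; the thresholds are what separate it from a list of credentials being walked across the network.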
The ransom note, shown above, asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.
The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.
Researchers are still analysing Bad Rabbit ransomware to check whether there is a way to decrypt computers without paying the ransom and how to stop it from spreading further.