Following the worldwide WannaCry attacks in May and the spread of Petya/NotPetya in June, a new type of infection dubbed Bad Rabbit is now making its way through Europe. In addition, TeleBots could also have deployed the ransomware as a way to destroy evidence of previous undetected intrusions.
The leading targets appear to be in Ukraine and Russia: CNN reports that victims include the Russian media groups Interfax and Fontanka, the Kiev Metro, Odessa International Airport and Ukraine's Ministry of Infrastructure.
Chester Wisniewski, principal research scientist at Sophos, said: "It appears this latest variation, the so-called Bad Rabbit ransomware, is being distributed via a fake Adobe Flash Player installer file." In response, the Ukrainian national computer emergency team issued a warning about Bad Rabbit.
"Server side logic can determine if the visitor is of interest and then add content to the page." The ransomware relies on people downloading what looks like an update to a commonly used program and so infecting themselves, and early indications showed that many anti-virus systems could not detect it.
The attack resembles the ExPetr assault that occurred earlier this year. The malware includes a list of common weak passwords (god, sex, secret, love, 123456, Admin123, etc.) that it uses to test logins. However, unlike NotPetya, it does not use EternalBlue and is more widely spread.
The sites seen redirecting to Bad Rabbit were a variety of sites based in Russia, Bulgaria and Turkey.
Adobe told the Journal that the attack does not use an actual Flash update to deliver the payload. "Indications are that this new variant continues to have success."
Once inside a network, Bad Rabbit spreads by collecting user credentials with the Mimikatz tool and by using hard-coded credentials, say Palo Alto Networks and Cisco Systems' Talos threat intelligence service.
For those interested in the technical aspects of how Bad Rabbit works, RiskIQ Inc. has a good rundown here.
When the disguised program is installed, the malicious DLL is saved as C:\Windows\infpub.dat, which in turn installs the malicious executable file.
Computers infected with the malware direct users to a TOR (The Onion Router) domain where they are asked to pay 0.05 Bitcoin (around $276) in exchange for the return of their data. That malware was basically impossible to remove, even for users who attempted to actually pay the ransom, leading to suspicions it had been created more to cause damage and destruction than to raise revenue for its developers.
One thing we can discern so far is that the hackers behind the attacks seem to be Game of Thrones fans: at least four scheduled tasks within the ransomware are named after the popular series (Viserion, Drogon, Rhaegal and GrayWorm).
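The indicators reported above (credential testing across hosts, the dropped C:\Windows\infpub.dat, and the Game of Thrones scheduled-task names) lend themselves to a simple hunt over Windows event data. The following is an added example, not code from the article or from any of the vendors it cites; the log format is a constructed key=value simplification of Security event 4625 (logon failure), 4698 (scheduled task created) and Sysmon event 11 (file create), and the 60-second / 3-host spray threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article: scheduled-task names and the dropped DLL path.
BADRABBIT_TASKS = {"viserion", "drogon", "rhaegal", "grayworm"}
BADRABBIT_DLL = r"c:\windows\infpub.dat"

# Constructed sample lines (not real telemetry): "<ISO time> <event_id> key=value ..."
SAMPLE_LOG = """\
2017-10-24T10:00:01 4625 src=10.0.0.5 target=HOST-A user=Administrator
2017-10-24T10:00:02 4625 src=10.0.0.5 target=HOST-B user=Admin
2017-10-24T10:00:02 4625 src=10.0.0.5 target=HOST-C user=root
2017-10-24T10:00:03 4625 src=10.0.0.5 target=HOST-D user=backup
2017-10-24T10:05:00 4625 src=10.0.0.9 target=HOST-A user=jsmith
2017-10-24T10:00:09 4698 host=HOST-B task=rhaegal
2017-10-24T10:00:10 4698 host=HOST-B task=NightlyBackup
2017-10-24T10:00:11 11 host=HOST-B path=C:\\Windows\\infpub.dat
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")

def parse_line(line):
    """Split one log line into (timestamp, event_id, {field: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return datetime.fromisoformat(m.group(1)), m.group(2), fields

def detect(log_text, window=timedelta(seconds=60), min_targets=3):
    """Return (reason, detail) findings: known task names, the DLL drop, and
    one source failing logons against >= min_targets distinct hosts within window."""
    findings = []
    failures = defaultdict(list)  # src -> [(timestamp, target host)]
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, event_id, f = parsed
        if event_id == "4625":
            failures[f["src"]].append((ts, f["target"]))
        elif event_id == "4698" and f.get("task", "").lower() in BADRABBIT_TASKS:
            findings.append(("badrabbit_task", f"{f['host']}: {f['task']}"))
        elif event_id == "11" and f.get("path", "").lower() == BADRABBIT_DLL:
            findings.append(("badrabbit_dll", f"{f['host']}: {f['path']}"))
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window over sorted failures
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                findings.append(("credential_spray", f"{src} -> {len(targets)} hosts"))
                break
    return findings
```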