Bad Rabbit ransomware rapidly spreads, Ukraine and Russia most targeted countries

“On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine. Here’s what a ransom message looks like for the unlucky victims:” reported Kaspersky Lab.

“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” continues the analysis published by Kaspersky Lab.

The experts from security firm ESET tracked the Bad Rabbit ransomware as ‘Win32/Diskcoder.D‘. According to ESET, the malware is a new variant of Petya ransomware. it relies on the open-source encryption software DiskCryptor, files are encrypted RSA 2048 keys.

The researchers excluded the new ransomware uses the EternalBlue exploit, instead, it first scans the target network for open SMB shares, tries to access them using hardcoded list of credentials to drop the malicious code, then uses the Mimikatz tool to extract credentials from the target.

“Win32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does notuse the EthernalBlue vulnerability like the Win32/Diskcoder.C (Not-Petya) outbreak. First, it scans internal network for open SMB shares.” reads the analysis published by ESET.

“Mimikatz is launched on the compromised computer to harvest credentials. A hardcoded list username and password is also present.”

Researchers from ESET reported that the payment website is hosted on the Tor network, the ransom note provided instructions to make the payment while displaying a countdown of 40 hours before the price of decryption increase.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Bad Rabbit ransomware, Cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]