NotPetya Malware Refuses to Let Up – Latest Malware Variant Bad Rabbit Targets Business Owners and is Spreading Fast
Since Tuesday, reports of the Bad Rabbit ransomware virus have been flashing across news screens everywhere. The virus started its rampage in Europe, bubbling up in Russia, Ukraine, Turkey and Germany. However, the full extent of the virus’ reach still isn’t fully understood.
The virus targeted institutional giants in Ukraine including the Ministry of Infrastructure and Kiev’s public transportation system. Russia experienced similar hits to critical agencies including Interfax, a local news service that recently issued a statement to announce they had been hacked and were working to restore their network. Initial reports about the Bad Rabbit virus note that the virus is specifically attacking media outlets, and an additional Russian newsgroup, Fontanka.ru, was also affected.
Bad Rabbit Touches Down in the USA: US Department of Homeland Security Issues Warning
Since starting its path of destruction in Europe, several instances of the Bad Rabbit virus have now been reported in the US. Given the recent history of cybersecurity concerns, especially around Russia, the US Department of Homeland Security (DHS) isn’t taking any chances.
DHS released a statement earlier this week in reference to the attack:
“US-CERT has received multiple reports of Bad Rabbit ransomware infections in many countries around the world. This suspected variant of Petya ransomware is malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”
DHS urged individuals and businesses to take notice and be vigilant in the face of this latest malware attack. To combat the threat, DHS is urging IT professionals to review US-CERT Alerts TA16-181A and TA17-132A, each of which describes recent ransomware events.
Experts Weigh In: Is Bad Rabbit a Nasty By-Product of NotPetya or ExPetr?
Cybersecurity experts at Kaspersky and ESET have both noted that Bad Rabbit seems to have clear ties to recent malware pandemics NotPetya and/or ExPetr.
“Our researchers have detected a number of compromised websites – all news or media sites,” said Russian security company Kaspersky – now embroiled in a spying controversy, in a recent blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm officially that it is related to ExPetr.”
Regardless of its origins, experts agree that Bad Rabbit now joins NotPetya and WannaCry as another of 2017’s major ransomware-style malware epidemics.
How Does It Work? Understanding How Bad Rabbit Takes Hold of Business Networks
Unlike other recent malware epidemics, which spread more passively, Bad Rabbit requires potential victims to download and execute a fraudulent Adobe Flash installation file. Once the phony download and installation is executed, machines and networks become infected with the malware.
In an interesting turn of events, it seems whoever created Bad Rabbit is a fan of the HBO hit, Game of Thrones. The malware infection makes reference to character Daenerys Targaryen and her dragons as well as Grey Worm, another beloved character. However, Bad Rabbit is anything but fantasy or fiction. The impacts of the infection are real-life disasters for any business or organization infected.
Computers infected with the malware direct the user to a .onion Tor domain where they are forced to pay .05 bitcoin (roughly $276 USD in exchange for the decryption and restored access to their data. Even worse? The domain then flashes a countdown on the screen, giving victims limited time to act before the ransom price increases. While this year has seen some instances of destructive malware disguised as ransomware, experts are still not full sure if Bad Rabbit actually collects a ransom and decrypts data in every case of infection. However, in a test case, a researcher was successful in having data restored once the ransom was paid.
Responding to Bad Rabbit: What to Do If You Get Infected and How to Prevent the Virus Proactively
First and foremost, as a rule of thumb, anyone infected is discouraged from paying the ransom. For one, there is absolutely no guarantee that the payment will restore data access. Secondly, much like the refusal to negotiate with terrorists, refusing to pay the ransom discourages criminals from using similar attacks in the future. If victims don’t pay, cybercriminals will realize their attempts at robbery are useless.
In terms of preventing the attack, some researchers have introduced promising options for proactive vaccination. Early Wednesday morning, a Massachusetts researcher from Cybereason, claimed that he has a vaccine to protect customers from Bad Rabbit. Following this short series of fool-proof steps will automatically vaccinate your company’s computers, laptops, and other devices, keeping them safe from Bad Rabbit invasion:
First, create two files: C:Windowsinfpub.dat& C:Windowscscc.dat.
Then, go into the each of the file’s properties and remove all permissions to both files. When doing this, remove the inheritance so the files do not inherit the perms of the C:Windows folder.
As news around Bad Rabbit continues to develop, US business professionals should be on high alert – working deliberately to monitor and protect their business networks. Be wary of Adobe Flash download prompts. Talk to other business professionals to spread the word. If you’re worried you’ve been affected or could be affected, reach out to a local cybersecurity expert for guidance and consultation. When professionals band together proactively, cybercriminals can and will be stopping in their tracks. Until then, stay alert and stay vigilant.