Bad Rabbit has been likened to WannaCry and NotPetya, but this variant requires the victim to download a maliciously loaded Adobe Flash installer file.
Russia and Ukraine have experienced attacks from a new strain of malware called Bad Rabbit, hitting major infrastructure targets including a Ukrainian airport.
Ukraine also saw an attack on the Kiev underground railway, in an incident comparable to the notorious NotPetya and WannaCry attacks that rocked the world earlier this year.
Also found to be active in Poland and South Korea, the attack has debilitated servers by encrypting them. Even so, the US Computer Emergency Readiness Team said it “discourages individuals and organisations from paying the ransom, as this does not guarantee that access will be restored,” as reported by the BBC.
Kaspersky has been tracking the new malware variant. In a blog post, the company said: “What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and Fontanka.ru among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it’s the same attack is not yet clear.”
A degree of human error is required for the attack to be successful, as it gains entry when a loaded Adobe Flash installer file is downloaded by the victim.
Jakub Kroustek, Malware Analyst at Avast, said: “We’re classifying Bad Rabbit as malware, with code resembling NotPetya. We’ve detected Bad Rabbit in Russia, Ukraine, Poland, and South Korea so far. At the moment, Russia and Ukraine appear to be the most heavily impacted countries. The total prevalence of known samples is quite low compared to the other “common” strains. We are continuing to monitor the situation and will share updates as available.”
Following the impact of yet another powerful malware variant, 2017 is proving to be a year of grievous cyber-attacks, arriving at a sustained rate not seen before and bearing clear similarities to one another.
Andrew Clarke, EMEA Director at One Identity, said: “Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key. A powerful upgrade is now being unleashed, with organisations in Russia, Ukraine, Bulgaria and Turkey at the top of the hit list. This time a fake “flash” update appears to be implicated, but it seems that, as the organisations were hit around the same time, the attackers likely had a foot in their network already.”
Clarke goes on to explain how the Bad Rabbit malware takes hold and how organisations could protect themselves from the full force of the new attack.
“Once hit, their data gets encrypted and for a bitcoin fee of 0.05 – approximately $280 – the affected company has the chance to acquire the decryption keys, but only before a count-down of 41 hours expires! Despite industry warnings issued after the Petya and NotPetya outbreaks earlier this year, this variant, which spreads laterally using SMB shares, could be blocked by denying this communication channel [ports 137, 138, 139 and 445] on their firewalls,” said
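The SMB ports Clarke lists are also what a defender can watch for inside the network. The following added example (not from the article or from any vendor quoted in it) scans constructed firewall log lines for one internal host fanning out to several peers on those ports within a short window, the lateral-spread pattern described above. The log format, internal subnets, window and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports the article names as the SMB/NetBIOS channel used for lateral spread.
SMB_PORTS = {137, 138, 139, 445}
# Assumed RFC 1918 ranges; adjust to the network being monitored.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_line(line):
    # Constructed log format: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def smb_fanout(lines, window=60, threshold=3):
    """Return {src: sorted peers} for internal sources that contacted at least
    `threshold` distinct internal hosts on SMB ports within `window` seconds.
    Denied attempts count too: a blocked scan is still a scan."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        if port in SMB_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for t0, _ in evs:
            peers = {d for t, d in evs if t0 <= t <= t0 + window}
            if len(peers) >= threshold:
                flagged[src] = sorted(peers)
                break
    return flagged


# Constructed sample: 10.1.2.3 sweeps four neighbours on 445/139 in 12 seconds,
# while 10.1.2.20 makes ordinary repeated use of one file server.
SAMPLE_LOG = [
    "1508918400 10.1.2.3 10.1.2.10 445 allow",
    "1508918405 10.1.2.3 10.1.2.11 445 allow",
    "1508918409 10.1.2.3 10.1.2.12 139 allow",
    "1508918412 10.1.2.3 10.1.2.13 445 deny",
    "1508918400 10.1.2.20 10.1.2.50 445 allow",
    "1508918500 10.1.2.20 10.1.2.50 445 allow",
    "1508918410 203.0.113.5 10.1.2.3 445 deny",
]

if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB lateral spread from {src}: {', '.join(peers)}")
```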