Widespread Bad Rabbit Ransomware Drive-By Attacks Reported

Over the past few days, hundreds of reports have been received of cyberattacks involving Bad Rabbit ransomware, a new ransomware variant with similarities to both HDDCryptor and NotPetya. HDDCryptor was the ransomware variant that encrypted the systems of the San Francisco Muni in November 2016. NotPetya was used in widespread attacks in June and was a wiper rather than ransomware.

Many NotPetya infections occurred through a compromised accounting software update. The Bad Rabbit attacks also use a purported software update as the infection vector; the attacks seen so far have involved a fake Flash Player update delivered in a drive-by download attack.

Rather than using malvertising to direct users to malicious sites hosting the ransomware, the threat actors behind this campaign have compromised legitimate websites and injected malicious JavaScript that displays a prompt to update Flash Player immediately. Responding to that prompt downloads an executable, install_flash_player.exe, which installs the ransomware.

The ransomware cannot run without user interaction: the user must execute the fake Flash Player update for the ransomware to be installed. All attacks reported so far have involved drive-by downloads from legitimate news and media websites. Sites in Denmark, Russia, and Ireland are understood to have been compromised and used to display the Flash Player alerts.

Bad Rabbit encrypts files with AES and then encrypts the AES keys with an RSA-2048 public key. After encrypting files it replaces the MBR and reboots the infected computer, which then displays a ransom note demanding a payment of 0.5 Bitcoin within 40 hours. The demanded amount increases if the deadline is missed.

Bad Rabbit ransomware can also spread rapidly across a network and infect many devices. The WannaCry ransomware attacks in May also spread laterally, but instead of the NSA's ETERNALBLUE exploit used by WannaCry, Bad Rabbit contains a hardcoded list of credentials that it uses over SMB to infect other machines. It also uses Mimikatz to harvest credentials from compromised machines, which are then used over SMB.

The new malware variant has claimed more than 200 victims, including the Russian news agencies Fontanka and Interfax, Odessa International Airport, the Kiev Metro, and Ukraine's Ministry of Infrastructure. The attacks appear to be focused on Ukraine and Russia, although they have spread to Europe (Germany, Turkey, and Bulgaria) and Japan.

Kaspersky Lab and ESET have published IOCs, and Kaspersky Lab has also proposed a simple method of blocking Bad Rabbit attacks.

On installation the ransomware creates two files, C:\Windows\cscc.dat and C:\windows\infpub.dat; Kaspersky Lab recommends monitoring for execution of files at those paths.

It has also been suggested that creating those two files in those locations and removing read, write, and execute permissions on them will prevent the ransomware from encrypting files. Organizations should also send an alert email to employees about Bad Rabbit ransomware, warning them not to download Flash Player updates.
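As an added example (not from the article, Kaspersky Lab, or ESET), the following PowerShell implements that "vaccine": it creates the two files at the paths named above and denies read, write, and execute access to Everyone so the ransomware can neither replace nor run them. It assumes an elevated PowerShell prompt on a Windows host.

```powershell
# Added example: pre-create the files Bad Rabbit writes on installation and
# lock them down. Run as Administrator; paths are those named in the article.
$vaccinePaths = @('C:\Windows\cscc.dat', 'C:\Windows\infpub.dat')

function Protect-VaccineFile {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty placeholder at the exact path the malware uses.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Read-only attribute is a first, weak barrier against overwriting.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    $acl = Get-Acl -LiteralPath $Path
    # Stop inherited ACEs from C:\Windows re-granting access to the file.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every remaining explicit allow rule.
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    # Deny read, write and execute to Everyone; deny ACEs take precedence.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Read, Write, ExecuteFile',
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    # Returns $true when the file exists and carries only the Everyone deny ACE.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $rules = (Get-Acl -LiteralPath $Path).Access
    return ($rules.Count -eq 1 -and
            $rules[0].IdentityReference -eq 'Everyone' -and
            $rules[0].AccessControlType -eq 'Deny')
}

foreach ($path in $vaccinePaths) {
    Protect-VaccineFile -Path $path
    "{0}: protected={1}" -f $path, (Test-VaccineFile -Path $path)
}
```

The owner (Administrators) keeps the implicit right to change the ACL, so the lock can be reversed later with Set-Acl; the vaccine only blocks the ransomware's write and execute, it does not remove an infection that has already run.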