This year alone, there has already been three large outbreaks involving online security and breaches.
Recently a new ransomware campaign has begun, and the targets have been high profile, for example Russia and Eastern Europe. This new threat has been named Bad Rabbit. The appearance of Bad Rabbit had been a grand event, simultaneously hitting organisations causing those affected to reminisce about the attacks earlier this year, like WannaCry and Petya.
So let’s break down what Bad Rabbit is
- Russia, Ukraine, Germany, Turkey, Poland, South Korea, have all had reports of Bad Rabbit hoping out of it’s hole and causing a stir.
- Bad Rabbit sent out file-encrypting malware to at least three media organisations in Russia, while also taking one news agency offline for a time.
- Other organisations include the Odessa International Airport and Kiev Metro.
- This far it is thought that 200 targets have been infected, and continue to be causing problems for infected organisations.
Bad Rabbit is a ransomware, which means once your infected, your at the mercy of the host of the hostile program.
- Once the ransomware is active there is a note that takes up the screen informing the reader that all files are locked out unless payment is received and the acquired password is typed in.
- Victims are directed to a Tor payment page, where further instructions lie. The hackers demand payment through bitcoins and give a timer, to enhance the tension, saying the price will rise once the timer reaches zero.
- The encryption used in the ransomware is called DiskCryptor. DiskCryptor is a open source software that is also legitimate and widely used. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.
Bad Rabbit takes it’s inspiration from one of the earlier malicious outbreaks known as Petya.
- There is speculation that this ransomware is an alteration of the Petya dynamic link library. This being said, means there is a strong correlation between Bad Rabbit and Petya in terms of functionality/looks and possibly both stemming from the same group/person.
- The way Bad Rabbit has spread is through drive-by downloads on hacked websites. A website is hacked and will begin to feature a false flash update that will begin to download if clicked at all.
- It is estimated that some site have been hacked since June, featuring Bad Rabbits strong presence.
How far does Bad Rabbit go?
- It’s important to know that Bad Rabbit spreads laterally across networks.
- This means that Bad Rabbit can propogate without user interaction. So while your counting the timer down, the ransomeware is spreading across infected networks.
- The ability to spread laterally across networks is due to the list given to Bad Rabbit, that has combinations of simple usernames and passwords which it uses to force itself into networks.
Bad Rabbit may have targets in mind.
- Researchers have noticed a curious movement of Bad Rabbit, suggesting it has specific locations in mind, rather than indiscriminately infecting. Corporate networks seem to have the most focus, possibly suggesting that corporations are the enemy of the hacker/group.
Last bits of information.
- There is still no claim as to who is behind this ransomware. Some believe that it’s the same group involved with the Petya virus.
- Some believe it is not a Russian group due to Russia being under alot of heat from Bad Rabbit, and customarily Eastern Europe cyber-criminals avoid attacking the “Motherland”.
- The code of Bad Rabbit has references to Game of Thrones.
- It is possible to protect yourself from becoming infected. A way to prevent the execution of the file is to block ‘c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.’ to help avoid infection at all.