Bad Rabbit – New Ransomware Virus

Organizations in Russia, Ukraine and a few hours later also the U.S. are under siege from Bad Rabbit, a new strain of ransomware with similarities to NotPetya.

The outbreak started Tuesday and froze computer systems in several European countries, and began spreading to the U.S., the latest in a series of attacks.

Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections.

Bad Rabbit Starts With Social Engineering

The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim, though it isn’t clear whether paying the ransom unlocks a computer’s files. You have just 40 hours to pay.

Bad Rabbit shares some of the same code as the Petya virus that caused major disruptions to global corporations in June this year, said Liam O’Murchu, a researcher with the antivirus vendor Symantec Corp.
Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.

The hardcoded creds are hidden inside the code and include predictable usernames such asroot, guest and administrator, and passwords straight out of a worst passwords list. (Note To Self: all user passwords need to be strong, step all employees through a strong password training module ASAP.)

As for Bad Rabbit, the ransomware is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user’s computer and then replaces the MBR (Master Boot Record).

Ouch, that basically bricks the workstation. 

Courtesy of KnowB4

Contact us today to review your passwords and to ensure your systems are secure.