Bad Rabbit Ransomware in attack

Bad Rabbit appeared on October 24, mainly at our eastern neighbors - in Russia and Ukraine. A number of attacks were also recorded in other Eastern European countries, as well as Germany and Turkey. Of course, as usually happens in such situations, subsequent attack victims are located in other places in the world, eg in the USA and South Korea.

Victims of the attack fell, among others, the metro in Kiev, the airport in Odessa, the Russian Interfax, Fontanka and other press agencies. The author or authors of the ransomware are still in the shadows and despite some suspicions they have not been indicated. Attackers removed traces of their activity from infected servers when researchers from various companies analyzed malicious code.


Map spreading ransomare Bad Rabbit. Source .

Bad Rabbit spread through crafted copies of Flash Player downloaded from infected sites. The second method of collecting the pest is the watering hole attack technique, where the offenders target the group of users and reach it by infecting one of them by gaining access to the network (eg at the place of employment).

After installing the ransomware, it steals passwords and username, and of course encrypts files. Interestingly, in contrast to "competition", Bad Rabbit does not change the names of encrypted files. Analysts have also found that IP addresses in the subnet are listed, probably in order to find the address of the web server.

According to some researchers, Bad Rabbit may be a clone or variant of the well-known Petya ransomware. There are quite significant differences, such as the lack of use of EternalBlue and DoublePulsar. The discussed ransomware uses Mimikatz and a built-in list of default users and passwords.

The financial demands of the Bad Rabbit authors can be regarded as not excessive, demanding 0.05 Bitcoin or about USD 275 US.


Information with a ransom demand.

Microsoft has prepared a short article telling how to protect themselves. There is also information about the vaccine, according to which it is enough to create two files c: \ windows \ infpub.dat and c: \ windows \ cscc.dat (and by the way remove all permissions).



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.