Bad Rabbit ransomware spreads across Eastern Europe with echoes of WannaCry and Petya
A new strain of ransomware -- dubbed Bad Rabbit -- has struck in Russia, Ukraine and other parts of Eastern Europe. It is thought to be a variation on Petya due to a number of similarities, and it is wreaking havoc with media outlets and transport systems, including an airport in Ukraine, and the underground in Kiev.
Like many other forms of malware, Bad Rabbit was initially spread through a fake Flash installer, but it was then able to spread via networks to hit a larger number of machines. The spread of the ransomware is further facilitated by using the open source Mimikatz for extracting credentials, and DiskCryptor for encrypting data.
The Bad Rabbit outbreak is described as an ongoing attack, and the Ukrainian branch of CERT -- CERT-UA -- has issued a warning for businesses to be aware of the ransomware. As well as encrypting the contents of hard drives, Bad Rabbit also replaces the MBR to render a system inaccessible. The ransom message that is displayed is very similar to the one used by NotPetya, but analysis suggests there is little code reuse -- although there are multiple references to Game of Thrones.
Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it uses dictionary attacks for the credentials.
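The lateral-movement chain described above (credential guessing against a remote host, a successful network logon with the guessed account, then execution via a Service Control Manager service install or a WMI-spawned process) is visible in ordinary Windows event logs. The following is an added detection example, not code from the article or from any vendor's analysis: it correlates simplified renderings of Security events 4625/4624/4688 and System event 7045 per (host, account) and raises one alert when all three stages occur within a window. The event field names, the sample events, the five-failure threshold and the ten-minute window are all constructed for illustration.

```python
"""Toy detector for the lateral-movement chain described above: a burst of
failed network logons (credential guessing), then a successful network logon
with the guessed account, then that account installing a service (Service
Control Manager) or spawning a process under WMI. Field names are a
simplified, constructed rendering of Windows Security/System event data."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failed logons within WINDOW that count as guessing (assumption)
WINDOW = timedelta(minutes=10)  # correlation window (assumption)


def _ts(value):
    return datetime.fromisoformat(value)


def _key(event):
    # Correlate on (target host, account): 4624/4625 name the target account,
    # 7045 names the account that installed the service, 4688 the subject.
    return (event["host"], event["user"].lower())


def detect_lateral_movement(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per (host, account) where guessing, a successful
    network logon and remote execution all occur within `window`."""
    failures = defaultdict(list)   # (host, account) -> recent failed-logon times
    guessed_in = {}                # (host, account) -> (success time, failures, source)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key, t = _key(e), _ts(e["ts"])
        if e["id"] == 4625 and e.get("logon_type") == 3:
            # keep only failures inside the window, then add this one
            failures[key] = [f for f in failures[key] if t - f <= window] + [t]
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= fail_threshold and key not in guessed_in:
                guessed_in[key] = (t, len(recent), e.get("src"))
        elif e["id"] in (7045, 4688):
            # 7045: service installed via SCM; 4688: process created, where remote
            # WMI execution shows WmiPrvSE.exe as the creator process.
            via_wmi = e["id"] == 4688 and e.get("parent", "").lower().endswith("wmiprvse.exe")
            if (e["id"] == 7045 or via_wmi) and key in guessed_in:
                success_time, nfail, src = guessed_in[key]
                if t - success_time <= window:
                    alerts.append({
                        "host": e["host"], "user": e["user"], "source": src,
                        "failed_logons": nfail, "image": e.get("image"),
                        "trigger": "scm_service" if e["id"] == 7045 else "wmi_process",
                    })
                    del guessed_in[key]   # one alert per chain
    return alerts


# Constructed sample events (not real logs); timestamps and hosts are illustrative.
SAMPLE_EVENTS = [
    # six failed network logons in seconds, then a success: guessing, not a typo
    *[{"ts": f"2017-10-24T10:00:{i:02d}", "id": 4625, "host": "WS-07",
       "user": "Administrator", "src": "10.0.0.15", "logon_type": 3} for i in range(1, 7)],
    {"ts": "2017-10-24T10:00:08", "id": 4624, "host": "WS-07", "user": "Administrator",
     "src": "10.0.0.15", "logon_type": 3},
    {"ts": "2017-10-24T10:00:09", "id": 7045, "host": "WS-07", "user": "Administrator",
     "service": "dropped-copy", "image": "C:\\Windows\\dropped-copy.exe"},  # placeholder path
    # benign: a backup account logs on once and installs an agent
    {"ts": "2017-10-24T10:05:00", "id": 4624, "host": "WS-12", "user": "svc_backup",
     "src": "10.0.0.2", "logon_type": 3},
    {"ts": "2017-10-24T10:05:02", "id": 7045, "host": "WS-12", "user": "svc_backup",
     "service": "BackupAgent", "image": "C:\\Program Files\\Backup\\agent.exe"},
    # guessing that never succeeded: worth a separate noise alert, but no chain here
    *[{"ts": f"2017-10-24T10:07:{i:02d}", "id": 4625, "host": "WS-03",
       "user": "Administrator", "src": "10.0.0.15", "logon_type": 3} for i in range(0, 8)],
    # a WMI-spawned process with no prior guessing for that host/account
    {"ts": "2017-10-24T10:09:00", "id": 4688, "host": "WS-12", "user": "svc_backup",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the WS-07 chain fires: six failures, a success, then a service install by the same account within seconds. The benign backup sequence has no guessing stage, and the WS-03 burst never logs on, so neither produces an alert. The 4688 branch needs the creator-process field (available on newer Windows with command-line and parent auditing enabled), and a real deployment would also want a stand-alone alert for a failure burst from one source across many hosts, since that pattern alone fits the dictionary attack the vendor describes.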
With a ransom of just 0.05 bitcoins, this is the sort of amount that organizations would not really think twice about paying. But CERT warns that paying the ransom in no way guarantees regaining access to encrypted files.