As per reports on Tuesday a new strain of ransomware named “Bad Rabbit” has been found spreading in Russia, Ukraine and elsewhere. It’s a previously unknown ransomware.
The malware has affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev and appears to also be affecting Turkey and Germany.
The Russian news service Interfax and Fontanka.ru were hacked, Interfax also issued an official update stating that it had been hacked and that it was working to restore its systems.
The malware is still undetected by the majority of anti-virus programs, according to analysis by virus checking site Virus Total.
There were also some indications that BadRabbit uses the NSA’s EternalBlue tool, used by both NotPetya and the WannaCry ransomware worm that spread in May, to spread through a local network, although other reports disputed that and said Bad Rabbit simply used stolen passwords to spread.
One security firm, Eset, has said that the malware was distributed via a bogusAdobe Flash update.Bad Rabbit requires a potential victim to download and execute a bogus Adobe Flash installer file, thereby infecting them.
Bad Rabbit encrypts the contents of a computer and asks for a payment – in this case 0.05 bitcoins, or about $280 (£213).
US officials said they had “received multiple reports of Bad Rabbit ransomware infections in many countries around the world”.
The US computer emergency readiness team said it “discourages individuals and organisations from paying the ransom, as this does not guarantee that access will be restored”.
Cyber-security firms, including Russia-based Kaspersky, have said they are monitoring the attack.
Whoever created Bad Rabbit appears to be a Game of Thrones fan, as the malware makes reference to Drogon, Rhaegal and Viserion, after three dragons in the series. Part of the installer is called Gray Worm, the name of a military commander in the series.
The outbreak has similarities to the WannaCry and Petya ransomware outbreaks that spread around the world causing widespread disruption earlier this year.
Amit Serper, a malware researcher at Cybereason, has come up with an early “vaccine” against the malware.
“Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)” Serper tweeted.
Tips to protect from this sort of outbreak:
Most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.
- Don’t make users into administrators: When you want to perform administrative tasks, promote yourself to an administrator account, and relinquish those privileges as soon as you can. Network-aware malware like Bad Rabbit can spread without even needing to guess passwords if you already have administrator-level access to other computers on the network.
- Backup your data: Keep a recent backup both offline and offsite, Copy your data to an external storage device that isn’t always connected to your PC.
- Remove Flash altogether: Fake flash installers and updates only work as a social engineering tactic if you use or want Flash. By removing Flash entirely you eliminate the temptation to download fake updates.
- Read reviews and ratings: Never download any app from third-party sources, and read reviews even before installing apps from official stores.