
Threat Report: Bad Rabbit Ransomware Hops to Eastern Europe, Turkey and Germany

What Is It?

On Oct. 24, 2017, a new strain of ransomware, being referred to as Bad Rabbit, was used in a widespread campaign which reportedly caused issues for many enterprises and infrastructure such as airports and train stations in Eastern Europe, Turkey and Germany.

Analysis of the malware code has found similarities with previous large-scale ransomware attacks such as NotPetya and Petya. However, this malware does not use the EternalBlue exploit to propagate. It also does not appear to be destructive in the way NotPetya was; it is purely ransomware.

A number of websites were compromised in Eastern Europe and Turkey and redirected users to a site serving a drive-by download of a fake Adobe Flash Player update. The drive-by download server was taken offline after approximately 6 hours.

The ransomware requests an initial ransom of 0.05 Bitcoin (US$274.86) which increases the longer the ransom goes unpaid.

As is common with recent ransomware, it encrypts the Master Boot Record on the victim's hard drive, rendering the machine unusable until the ransom is paid, after first encrypting files with the following extensions:

.3ds,.7z,.accdb,.ai,.asm,.asp,.aspx,.avhd,.back,.bak,.bmp,.brw,.c,.cab,.cc,.cer,.cfg,.conf,
.cpp,.crt,.cs,.ctl,.cxx,.dbf,.der,.dib,.disk,.djvu,.doc,.docx,.dwg,.eml,.fdb,.gz,.h,.hdd,
.hpp,.hxx,.iso,.java,.jfif,.jpe,.jpeg,.jpg,.js,.kdbx,.key,.mail,.mdb,.msg,.nrg,.odc,.odf,
.odg,.odi,.odm,.odp,.ods,.odt,.ora,.ost,.ova,.ovf,.p12,.p7b,.p7c,.pdf,.pem,.pfx,.php,.pmf,
.png,.ppt,.pptx,.ps1,.pst,.pvi,.py,.pyc,.pyw,.qcow,.qcow2,.rar,.rb,.rtf,.scm,.sln,.sql,
.tar,.tib,.tif,.tiff,.vb,.vbox,.vbs,.vcb,.vdi,.vfd,.vhd,.vhdx,.vmc,.vmdk,.vmsd,.vmtm,
.vmx,.vsdx,.vsv,.work,.xls,.xlsx,.xml,.xvd,.zip

How Does It Propagate?

Bad Rabbit is spread via compromised websites redirecting to a drive-by download of the malware claiming to be an Adobe Flash Player update.

This malware also contains a list of weak passwords which it can use to propagate over the network. It does not use any exploits.

As this attack initially requires a user to execute the fake Adobe Flash Player update, end-user education remains a critical component of securing a corporate environment.
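Propagation by trying a list of weak passwords across the network leaves a telltale burst of failed logons from one source against many hosts in a short time. As an added example (not code from the report or from BluVector), the function below flags that pattern over constructed records shaped like the fields of a Windows Security event 4625 (logon failure); the host names, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: (timestamp, target host, account, source IP).
# A weak-password sweep shows up as one source failing against several accounts on several hosts.
SAMPLE_EVENTS = [
    ("2017-10-24T13:00:01", "FILESRV01", "Administrator", "10.0.0.15"),
    ("2017-10-24T13:00:02", "FILESRV01", "admin", "10.0.0.15"),
    ("2017-10-24T13:00:03", "FILESRV02", "Administrator", "10.0.0.15"),
    ("2017-10-24T13:00:04", "FILESRV02", "guest", "10.0.0.15"),
    ("2017-10-24T13:00:05", "WKS-0042", "user", "10.0.0.15"),
    ("2017-10-24T13:00:06", "WKS-0043", "root", "10.0.0.15"),
    ("2017-10-24T13:05:00", "FILESRV01", "jsmith", "10.0.0.77"),  # a single mistyped password, benign
]


def detect_password_sweep(events, min_hosts=3, min_failures=5, window=timedelta(minutes=2)):
    """Return {source_ip: sorted hosts} for sources whose logon failures reach
    min_failures total against at least min_hosts distinct hosts inside one sliding window.
    Thresholds are assumed values; tune them to the environment's normal failure rate."""
    by_source = defaultdict(list)
    for ts, host, account, src in events:
        by_source[src].append((datetime.fromisoformat(ts), host, account))

    flagged = defaultdict(set)
    for src, items in by_source.items():
        items.sort()  # oldest first so the window can slide forward
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            hosts = {host for _, host, _ in span}
            if len(span) >= min_failures and len(hosts) >= min_hosts:
                flagged[src].update(hosts)

    return {src: sorted(hosts) for src, hosts in flagged.items()}


if __name__ == "__main__":
    for src, hosts in detect_password_sweep(SAMPLE_EVENTS).items():
        print(f"possible credential sweep from {src} against {len(hosts)} hosts: {', '.join(hosts)}")
```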

When/How Did BluVector Detect It?

BluVector’s machine learning malware detection engine detects the fake Adobe Flash Player update as malicious. Regression testing has shown the file would have been detected by BluVector 10 months prior to its release.

About Threat Report

BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solution would protect customers from those threats. Read more Threat Reports here.
