What Is It?
On Oct. 24, 2017, a new strain of ransomware, referred to as BadRabbit, was used in a widespread campaign which reportedly caused issues for many enterprises and critical infrastructure such as airports and train stations in Eastern Europe, Turkey and Germany.
Analysis of the malware code has found similarities with previous large-scale ransomware attacks such as NotPetya and Petya. However, this malware does not use the EternalBlue exploit to propagate. This malware also appears not to be destructive in the way NotPetya was; it is purely ransomware.
A number of websites were compromised in Eastern Europe and Turkey and redirected users to a site serving a drive-by download of a fake Adobe Flash Player update. The drive-by download server was taken offline after approximately 6 hours.
The ransomware requests an initial ransom of 0.05 Bitcoin (US$274.86) which increases the longer the ransom goes unpaid.
As is common with recent ransomware, it encrypts the Master Boot Record on the victim's hard drive, rendering it unusable until the ransom is paid, after first encrypting files with the extensions of:
How Does It Propagate?
BadRabbit is spread via compromised websites redirecting to a drive-by download of the malware claiming to be an Adobe Flash Player update.
This malware also contains a list of weak passwords which it can use to propagate over the network. It does not utilize any exploits.
As this attack initially requires a user to execute the fake Adobe Flash Player update, end-user education is always a critical component of securing a corporate environment.
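Propagation by trying a built-in list of weak passwords over the network leaves a characteristic trace in authentication logs: one source host attempting logons to many destination hosts with many different accounts in a short time. The following detection routine is an added example, not code from the page or from BluVector; the log line format, the sample IP addresses and accounts, and the thresholds are all constructed assumptions, and it generalizes to any credential-guessing lateral movement rather than BadRabbit specifically.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (assumed format, not from the page):
# "<ISO timestamp> <source ip> <destination ip> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = [
    # one host walking a weak-password list across several targets and accounts
    "2017-10-24T10:00:01 10.0.0.5 10.0.0.10 administrator FAIL",
    "2017-10-24T10:00:02 10.0.0.5 10.0.0.10 admin FAIL",
    "2017-10-24T10:00:03 10.0.0.5 10.0.0.11 administrator FAIL",
    "2017-10-24T10:00:04 10.0.0.5 10.0.0.11 user FAIL",
    "2017-10-24T10:00:05 10.0.0.5 10.0.0.12 administrator FAIL",
    "2017-10-24T10:00:06 10.0.0.5 10.0.0.12 guest SUCCESS",
    "2017-10-24T10:00:07 10.0.0.5 10.0.0.13 root FAIL",
    # benign: a workstation using its own account against two servers
    "2017-10-24T10:01:00 10.0.0.20 10.0.0.10 alice SUCCESS",
    "2017-10-24T10:02:00 10.0.0.20 10.0.0.11 alice SUCCESS",
    # benign: a user mistyping a password a few times against one host
    "2017-10-24T10:03:00 10.0.0.21 10.0.0.10 bob FAIL",
    "2017-10-24T10:03:05 10.0.0.21 10.0.0.10 bob FAIL",
    "2017-10-24T10:03:10 10.0.0.21 10.0.0.10 bob SUCCESS",
]


def parse_line(line):
    """Split one log line into (timestamp, src, dst, account, result)."""
    ts, src, dst, account, result = line.split()
    return datetime.fromisoformat(ts), src, dst, account, result


def find_lateral_spray(lines, window=timedelta(minutes=5), min_hosts=3, min_accounts=3):
    """Return {src: details} for every source whose logon attempts inside a sliding
    time window reach at least `min_hosts` distinct targets using at least
    `min_accounts` distinct accounts. Thresholds are assumed defaults; tune them
    to the environment. Successful logons inside the window are reported so a
    responder knows which hosts may already be compromised."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e[2] for e in win}
            accounts = {e[3] for e in win}
            if len(hosts) >= min_hosts and len(accounts) >= min_accounts:
                alerts[src] = {
                    "hosts": sorted(hosts),
                    "accounts": sorted(accounts),
                    "successes": [(e[2], e[3]) for e in win if e[4] == "SUCCESS"],
                }
    return alerts


if __name__ == "__main__":
    for src, info in find_lateral_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(info['hosts'])} hosts, {len(info['accounts'])} accounts, "
              f"successful logons: {info['successes']}")
```

Failures alone are not the signal; the benign mistyped-password case above never trips the rule because it touches a single host and account. The combination of breadth across hosts and across accounts from one source in a few minutes is what distinguishes a worm working through a password list, and any SUCCESS inside that window is the host to isolate first.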
When/How Did BluVector Detect It?
BluVector’s machine learning malware detection engine detects the fake Adobe Flash Player update as malicious. Regression testing has shown the file would have been detected by BluVector 10 months prior to its release.