Bad Rabbit Ransomware: What is it and how is it different from previous attacks?

We had already suffered two large-scale ransomware attacks, the infamous WannaCry and ExPetr (also called Petya and NotPetya), before being hit by a new strain known as Bad Rabbit.

How is Bad Rabbit Ransomware Different From Previous Attacks?

Rather than exploiting a weakness in the computer's security to get in, Bad Rabbit gains its initial foothold by prompting users to install a fake Adobe Flash update when they visit an infected website. Once inside, it uses the EternalRomance exploit to spread laterally within corporate networks.

Once activated, the malware works its way through the computer and encrypts the files it finds.

Then it deletes the originals and delivers a ransom note in the form of a readme file. It also changes the victim's wallpaper to a message demanding payment (0.05 bitcoin as ransom, roughly $280 at the current exchange rate) to restore the data.

How Does Bad Rabbit Ransomware Affect Users?

Bad Rabbit spreads through "drive-by attacks." According to an analysis by Kaspersky Lab, a malware dropper is downloaded from the threat actor's infrastructure while the victim is visiting a legitimate, but compromised, site.

As operating systems and antimalware tools now include protection against ransomware, Bad Rabbit has adapted by bundling legitimate, standard encryption software, such as the open-source DiskCryptor, rather than relying on custom encryption code. Bad Rabbit has incorporated these improvements to make it more powerful, effective, and dangerous.

Along with the standard ransomware functionality, Bad Rabbit checks for a specific file before infecting a system, scans the processes running on the local system for antimalware software, and performs anti-forensic steps to make investigation of a breach more difficult. It also accepts an additional command-line argument that skips the credential theft and lateral movement parts of the attack.

Although most of the victims of these attacks are located in Russia, there have been similar but fewer attacks in Ukraine, Turkey, and Germany. The ransomware has infected devices through a number of hacked Russian media websites, such as the Interfax news agency and Fontanka.ru. Odessa International Airport reported a cyber attack on its information system, though it is not clear whether this was the same attack.

How to Avoid Being a Victim of Ransomware

Here at Soaring Eagle, we advise our customers to:

  • Make sure that all protection mechanisms are activated as recommended
  • Update the antivirus databases immediately
  • Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat
  • Disable the WMI service to prevent the malware from spreading over your network
  • Back up your data
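The following PowerShell script, added here as an example and not taken from the original post, puts the two file-related bullets above into practice on a single Windows host: it checks for the two Bad Rabbit file paths, optionally pre-creates them as empty placeholders with an access-denying ACL so nothing can be written to or executed from those locations, and reports (or, with the switch, disables) the WMI service. It assumes an elevated PowerShell session and uses the hypothetical `-Harden` switch to separate checking from changing.

```powershell
# Added example (not from the original post). Assumes an elevated session.
# Without -Harden the script only reports; with -Harden it applies the
# post's mitigations (placeholder files with deny ACLs, WMI disabled).
param([switch]$Harden)

# The two paths named in the post; $env:SystemRoot is normally C:\Windows.
$paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        # Heuristic (an assumption of this example): a non-empty file at one
        # of these paths is a strong indicator of infection, while an empty
        # one is the placeholder created below.
        if ($item -and $item.Length -gt 0) {
            Write-Warning "Found $p ($($item.Length) bytes): treat this host as possibly infected"
        } else {
            Write-Output "Placeholder already present: $p"
        }
    } elseif ($Harden) {
        # Create an empty placeholder and strip every access right so that
        # the dropper can neither overwrite nor execute a file at this path.
        New-Item -ItemType File -Path $p -Force | Out-Null
        icacls $p /inheritance:r /deny "Everyone:(F)" | Out-Null
        Write-Output "Created and locked down $p"
    } else {
        Write-Output "Not present: $p"
    }
}

# The post recommends disabling WMI while the outbreak is active.
# Winmgmt is the service name of Windows Management Instrumentation.
$wmi = Get-Service -Name Winmgmt
Write-Output "WMI service (Winmgmt) status: $($wmi.Status), start type: $($wmi.StartType)"
if ($Harden -and $wmi.Status -eq 'Running') {
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
    Write-Output "WMI service stopped and disabled"
}
```

Run it without arguments first to see what it would find; stopping WMI also stops services that depend on it, so apply `-Harden` only on hosts where that is acceptable.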

These precautions should be sufficient. However, if you need further advice, do not hesitate to contact us.
