Site icon Sophos News

Bad Rabbit ransomware outbreak

Rabbit

Organizations in Russia and Ukraine were under siege on Tuesday 24 October 2017 from Bad Rabbit, a strain of ransomware with similarities to NotPetya.

By evening, the outbreak was reportedly spreading into Europe, including Turkey and Germany. Victims reported so far include airports, train stations and news agencies.

Russia’s Interfax news agency reported on Twitter that the outbreak had felled some of its servers, forcing Interfax to rely on its Facebook account to deliver news.

Starts with social engineering

The Bad Rabbit outbreak appears to have got its start via files on hacked Russian media websites, using the popular guise of pretending to be an Adobe Flash installer.

If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware. These credentials include passwords straight out of a worst passwords list. Another reminder, if one were needed, that all your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.

From there, it encrypts not only your files, adding encrypted at the end of each filename, but also your computer’s MBR (Master Boot Record). You are then greeted with the following message and asked to submit payment via a Tor hidden service (an anonymous Dark Web website):

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible. 
You Might have been looking for a way to recover your files. 
Don't waste your time. No one will be able to recover them 
without our decryption service.

We guarantee that you can recover all your files safely. 
All you need to do is submit the payment and get the 
decryption password.

Visit our web service at [redacted]

If you visit the Bad Rabbit website using the Tor Browser, you will be “invited” to pay a fee for the decryption key; at the time of writing [2017-10-25T16:45Z], the crooks were demanding XBT 0.05 (1/20th of a Bitcoin), currently about $280:

Defensive measures

Sophos currently blocks the Bad Rabbit malware as Troj/Ransom-ERK.

Additionally, Sophos Intercept X proactively prevents the malware from attacking your data: the CryptoGuard component stops the ransomware from scrambling your files, and WipeGuard prevents the low-level disk writes that modify the boot sector.

(For further information about Sophos protection, please see our Support Knowledge Base article entitled Bad Rabbit ransomware: What to do.)

Here are some general tips to raise your defenses againt this sort of outbreak:

For more information about ransomware read How to stay protected against ransomware, or listen to our Techknow podcast:

LISTEN NOW

(Audio player above not working? Download, or listen on Soundcloud.)

If you’re a home user, why not register for the free Sophos Home Premium Beta? This includes the CryptoGuard and WipeGuard features mentioned above that block the unauthorised scrambling of files and disk sectors.


Exit mobile version