Bad Rabbit Ransomware Outbreak Spreading in Russia and Europe

Bad Rabbit Ransomware

A new ransomware built on a modified version of the infamous NotPetya has been detected in a number of countries. The new malware, named Bad Rabbit, encrypts the target computer and spreads through its network. To decrypt the system, users are coerced into paying a ransom of 0.5 Bitcoin. The malware is distributed through compromised websites injected with JavaScript code that redirects users to a dropper site. Bad Rabbit has been most prevalent in Russia and Ukraine, but isolated cases have also been detected in other countries.

The Bad Rabbit ransom note bears a striking similarity to the one used in the Petya outbreak.


The malware uses drive-by downloads as its infection vector. Users are directed to a compromised website that requests a Flash update. This fake update leads users to the dropper site hxxp://1dnscontrol[.]com/flash_install.php, where the malware is hosted. The downloaded file, named install_flash_update.exe, must be run manually by the user with administrator privileges. Once a machine is infected, the malware is capable of infecting other computers on the network.
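As an added example (not from the article), the following script scans proxy-log lines for the drop chain described above, using only the two indicators the article gives (the dropper URL and the file name). The log format, the client addresses and every host other than the dropper domain are constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# De-fanged indicators exactly as the article prints them.
DROPPER_URL_DEFANGED = "hxxp://1dnscontrol[.]com/flash_install.php"
DROPPER_FILENAME = "install_flash_update.exe"

def refang(indicator):
    # Turn a de-fanged indicator (hxxp, [.]) back into a matchable URL.
    return re.sub(r"^hxxp", "http", indicator, flags=re.I).replace("[.]", ".")

_u = urlparse(refang(DROPPER_URL_DEFANGED))
DROPPER_HOST, DROPPER_PATH = _u.hostname, _u.path

# Constructed sample proxy log (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2017-10-24T10:01:02Z 10.0.0.15 GET http://news.example.test/index.html 200
2017-10-24T10:01:05Z 10.0.0.15 GET http://1dnscontrol.com/flash_install.php 200
2017-10-24T10:01:09Z 10.0.0.15 GET http://1DNSCONTROL.com/install_flash_update.exe 200
2017-10-24T10:02:30Z 10.0.0.22 GET http://cdn.example.test/install_flash_update.exe 200
2017-10-24T10:03:00Z 10.0.0.31 GET http://intranet.example.test/flash_install.php 200
"""

def classify(url):
    # Return a reason string if the URL matches the drop chain, else None.
    u = urlparse(url)
    host = (u.hostname or "").lower()  # hostname is already lower-cased by urlparse
    if host == DROPPER_HOST and u.path == DROPPER_PATH:
        return "dropper-page"
    if host == DROPPER_HOST:
        return "dropper-host"
    if u.path.rsplit("/", 1)[-1].lower() == DROPPER_FILENAME:
        # Same file name on another host: weaker signal, worth triage but not the IoC itself.
        return "suspicious-filename"
    return None

def scan(log_text):
    # Return (client, url, reason) for every matching request, in log order.
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        _, client, _, url, _ = fields[:5]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits

if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{reason:20} {client:12} {url}")
```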

The encryption module is based on the open-source software DiskCryptor, which is used to lock the files. The encryption algorithms used are AES-128-CBC and RSA-2048. According to security researchers at CrowdStrike, Bad Rabbit is based on the Petya/NotPetya ransomware that ravaged the world earlier this year. The new ransomware shares at least 60 percent of its code with the original Petya/NotPetya. This variant, however, lacks the infamous NSA tool EternalBlue. Another interesting addition in the code is the inclusion of variables named after the dragons of Game of Thrones.


It seems the attackers behind Bad Rabbit are Game of Thrones fans.

Many major organizations in Russia and Ukraine have been affected. According to analysts at Kaspersky Lab, these attacks appear to be explicitly targeting corporate networks. In Russia, three media organizations have been affected by Bad Rabbit. Meanwhile, in Ukraine, key infrastructure such as Kiev's Metro and the Odessa International Airport have reported being affected by the malware campaign. Other countries where Bad Rabbit has been detected include South Korea, Turkey, Poland, Japan, Bulgaria, Germany and the United States.

Code aside, a number of factors make Bad Rabbit's campaign and the Petya/NotPetya outbreak similar. For starters, this outbreak began its expansion mostly in Russia and Ukraine, just like the former. Furthermore, organizations previously affected by Petya/NotPetya, such as Kiev's Metro system and the Odessa International Airport, are being targeted again. While Bad Rabbit is not on the same level as WannaCry and NotPetya in terms of spread, it has still infected a large number of organizations and individuals, and the number of infections is expected to rise in the coming days.
