Bad Rabbit Ransomware Sweeps Across Europe And Russia Infecting Media Outlets, Airports
This has been a bad year for wide-scale ransomware attacks, in which malware encrypts a user's computer and demands payment to unlock the machine. The two major ransomware attacks of 2017 so far are WannaCry and ExPetr (also called Petya and NotPetya). The hackers behind WannaCry cashed out their bitcoin ransom in August, netting about $143,000. The year is almost over, but another major ransomware attack is underway, and it is called Bad Rabbit.
Kaspersky says that Bad Rabbit has infected several major Russian media outlets, with the Interfax and Fontanka.ru news agencies among the first confirmed victims. Odessa International Airport has also reportedly stated it has been the victim of a cyber attack, but at this time it's unclear if Bad Rabbit is the source of that attack.
Once a machine is infected, the Bad Rabbit ransom note asks for 0.05 bitcoin, which is about $280 at the current exchange rate. Perhaps the most nerve-racking part about Bad Rabbit, according to Kaspersky, is that it doesn't attack using exploits.
Kaspersky's Alex Perekalin writes, "According to our findings, the attack doesn’t use exploits. It is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Our researchers have detected a number of compromised websites, all news or media sites."
That means all you need to do is visit the infected websites and your machine could be infected. It's not clear at this time if it's possible to get the encrypted files back, either by paying the ransom or by exploiting some glitch in the ransomware code to decrypt the files. Kaspersky Labs notes that it is currently investigating the ransomware and will post more information as it becomes available.
Perekalin writes, "According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr."
Kaspersky Labs says that to help prevent infection you can block the execution of the files c:\windows\infpub.dat and c:\windows\cscc.dat. You can also disable the WMI service to prevent the malware from spreading across a network.
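One way to apply both mitigations on a single Windows host is sketched below as an added example; it is not code from Kaspersky or from the original article. It assumes that "blocking execution" is done with a deny ACL on empty placeholder files (the article does not name a mechanism), and it makes the WMI step opt-in through a hypothetical `-DisableWmi` switch, because management and monitoring tools commonly depend on that service.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kaspersky's code. Applies the two mitigations on one host.
param(
    [switch]$DisableWmi   # hypothetical switch: WMI is only disabled on request
)

# File paths exactly as given in the article.
$paths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

# Well-known SID for Everyone; avoids localized account names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        if ($item.Length -gt 0) {
            # Non-empty file that this script did not create: leave it untouched
            # for incident response instead of modifying possible evidence.
            Write-Warning "$path exists ($($item.Length) bytes). Investigate this host."
            continue
        }
    }
    else {
        # Assumption: an empty placeholder holds the name so the ACL below applies.
        New-Item -ItemType File -Path $path | Out-Null
    }

    # Assumption: execution is blocked with an explicit deny ACE; application
    # control policies are another way to get the same effect.
    $acl  = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, 'ExecuteFile, Write', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "Deny execute/write ACE set on $path"
}

if ($DisableWmi) {
    # Winmgmt is the service name of Windows Management Instrumentation.
    Stop-Service -Name Winmgmt -Force
    Set-Service  -Name Winmgmt -StartupType Disabled
    Write-Output 'WMI service stopped and disabled'
}
```

A warning about an existing non-empty file means the host should be handled as a possible infection rather than hardened in place.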