Latest news and announcements

New ransomware worm BadRabbit

2017-11-09

On 24 October 2017, unknown actors released a new ransomware worm called BadRabbit, which is somewhat similar to the Petya worm. Initial infection was performed via compromised news websites, mostly Russian and Ukrainian ones, but also two in Bulgaria, one in the Czech Republic and one in Romania. Upon visiting a compromised site, the user is told that a Flash update needs to be installed. If the user accepts, the "update" turns out to be an executable file that releases the worm.

Similarly to Petya, this worm spreads only on local area networks (i.e., not over the Internet, like WannaCry). Unlike Petya, however, this worm does not use the NSA's EternalBlue exploit (it does use the related EternalRomance exploit). Its main method of spreading is to log on to the SMB network shares of neighbouring machines using a built-in list of common user names and passwords, together with credentials harvested from the already infected machine. Like Petya, BadRabbit encrypts the user's data files and then encrypts the hard disk, leaving the computer unusable.
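The spreading method described above, guessing credentials against the SMB shares of other machines on the LAN, leaves a characteristic trace on each targeted host: a burst of failed network logons (Windows Security Event ID 4625 with logon type 3) from a single source address against many different account names, often followed by a successful logon (Event ID 4624) from the same source once a guess works. The script below is an added example and is not code from the original announcement or from any published analysis of the worm. It runs over a constructed set of event records flattened to one line each (the field names follow the Windows event schema; the timestamps, addresses and account names are made up) and flags any source that failed against at least five distinct accounts within 60 seconds, reporting whether the same source later logged on successfully.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each line is a Windows Security event
# flattened to "<timestamp> key=value ...". EventID 4625 = failed logon,
# EventID 4624 = successful logon; LogonType 3 = network logon, which is what a
# connection to an SMB share produces. LogonType 2 = interactive (console) logon.
SAMPLE_EVENTS = [
    # One host hammering many accounts in a few seconds, then getting in as "backup".
    "2017-10-24T14:03:10Z EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=Administrator",
    "2017-10-24T14:03:10Z EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=Admin",
    "2017-10-24T14:03:11Z EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=Guest",
    "2017-10-24T14:03:11Z EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=User",
    "2017-10-24T14:03:12Z EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=root",
    "2017-10-24T14:03:12Z EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=backup",
    "2017-10-24T14:03:13Z EventID=4624 LogonType=3 IpAddress=10.0.5.23 TargetUserName=backup",
    # A user mistyping their password twice at the console: interactive, not spraying.
    "2017-10-24T14:05:01Z EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jsmith",
    "2017-10-24T14:05:09Z EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jsmith",
    "2017-10-24T14:05:20Z EventID=4624 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jsmith",
    # A server retrying one stale service credential over SMB: a single account, not spraying.
    "2017-10-24T14:06:00Z EventID=4625 LogonType=3 IpAddress=10.0.5.40 TargetUserName=svc_backup",
    "2017-10-24T14:06:30Z EventID=4625 LogonType=3 IpAddress=10.0.5.40 TargetUserName=svc_backup",
]


def parse_event(line):
    """Split one flattened record into a dict of fields plus a parsed Timestamp."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["Timestamp"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_credential_spraying(lines, min_accounts=5, window=timedelta(seconds=60)):
    """Return {source_ip: details} for every source whose failed network logons
    covered at least `min_accounts` distinct account names inside any `window`.

    Only LogonType 3 events are considered, so console password typos are ignored,
    and a single stale credential retried many times never reaches the threshold
    because it is always the same account name.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, account)]
    successes = defaultdict(set)  # ip -> {account}
    for line in lines:
        ev = parse_event(line)
        if ev.get("LogonType") != "3":
            continue
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append((ev["Timestamp"], ev["TargetUserName"]))
        elif ev["EventID"] == "4624":
            successes[ev["IpAddress"]].add(ev["TargetUserName"])

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window over the time-ordered failures from this source.
        lo = 0
        flagged_at = None
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({account for _, account in events[lo:hi + 1]}) >= min_accounts:
                flagged_at = events[lo][0]
                break
        if flagged_at is None:
            continue
        tried = {account for _, account in events}
        alerts[ip] = {
            "window_start": flagged_at,
            "accounts_tried": sorted(tried),
            # Accounts that were guessed and then used for a successful network logon.
            "succeeded_as": sorted(successes[ip] & tried),
        }
    return alerts


if __name__ == "__main__":
    for ip, details in find_credential_spraying(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(details['accounts_tried'])} accounts tried from "
              f"{details['window_start']:%H:%M:%S}, succeeded as {details['succeeded_as']}")
```

In a real deployment the records would come from the domain's collected Security logs rather than a list in the script, and the threshold and window would be tuned to the environment, but the signal itself is the one the worm cannot avoid producing: it has to try the same short list of names against every host it can reach.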

Unlike Petya, the disk encryption is performed with a legitimate third-party disk encryption program (DiskCryptor). Also unlike Petya, BadRabbit does not destroy the encryption key, so, at least in theory, the encrypted machines can be restored if the ransom is paid.

The victims of this worm are mostly in Russia (the websites of TASS and INTERFAX became inaccessible as a result) and, to a lesser degree, in Ukraine. Infected computers have also been reported in Turkey, Germany, Bulgaria and the USA.