Bad Rabbit ransomware spreads around the globe as a fake Adobe Flash update


Internet users are being warned to treat Adobe Flash update prompts with a high degree of caution, because a fake update may instead deliver ransomware that locks up the computer until a payment is made to the attackers. Bad Rabbit asks for a 0.05 bitcoin ransom, around $280 at the time of the attack. Cybersecurity researchers say the attacks began on October 24, 2017, hitting Russian media companies and Ukrainian transportation systems. Infections have also been detected in other countries, including the U.S., Germany, Japan, South Korea and Turkey.

No doubt it's ransomware

Victims see a ransom note telling them their files are "no longer accessible" and that "no one will be able to recover them without our decryption service". They are then directed to a payment page hosted on Tor and shown a countdown timer: they have 40 hours to come up with the ransom before the price goes up. ZDNet reports that the disk encryption uses DiskCryptor, a legitimate, open-source full-disk encryption tool. The encryption keys are generated with the Windows CryptGenRandom API and then encrypted with an RSA-2048 public key hard-coded into the malware, so only the holder of the matching private key can recover them.

Photo of ransomware payment page courtesy of Kaspersky Lab.


Bad Rabbit based on Petya/NotPetya

Bad Rabbit may look familiar to anyone who followed the NotPetya attacks in June, and the resemblance is real: the two share the same basic building blocks. Researchers at CrowdStrike found that the Bad Rabbit and NotPetya DLLs (dynamic link libraries) share 67 percent of their code, a strong indication that the two are closely related and may even have been written by the same people. Researchers at Cisco Talos say Bad Rabbit also has another trick up its sleeve: an SMB component that lets it move laterally across an infected network and propagate without any user interaction. It spreads by guessing weak password combinations, such as simple numeric passwords and "password", against other machines on the network. According to CNN, malware researcher James Emery-Callcott said, "As far as I can see, the attacker's server is no longer live and most of the infected sites hosting the script that gives the Flash update prompt" have fixed the issue. "Fake Flash updates are an incredibly popular method of distributing malware these days. Hopefully, people will start to realize that when you get an unsolicited Flash update, it's generally going to be bad."
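The SMB spreading described above leaves a recognisable trace in Windows Security logs: one source host producing a burst of failed network logons (event 4625, logon type 3) against several accounts, sometimes followed by a success (event 4624) once a weak password matches. The following script is an added example written for this page, not code from the original article or from any of the researchers it quotes. It runs a simple sliding-window detector over a handful of constructed, flattened log lines (timestamp, event ID, source IP, target account, logon type); the IP addresses, account names, thresholds and line format are all assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real telemetry),
# flattened to: timestamp, EventID, source IP, target account, logon type.
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB/RPC).
# 10.0.0.15 is the assumed infected host trying a short list of weak credentials;
# 10.0.0.42 is an ordinary interactive (type 2) user who mistyped a password once.
SAMPLE_LOG = """\
2017-10-24T14:02:01 4625 10.0.0.15 Administrator 3
2017-10-24T14:02:01 4625 10.0.0.15 Admin 3
2017-10-24T14:02:02 4625 10.0.0.15 Guest 3
2017-10-24T14:02:02 4625 10.0.0.15 User 3
2017-10-24T14:02:03 4625 10.0.0.15 root 3
2017-10-24T14:02:03 4625 10.0.0.15 backup 3
2017-10-24T14:02:04 4624 10.0.0.15 backup 3
2017-10-24T14:02:04 4624 10.0.0.15 backup 3
2017-10-24T14:10:30 4625 10.0.0.42 jsmith 2
2017-10-24T14:10:45 4624 10.0.0.42 jsmith 2
"""

FAIL_THRESHOLD = 5          # assumed: failures per source needed to raise a finding
WINDOW = timedelta(minutes=5)  # assumed: sliding window for counting failures


def parse_log(text):
    """Parse the flattened log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, user, ltype = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "src": src,
            "user": user,
            "logon_type": int(ltype),
        })
    return events


def detect_credential_spray(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per source IP that produced >= fail_threshold network
    logon failures within `window`, listing the accounts tried and any account
    that logged on successfully from the same source shortly afterwards."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 3:          # only network logons (SMB-style access)
            by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            if len(in_window) < fail_threshold:
                continue
            end = in_window[-1]["ts"]
            tried = sorted({f["user"] for f in in_window})
            # A success from the same source inside (or shortly after) the burst
            # means one of the weak guesses worked: treat the host as compromised.
            succeeded = sorted({
                e["user"] for e in evs
                if e["event_id"] == 4624 and start["ts"] <= e["ts"] <= end + window
            })
            findings.append({
                "src": src,
                "first_failure": start["ts"],
                "failures": len(in_window),
                "accounts_tried": tried,
                "succeeded_as": succeeded,
            })
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_credential_spray(parse_log(SAMPLE_LOG)):
        print(f"{f['src']}: {f['failures']} failed network logons from "
              f"{f['first_failure']}, accounts tried {f['accounts_tried']}, "
              f"succeeded as {f['succeeded_as'] or 'none'}")
```

Restricting the count to logon type 3 is what keeps the interactive user at 10.0.0.42 out of the results; a real deployment would read the same fields from event 4625/4624 XML rather than a flattened text line, and would tune the threshold and window to the environment's normal background of failed logons.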