On October 24, 2017, Bad Rabbit was discovered impacting Eastern European government agencies and private businesses, including the Odessa airport and Ukraine's Kiev subway system, the Ukrainian Ministry of Infrastructure, three Russian news agencies and several organizations in Bulgaria and Turkey, with a small percentage of infections detected in the US. Bad Rabbit targets Windows OS and is distributed via a watering hole attack in which victims are redirected from compromised websites to a malicious site that hosts the ransomware's executable masquerading as an Adobe Flash update. Once the malicious executable is installed, Bad Rabbit begins encrypting files and then overwrites the Master Boot Record (MBR) with the ransom note before rebooting the system. It spreads laterally through networks via vulnerable and unpatched SMBv1 ports - the same method used by the WannaCry and NotPetya variants - after using Mimikatz to extract login credentials from the infected system's memory. Security analysts believe Bad Rabbit's code could be based on DiskCryptor, an open-source disk encryption utility, similar to the HDDCryptor variant that impacted San Francisco's public transit system last year. Bad Rabbit does not append new extensions to the names of encrypted files, as is typical with most ransomware variants, but instead appends the file marker string "encrypted" to the end of every encrypted file. Bad Rabbit demands a ransom payment of 0.05 Bitcoin and threatens to increase the price if the ransom is not paid in approximately 40 hours.
- Bleeping Computer provides more information about Bad Rabbit here.
- The NJCCIC is not currently aware of any free decryption tool available for Bad Rabbit. However, security researchers reportedly developed a vaccine to prevent Bad Rabbit infections. Bleeping Computer provides vaccination instructions here. (The NJCCIC advises using caution before making any system changes.) Additionally, Microsoft published an alert stating that Windows Defender has been updated to protect systems against Bad Rabbit.
- Additionally, as Bad Rabbit does not delete Shadow Volume Copies, victims may be able to recover some of their files.
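Because Bad Rabbit leaves file names unchanged, responders cannot triage by extension; the profile above notes that the only on-disk marker is the string "encrypted" appended to the end of each encrypted file. The following script is an added example (not NJCCIC's code, and not a tool referenced by the profile) that sweeps a directory for files ending in that marker and adds a byte-entropy check on the file head as a second signal. It assumes the marker is the literal ASCII bytes "encrypted" at the very end of the file, and the 7.0 bits/byte entropy cut-off is an assumed heuristic, not a value from the profile. The sample files it scans are constructed inline so the script runs offline.

```python
import math
import os
import tempfile
from collections import Counter

# The profile states Bad Rabbit keeps file names unchanged and appends the
# marker string "encrypted" to the end of every encrypted file. This example
# assumes the marker is those literal ASCII bytes at the very end of the file.
MARKER = b"encrypted"
HEAD_BYTES = 4096          # how much of the file head to sample for entropy
ENTROPY_THRESHOLD = 7.0    # bits/byte; assumed cut-off between ciphertext and ordinary content


def shannon_entropy(data):
    """Shannon entropy in bits per byte of the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_trailing_marker(path, marker=MARKER):
    """True if the file's last len(marker) bytes equal the marker."""
    size = os.path.getsize(path)
    if size < len(marker):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(marker))
        return fh.read(len(marker)) == marker


def scan(root, marker=MARKER, threshold=ENTROPY_THRESHOLD):
    """Walk root and report files that end in the marker.

    Returns a sorted list of (relative_path, head_entropy, likely_ciphertext).
    The entropy flag is a second signal: a plain-text file whose last word
    happens to be "encrypted" carries the marker but not the high entropy of a
    ciphertext body, so it is reported but not flagged.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not has_trailing_marker(path, marker):
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            ent = round(shannon_entropy(head), 2)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, ent, ent >= threshold))
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed sample files (not real artifacts) under root."""
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        # uniform byte distribution stands in for ciphertext (entropy = 8.0 bits/byte)
        "docs/report.docx": bytes(range(256)) * 16 + MARKER,
        # benign text that merely ends with the word "encrypted" (false-positive case)
        "notes.txt": b"This file is not encrypted",
        # untouched file: no marker at all
        "image.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


def demo_scan():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, ent, flagged in demo_scan():
        print(f"{rel:20s} entropy={ent:.2f} likely_ciphertext={flagged}")
```

Run against a real volume by calling `scan("/path/to/share")`; only files carrying the trailing marker are returned, and the entropy column separates the ones whose content actually looks like ciphertext from coincidental matches such as a text file that ends with the word "encrypted". Files listed with the flag set are candidates for restoration from the Shadow Volume Copies the profile notes Bad Rabbit leaves in place.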