Attack of the encryption trojan Bad Rabbit

Some time has passed since the last huge wave of ransomware attacks was detected. Now a new type has appeared, and it is causing considerable damage. The trojan has been especially successful in Eastern Europe and Russia, where it infected several companies. But Germany has seen those attacks, too.

The malware is called Bad Rabbit, named after a specific site in the darknet where the victims are supposed to pay the ransom. It encrypts local data and demands 0.05 Bitcoins to provide the decryption key. At recent exchange rates this amounts to 293 USD or 255 Euro.

Down the Rabbit-Hole

The crypto-trojan spreads mainly through compromised news sites. By using so-called watering hole attacks, the cyber criminals can target certain user groups and companies. If a user visits an infected website, an automated drive-by download is initiated and a forged Adobe Flash update is downloaded. As soon as this file is executed, Bad Rabbit enters the system, and all data is encrypted after a forced reboot of the computer.

 

 

[Figure: Payment page in the TOR network]

 

 

Like WannaCry and Petya before it, Bad Rabbit can spread within a network. However, instead of using the EternalBlue exploit in version 1.0 of the SMB protocol, the malware infects other computers through Windows Management Instrumentation (WMI). To prevent Bad Rabbit from spreading locally, it is advisable to deactivate WMI if it is not in use.

Hornetsecurity recognizes the malware and protects with URL rewriting

The URL rewriting feature of Hornetsecurity Advanced Threat Protection recognizes Bad Rabbit on compromised websites and blocks it. Using Hornetsecurity ATP, you can continue clicking on news links in your emails without fear of catching the malware.

 

Our recommendations

Nevertheless, we recommend that you create backups on a regular basis and that you do not download unknown files, let alone execute them. Adobe Flash updates in particular should only be downloaded from the software producer itself. In case of an infection, do not pay the ransom, because it is unclear whether you will receive the keys necessary to recover your files.
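
The recommendation to accept Flash updates only from the software producer can be checked after the fact in web proxy logs. The following is an added example, not Hornetsecurity's code: the log format, the `adobe.com` allow-list and all host names are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as the software producer's own download hosts.
TRUSTED_SUFFIXES = ("adobe.com",)
# Flash-themed installer names at the end of the URL path.
FLASH_FILE = re.compile(r"flash[^/]*\.(exe|msi|dmg|scr)$", re.IGNORECASE)

def is_trusted_host(host):
    """True only for a trusted domain itself or a real subdomain of it.

    A substring test would wrongly accept look-alikes such as
    'get.adobe.com.updates.example.net'.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_flash_downloads(log_lines):
    """Return (client, url) pairs for Flash-named installers from untrusted hosts.

    Assumed log format: '<timestamp> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, client, method, url, status = parts
        if method != "GET" or status != "200":
            continue
        u = urlsplit(url)
        # .hostname drops port and userinfo, so 'adobe.com@host' resolves to 'host'
        host = u.hostname or ""
        if FLASH_FILE.search(u.path) and not is_trusted_host(host):
            hits.append((client, url))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "t1 10.0.4.17 GET http://news.example.org/article/123 200",
    "t2 10.0.4.17 GET http://cdn.example.net/flash_update.exe 200",
    "t3 10.0.4.22 GET https://get.adobe.com/flashplayer/flash_update.exe 200",
    "t4 10.0.4.31 GET http://get.adobe.com.updates.example.net/FlashPlayer.exe 200",
    "t5 10.0.4.40 GET http://adobe.com@dl.example.net/flash_setup.exe 200",
    "t6 10.0.4.41 GET http://cdn.example.net/flash_update.exe 404",
]

if __name__ == "__main__":
    for client, url in suspicious_flash_downloads(SAMPLE_LOG):
        print(f"{client} fetched Flash-named installer from untrusted host: {url}")
```

Clients returned by this check are candidates for follow-up, since the file only does damage once it is executed.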