This year’s global outbreaks of the WannaCry and Petya/GoldenEye ransomware variants shook the tech and business world. Traditionally designed as a for-profit malware scheme, ransomware encrypts important files on computers and demands a ransom to give you access to them again.
These cyberattacks mainly targeted outdated and unpatched Windows machines, which are vulnerable to a variety of NSA hacking tools leaked earlier this year. Since the flaws are wormable, the attacks even prompted Microsoft to make an unusual move – it released a patch for the now obsolete and unsupported operating systems to protect the apparent millions of users still using this outdated software.
Now, it appears that a new variant of the Petya ransomware is once again spreading rapidly, crippling key government offices, transportation services and corporations around the globe. But is it what it seems?
This new ransomware attack has spread across Russia, Ukraine, Turkey and Bulgaria, crippling multiple news organizations and transportation systems in its wake. There are also reports that the attack has reached targets in the U.S.
The new ransomware strain, named “Bad Rabbit” by its authors, is suspected to be a new variant of Petya and it operates quite similarly – it encrypts the files of a target computer then demands a ransom to restore the files.
In Bad Rabbit’s case, its authors are demanding a ransom of 0.05 Bitcoin, equivalent to around $282. The ransom note also displays a 41-hour countdown timer that threatens the victim to pay up before it hits zero or else, the ransom goes up.
According to Russian cybersecurity company Group-IB, Bad Rabbit has already taken down at least three Russian news organizations including the privately owned Interfax news agency.
In fact, if you visit Interfax’s main page you’ll be greeted with this statement: “Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience.”
Smaller Russian news agencies Fontanka and 47news.ru have also reported outages because of the attacks.
Fontanka wrote on its official Facebook page: “The Fontanka server has been attacked by hackers. The site may be unavailable for several hours. We continue to make news. Read us in our official accounts in social networks, VKontakte and Facebook.”
Three other major Ukranian organizations, including the country’s Ministry of Infrastructure and transportation services like the Kiev Metro and the Odessa International Airport, have also been shut down due to the attacks.
Odessa Airport posted on its Facebook page that its information system has suffered a hacker attack that is responsible for a delay of its flights.
How is Bad Rabbit spreading?
It’s still unclear how the Bad Rabbit attacks started but security researchers believe it is spreading via drive-by downloads via poisoned websites.
American cybersecurity firm CrowdStrike Intelligence said that it traced the origin of the attacks to a Russian and Eastern European news and gossip site argumentiru.com.
Lukas Stefanko of ESET tweeted that Bad Rabbit is coming from a fake Flash update that’s using the same NSA EternalBlue exploit that WannaCry and Petya used. This also means that Bad Rabbit acts like a worm and will look for other computers with similar vulnerabilities in the network.
This explains why it’s spreading rapidly – once a machine is infected with the initial payload, all other computers on the network are susceptible to the attack.
— Lukas Stefanko (@LukasStefanko) October 24, 2017
Kasperky Lab researchers also noted that this is a targeted attack against corporate networks using methods similar to the Petya attacks. However, they are saying that it’s still too early to determine if the two strains are directly related.
The company said that no hacking exploits were used to install Bad Rabbit on the initial victim’s system. The malware dropper, the fake Flash update, in this case, needs to be manually downloaded and installed by the victim.
However, some security experts are questioning the financial motive behind Bad Rabbit. Like its predecessor Petya, these current attacks may not be ransomware-for-profit schemes at all, rather, they’re just smokescreens for a more sophisticated payload embedded in the attack.
Regarding the global impact of Bad Rabbit, Avast has reported that Bad Rabbit has already been detected in Russia, Ukraine, Poland, South Korea and the U.S. and since it’s still an ongoing attack, it has the potential to spread even farther.
Amidst the ongoing investigations, one trivial but interesting detail about the attacks has emerged. The culprits appear to be fans of the show “Game of Thrones.” As noticed by FireEye security researcher Nick Carr, Big Rabbit’s code contains references to the novel and show’s dragons: Viserion, Drogon and Rhaegal.
Named scheduled tasks for persistence & privesc
— Nick Carr (@ItsReallyNick) October 24, 2017
How to protect yourself from ransomware
This is still a developing story so the specifics may still change but here are a few tips to shield yourself from ransomware attacks:
- Back up data regularly – this is the best way to recover your critical data if your computer is infected with ransomware.
- Make sure your backups are secure – do not connect your backups to computers or networks that they are backing up.
- Have strong security software – this will help prevent the installation of ransomware on your gadget.
Backing up your critical data is an important safety precaution in the fight against ransomware. It’s the best way to recover your files without paying a ransom.
We recommend using our sponsor IDrive. You can backup all your PCs, Macs and mobile devices into ONE account for one low cost! Protect your data IDrive today to save 50% on all your backup needs and get 2TB of storage for less than $35!
If anyone ever emails you Word docs, you’re a target of this nasty scam.
It’s not just ransomware that you need to watch out for. There’s another scam that’s spreading via Word email attachments.