It’s another day, which means another round of ransomware. This time it’s a strain being called ‘Bad Rabbit’, and if the Bad Rabbit infections look familiar, they are: Bad Rabbit shares about 60%-70% of its code with the Petya ransomware that infected machines in June. This time the ransomware is spread by a phony Flash update that the victim is tricked into running. We’ve seen fake Flash updates for years, and in fact it was big news when it was found that Equifax and TransUnion websites were serving up malicious Flash updates via a third-party script. This underscores how important it is for users to stay vigilant while online: if something looks fishy, just don’t click it.
In Bad Rabbit’s case, the ransom follows the same model as its predecessors. It encrypts your files and demands payment to unlock them. The attackers are again asking for a relatively small amount of money to decrypt, 0.05 bitcoin, which is around $300. These low payout amounts may seem strange, but they are strategic: more people are willing to pay what they consider a small amount of money.
Bad Rabbit seems to be much slower moving than WannaCry or Petya. So far it has been slowly spreading through Russia and Eastern Europe. The interesting thing is that it may not be randomly infecting machines the way the previous two did, and may actually be a somewhat more targeted attack. This doesn’t mean it’s going to stay contained in Europe and Russia. As Petya and WannaCry showed, these ransomware attacks can start small but quickly grow. The good news is that this is a much easier ransomware to block than WannaCry. Bad Rabbit writes its payload to two .dat files, C:\Windows\infpub.dat and C:\Windows\cscc.dat. Users and admins can block those two files from being written or executed, which prevents Bad Rabbit from infecting the targeted machine: simply create both files in advance and remove all permissions on them, including inherited ones.
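The following PowerShell script is an added example of that blocking step; it is not from the original post. It pre-creates the two file names Bad Rabbit uses, strips every access control entry from them with icacls, and then verifies that the resulting DACL is empty so that no account, including the dropper running as the logged-on user, can overwrite or execute them. It assumes it is run from an elevated (administrator) prompt, since creating files under C:\Windows and rewriting their ACLs requires that.

```powershell
# Added example (not from the original post): "vaccinate" a Windows host
# against Bad Rabbit by reserving the two payload file names it writes.
# Must be run from an elevated PowerShell prompt.

$payloadFiles = @(
    (Join-Path $env:WINDIR 'infpub.dat'),
    (Join-Path $env:WINDIR 'cscc.dat')
)

foreach ($path in $payloadFiles) {
    # Create an empty placeholder if the dropper has not already written here.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # /inheritance:r disables inheritance and removes all inherited ACEs.
    # A freshly created file under C:\Windows carries only inherited ACEs,
    # so this leaves the DACL empty: nobody can read, write or execute it.
    icacls $path /inheritance:r | Out-Null

    # Verify: an empty DACL means zero access rules remain.
    # (Administrators still own the file, so Get-Acl can read its security descriptor.)
    $remaining = (Get-Acl -LiteralPath $path).Access.Count
    if ($remaining -eq 0) {
        Write-Host "OK      $path has no access entries; dropper cannot write its payload here."
    } else {
        Write-Warning "$path still has $remaining access entries; check for explicit ACEs with: icacls $path"
    }
}
```

Note that this is a vaccine for this specific variant only. It works because the dropper writes its payload to these exact paths and fails when it cannot; a future variant that uses different file names is not affected, and the script does nothing to stop lateral movement from an already-infected neighbour, so keep SMB patched and the fake Flash installer from being run in the first place.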