The previous string of ransomware attacks wreaked havoc on government and personal computer systems worldwide. This time the scale of the attack has increased several times over, with media organizations in Russia and Eastern Europe as the latest target. The new ransomware is known as Bad Rabbit and has caused the same panic as the earlier waves of similar ransomware attacks.
However, in order to curb its effect and know how to tackle the issue, experts have compiled 10 things that are known about this ransomware attack. Please pay attention to the points listed below:
Russia and Eastern Europe are the first target
The largest attacks have hit Russian and Ukrainian computer systems, with a smaller impact in Germany and Turkey. Antivirus researchers say its impact has also been felt in Poland and South Korea. The Russian internet security company Group-IB has confirmed that three media organizations were hit by the virus. At present the number of targets is estimated at 200, but the outbreak is still going unchecked.
It’s 100% Ransomware
Victims of the Bad Rabbit attack found it to be much the same as previous ransomware attacks. Bad Rabbit also presents users with a ransom note saying that their files are no longer accessible and cannot be recovered without the attacker’s decryption service. Those affected are directed to a payment page with a countdown timer of around 40 hours, after which the ransom amount increases. The encryption is performed with DiskCryptor, a legitimate open source utility for full disk encryption, and the unlock key is generated using CryptGenRandom.
Spreads mostly via fake update or compromised webpage
When Bad Rabbit first appeared, it was speculated that, like WannaCry, it would use the EternalBlue exploit to do maximum damage. However, this does not appear to be the case this time, as there is no evidence of EternalBlue being used to spread the infection.
No identification of the attacker
It is still not known who is responsible for this attack. The previous Petya attacks have led experts to believe that the same group created Bad Rabbit. The attacks on Russian computers have also dispelled the speculation that a Russian group could be responsible.
Game of Thrones references
The unidentified individual or group behind this attack seem to be fans of the Game of Thrones television series. The code contains references to the dragons of the series, namely Viserion, Drogon and Rhaegal.
It resembles Petya
The ransom note shown by Bad Rabbit looks eerily similar to the one from the Petya ransomware attacks, and Bad Rabbit shares the same elements that were found in Petya. Various virus detection analysts have found that the Bad Rabbit and NotPetya DLL files share a massive 67% of the same code.
Bad Rabbit can easily spread across networks
Bad Rabbit has an SMB component that lets it infect as many computers as possible by spreading across the networks it reaches. A simple set of username and password combinations is enough for it to brute-force its way across an entire network.
Bad Rabbit does not infect computers indiscriminately; it has been designed to hit specific targets. Experts suggest that the majority of attacks are aimed at corporate networks. It has also been speculated that the script injected into an infected website can determine whether a visitor is a suitable target. However, the reason for attacking media organizations in Russia and Ukraine cannot be determined at present.
How can I stay protected against Bad Rabbit attack?
At present there is no confirmation that the encrypted files can be decrypted by paying the ransom. Experts advise against paying the fee, as it only encourages further attacks on others.
A number of antivirus and data protection companies have offered products to handle Bad Rabbit. However, if you want to be sure of not falling prey to this attack, make sure you block the following files to prevent the infection:
C:\windows\infpub.dat and C:\Windows\cscc.dat
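One way to apply that file block on a Windows host, written here as an added example rather than code from the article or from any vendor product: the script pre-creates the two file names above as empty placeholders and puts a deny-all ACL on them so the dropper cannot write its own copies there. Only the two file names come from the article; using $env:SystemRoot (C:\Windows on a default install) and the deny-for-Everyone ACL are this example's own assumptions.

```powershell
# Added example: block the two Bad Rabbit file names named in the article.
# Run from an elevated (Administrator) PowerShell prompt.
# Assumption: $env:SystemRoot resolves to C:\Windows on a default install.
$blockedFiles = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),
    (Join-Path $env:SystemRoot 'cscc.dat')
)

foreach ($path in $blockedFiles) {
    # Create an empty placeholder only if nothing is there yet.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
        Write-Host "Created placeholder: $path"
    } else {
        Write-Warning "Already present (check it is not a live dropper): $path"
    }

    # Step 1: cut inheritance so the parent folder's permissive ACEs no longer apply.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
    Set-Acl -LiteralPath $path -AclObject $acl

    # Step 2: remove any remaining explicit ACEs and add a deny-all for Everyone.
    $acl = Get-Acl -LiteralPath $path
    foreach ($rule in @($acl.Access)) {
        $null = $acl.RemoveAccessRule($rule)
    }
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Report the effective ACL so the change can be verified or logged.
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

The file owner (the account that ran the script) can still reset the ACL later, so the block is reversible; the warning branch is there because an existing infpub.dat or cscc.dat on the host is itself worth investigating before anything else is done.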