Another ransomware campaign is rocking Russia and Ukraine. This one’s called BadRabbit, and it bears similarities to the GoldenEye/Petya/NotPetya not-quite-ransomware campaign that stole headlines in June, with the most notable difference being that it doesn’t rely on the EternalBlue exploit.
NotPetya became famous after it compromised tens of thousands of machines across 64 countries. It was originally believed to be a straightforward ransomware campaign, but researchers soon discovered that its perpetrators couldn’t restore affected files even if the ransom was paid. That led many to believe NotPetya was supposed to destroy information—perhaps in Ukraine, where the attack started—rather than hold it hostage.
In a blog post, Symantec said that although its technical analysis of BadRabbit is incomplete, it believes this campaign is truly ransomware. It spreads as a fake update to the soon-to-be-deceased Adobe Flash Player and then propagates to other devices on the same network. Once it’s on a system, it encrypts individual files and then performs a full disk encryption. On reboot, it displays a ransom note that asks for 0.05 Bitcoin, or roughly $280.
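The behaviour described above (many files rewritten with encrypted contents in a short window) is what host-based ransomware detection keys on. The following is an added example, not code from the article or from Symantec, and it makes no claim about how BadRabbit itself names or writes files: it scores a batch of recent file writes by Shannon entropy (encrypted output is close to 8 bits per byte, ordinary documents and text far lower) and raises an alert when a burst of high-entropy writes exceeds a threshold. The thresholds and the sample writes are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

# Assumed tuning: encrypted or compressed data sits near 8.0 bits/byte,
# plain text and typical office documents well below 7.0.
ENTROPY_THRESHOLD = 7.0
# Assumed tuning: one high-entropy file (a zip, a photo) is normal;
# a burst of them inside a short window is the ransomware signal.
MIN_SUSPICIOUS_FILES = 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_writes(writes, entropy_threshold=ENTROPY_THRESHOLD,
                    min_files=MIN_SUSPICIOUS_FILES):
    """writes: iterable of (path, content_bytes) captured in one time window.

    Returns (alert, suspicious_paths): alert is True when at least
    `min_files` writes in the window carry near-random contents.
    """
    suspicious = [path for path, data in writes
                  if shannon_entropy(data) >= entropy_threshold]
    return len(suspicious) >= min_files, suspicious


def _pseudo_ciphertext(size: int, seed: int) -> bytes:
    """Constructed stand-in for encrypted output: seeded uniform random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def benign_writes():
    """Constructed sample: a normal editing session, low-entropy documents."""
    report = ("Quarterly report. Revenue was flat; costs rose slightly. "
              "Action items are listed below.\n") * 20
    return [
        ("docs/report.txt", report.encode()),
        ("docs/notes.txt", b"meeting at 10, bring the slides\n" * 40),
        ("docs/config.ini", b"[main]\nretries=3\ntimeout=30\n"),
    ]


def ransomware_like_writes():
    """Constructed sample: the same kind of session after a mass encryption,
    where every document has been rewritten with near-random contents."""
    return [(f"docs/file_{i}.docx", _pseudo_ciphertext(2048, seed=i))
            for i in range(6)] + [("docs/readme.txt", b"untouched text file\n")]


if __name__ == "__main__":
    for label, batch in (("benign", benign_writes()),
                         ("ransomware-like", ransomware_like_writes())):
        alert, paths = classify_writes(batch)
        print(f"{label}: alert={alert}, suspicious={len(paths)}")
```

In a real deployment the write batches would come from a file-system audit feed (for example the write events an EDR agent already collects) rather than from in-memory samples, and the entropy score is best combined with other signals such as write rate, renames and honeypot files, because legitimately compressed or encrypted files also score high.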
Symantec also said BadRabbit is similar to Petya in that both use a self-propagation mechanism, display similar ransom notes, and “contain a component that targets the master boot record (MBR) of an infected computer, overwriting the existing MBR.” That doesn’t mean the attacks are related, however, because they could simply rely on the same techniques and tools. More analysis will be required to attribute BadRabbit to anyone.
Here’s what Symantec said about the threat posed by BadRabbit:
Organizations in particular are vulnerable to threats such as BadRabbit because of the infection mechanism they deploy. Once one computer on a network becomes infected, BadRabbit will attempt to copy itself to other computers on the network, which could potentially do serious damage to poorly secured networks. Although the threat largely appears to be confined to Russia at present, organizations should remain alert to the danger and ensure they are protected.
This is fast becoming the new normal. In addition to being wary of attachments, updates, and pretty much anything else you find on the internet, your best bet is probably to keep a backup of critical information. That way, even if your system is affected, you don’t have to worry about losing cherished photos or important documents. Try not to fall prey to these campaigns, but prepare for them like they’re an inevitability.