Bad Rabbit: a new ransomware affects Russia and Europe

Bad Rabbit is said to be similar to WannaCry, where systems are encrypted and a ransom is demanded in bitcoin.

Apurva Venkat Oct 25th 2017

After WannaCry and Petya, a new ransomware, ‘Bad Rabbit’, is affecting systems in Russia and Europe. According to a report by independent cybersecurity firm Kaspersky Lab, the attack has spread from hacked websites of Russian media organizations.

During a Bad Rabbit attack, the ransomware encrypts the systems and the victim organization has to pay bitcoins in return. Currently, those affected have been asked to pay 0.05 bitcoins as ransom. As of now, Interfax and Fontanka in Russia, and Odessa Airport and Kiev Metro in Ukraine, have been victims of the attacks. The cyber chief of Ukraine has confirmed to news organisations that the attack has taken place but said that the country was “barely affected”.

While no incidents of the attack have been reported from India, ransomware attacks of this kind happen en masse. Hence, Indian businesses need to be careful and stay alert.

Year of Big Attacks

This year, enterprises witnessed various large-scale cyber attacks that spread fast and ended up affecting many systems worldwide. In May this year, WannaCry ransomware attacked systems globally, and ended up affecting more than a million systems. Similar to Bad Rabbit, WannaCry also encrypted files, but the ransom demanded was USD 300 to USD 600 to release the files. Systems that had not updated their Microsoft Windows versions were the most prone to being affected by WannaCry.

During the WannaCry attack as well, victims were advised not to pay the ransom, as it would encourage more such attacks. Further, there is no guarantee that the data will be released.

“The infection attempts were referred from multiple sites simultaneously, indicating a widespread strategic web compromise campaign. FireEye has observed this malicious JavaScript framework in use since at least February 2017, including its usage on several of the sites from today’s attacks. The framework acts as a “profiler” that gathers information from those viewing the compromised pages, including host and IP address info, browser info, referring site, cookie from referring site. Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT dropper “flash update”),” says Nick Carr, Senior Manager, Detection and Analysis, FireEye.