A new strain of ransomware called as “Bad Rabbit” infects over 200 organizations in Russia, Ukraine, Turkey, and Germany. According to the researchers, the Bad Rabbit is a new variant of Petya ransomware because it also encrypts the data of victims or targeted systems and displays a ransom note of paying 0.05 bitcoin to get the decryption key.
Researchers at Kaspersky noticed that the ransomware is distributed via drive-by download attacks. The attackers are using fake Adobe Flash Player installer to execute the ransomware in systems.
“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” Kaspersky Lab said.
ESET researchers noticed that the Bad Rabbit using DiskCryptor tool which encrypts all the data present in the system by using RSA 2048 keys and they believes that the new variant of ransomware is not using EternalBlue exploit the vulnerability of SMB which was used in WannaCry and Petya ransomware.
Bad Rabbit scans for open SMB to send malware in the system and uses Mimikatz post-exploitation to extract the malware file and execute it in the system.
After encrypting all the files from the system the ransom note appears on the screen which asks the victim to log in to Tor browser link to make the payment and shows the 40 hours timer for payment.
Security researchers finding the way to decrypt or unlock the encrypted files without giving payment. If you want to be safe from this new Bad Rabbit ransom then don’t download software from any unofficial website or don’t open any spam links.