By evening, the outbreak was reportedly spreading into Europe, including Turkey and Germany. Victims reported so far include airports, train stations and news agencies.
Russia’s Interfax news agency reported on Twitter that the outbreak had felled some of its servers, forcing Interfax to rely on its Facebook account to deliver news.
Starts with social engineering
The Bad Rabbit outbreak appears to have got its start via files on hacked Russian media websites, using the popular guise of pretending to be an Adobe Flash installer.
If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware. These credentials include passwords straight out of a worst passwords list. Another reminder, if one were needed, that all your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.
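The lateral-movement behaviour above is why a weak-password blocklist matters on the inside of the firewall as much as on the outside. As an added example (not code from the article, from Sophos or from Blue Cube), here is a Python check that rejects any password appearing on a "worst passwords" list, after undoing the usual tricks of a trailing year or an "@" for an "a". The blocklist entries and the sample accounts are constructed for the example and are not the credential list carried inside the malware.

```python
# Added example (not from the article): a weak-password blocklist check of the
# kind NIST SP 800-63B recommends, so that no account on the network uses a
# credential that would match a built-in "worst passwords" list.
# WORST_PASSWORDS and the accounts under __main__ are constructed samples.

import re

# Constructed sample blocklist; a real deployment loads a far larger list.
WORST_PASSWORDS = {
    "123456", "password", "qwerty", "admin", "administrator",
    "letmein", "welcome", "root", "guest", "changeme",
}

MIN_LENGTH = 12

# Common single-character substitutions to undo before comparing.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalise(password: str) -> str:
    """Reduce a password to the base word an attacker's list would contain:
    lower-case it, drop trailing digits/punctuation, undo leet substitutions.
    'Welcome2017!' -> 'welcome', 'P@ssw0rd' -> 'password'."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(_LEET)


def check_password(password: str, blocklist=WORST_PASSWORDS) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare both the raw lower-cased value and its normalised base word.
    if password.lower() in blocklist or normalise(password) in blocklist:
        problems.append("matches a known weak password")
    return problems


def audit_accounts(accounts: dict, blocklist=WORST_PASSWORDS) -> dict:
    """Map each failing account name to its list of problems."""
    failing = {}
    for user, pw in accounts.items():
        problems = check_password(pw, blocklist)
        if problems:
            failing[user] = problems
    return failing


if __name__ == "__main__":
    # Constructed sample accounts (not real credentials).
    sample = {
        "svc_backup": "Welcome2017",
        "admin": "P@ssw0rd2017!",
        "alice": "correct horse battery staple",
    }
    for user, problems in audit_accounts(sample).items():
        print(f"{user}: {', '.join(problems)}")
```

The normalisation step is what makes the check useful: a list that only contains "welcome" would otherwise be bypassed by "Welcome2017!", which is exactly the sort of variant that ends up in a malware author's built-in credential list.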
From there, it encrypts not only your files, adding .encrypted at the end of each filename, but also your computer’s MBR (Master Boot Record). You are then greeted with the following message and asked to submit payment via a Tor hidden service (an anonymous Dark Web website):
If you visit the Bad Rabbit website using the Tor Browser, you will be “invited” to pay a fee for the decryption key; at the time of writing [2017-10-25T16:45Z], the crooks were demanding XBT 0.05 (1/20th of a Bitcoin), currently about $280:
Sophos currently blocks the Bad Rabbit malware as Troj/Ransom-ERK.
Additionally, Sophos Intercept X proactively prevents the malware from attacking your data: the CryptoGuard component stops the ransomware from scrambling your files, and WipeGuard prevents the low-level disk writes that modify the boot sector.
(For further information about Sophos protection, please see the Support Knowledge Base article entitled Bad Rabbit ransomware: What to do.)
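The two behaviours the article describes, files being renamed with a .encrypted suffix and low-level writes to the boot sector (the behaviours CryptoGuard and WipeGuard are said to block), are also the ones to look for in endpoint telemetry. As an added example, not code from the article, from Sophos or from Blue Cube, the Python below replays file-activity log lines and raises an alert when one process renames many files to .encrypted within a short window, or writes to sector 0 of a physical disk. The log format, host names, process names, paths and thresholds are all constructed for this example; adapt the parser to whatever your own EDR or audit pipeline emits.

```python
# Added example (not from the article): replay file-activity log lines and flag
# mass renaming of files to a ".encrypted" suffix and raw writes to sector 0 of
# the boot disk. The log format, host and process names, paths and thresholds
# are constructed for this example.

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+)"
    r"(?: src=(?P<src>\S+))?(?: dst=(?P<dst>\S+))?(?: offset=(?P<offset>\d+))?$"
)
# Matches a raw device path such as \\.\PhysicalDrive0
RAW_DISK_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)

RENAME_THRESHOLD = 5              # this many .encrypted renames by one process ...
WINDOW = timedelta(seconds=10)    # ... within this window raise an alert

# Constructed sample log (not real telemetry): one process renames six files in
# nine seconds and then writes to the start of the boot disk; a backup agent
# renames a single file; one line is malformed and must be skipped.
SAMPLE_LOG = r"""
2017-10-24T14:02:01Z ws-17 pid=4132 proc=unknown_update.exe op=RENAME src=C:\Users\alice\Docs\q3.xlsx dst=C:\Users\alice\Docs\q3.xlsx.encrypted
2017-10-24T14:02:02Z ws-17 pid=4132 proc=unknown_update.exe op=RENAME src=C:\Users\alice\Docs\notes.docx dst=C:\Users\alice\Docs\notes.docx.encrypted
2017-10-24T14:02:03Z ws-17 pid=4132 proc=unknown_update.exe op=RENAME src=C:\Users\alice\Docs\plan.pptx dst=C:\Users\alice\Docs\plan.pptx.encrypted
2017-10-24T14:02:04Z ws-17 pid=4132 proc=unknown_update.exe op=RENAME src=C:\Users\alice\Pictures\1.jpg dst=C:\Users\alice\Pictures\1.jpg.encrypted
2017-10-24T14:02:05Z ws-17 pid=4132 proc=unknown_update.exe op=RENAME src=C:\Users\alice\Pictures\2.jpg dst=C:\Users\alice\Pictures\2.jpg.encrypted
2017-10-24T14:02:09Z ws-17 pid=4132 proc=unknown_update.exe op=RENAME src=C:\Users\alice\Desktop\todo.txt dst=C:\Users\alice\Desktop\todo.txt.encrypted
2017-10-24T14:02:10Z ws-17 pid=4132 proc=unknown_update.exe op=WRITE dst=\\.\PhysicalDrive0 offset=0
2017-10-24T14:05:00Z ws-22 pid=880 proc=backup_agent.exe op=RENAME src=D:\backup\old.zip dst=D:\backup\old.zip.encrypted
this line is not in the expected format
""".strip().splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return a list of alert dicts, at most one mass-rename alert per (host, pid)."""
    alerts = []
    recent = defaultdict(deque)   # (host, pid) -> timestamps of recent .encrypted renames
    already = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["pid"])
        dst = ev["dst"] or ""
        if ev["op"] == "RENAME" and dst.lower().endswith(".encrypted"):
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ("mass-rename", key) not in already:
                already.add(("mass-rename", key))
                alerts.append({"kind": "mass-rename", "host": ev["host"],
                               "pid": ev["pid"], "proc": ev["proc"], "count": len(q)})
        elif ev["op"] == "WRITE" and RAW_DISK_RE.match(dst) and ev["offset"] == "0":
            # A write at offset 0 of a physical disk overwrites the boot record.
            alerts.append({"kind": "boot-record-write", "host": ev["host"],
                           "pid": ev["pid"], "proc": ev["proc"], "device": dst})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rename heuristic keys on (host, pid) rather than on file name alone so that a backup agent legitimately renaming one file does not trip it, and it fires once per process rather than once per file so a real outbreak produces a handful of alerts instead of thousands.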
Here are some general tips to raise your defenses against this sort of outbreak:
Blue Cube Security Ltd
3 More London Riverside,
Tel: 0345 094 3070 / 020 3137 9227
©2017 BLUE CUBE SECURITY LTD. ALL RIGHTS RESERVED.