Bad Rabbit: Price of decryption increases after 40 hours
There is a new ransomware in town, with the purported damage scale of WannaCry and NotPetya.
So far, telemetry from security vendor ESET, shows attacks concentrating in Russia. If there is any similarity to the NotPetya ransomware, which was widely believed to be a state-sponsored attack upon Ukraine, it is that Bad Rabbit has disrupted critical national infrastructure in Ukraine – Odessa International airport, Kiev city’s underground railway, and also the Ministry of Infrastructure.
Bad Rabbit also does not use the EternalBlue vulnerability, another similarity it has with NotPetya. But, it is believed that it scans the internal network for open SMB shares.
In just a matter of hours, over 200 major organisations have been affected by Bad Rabbit which is demanding 0.05 bitcoin (about USD285) as its ransom fee.
Here is the breakdown statistics of the number of times, ESET has seen dropper components, in different countries.
- Russia: 65%
- Ukraine: 12.2%
- Bulgaria: 10.2%
- Turkey: 6.4%
- Japan: 3.8%
- Other: 2.4%
Of note, is that no exploits were used, unlike in the case of Wannacry, and victims have to manually execute a malware dropper, which would be disguised as something legitimate. Kaspersky Lab said, that in this case, it was an Adobe Flash installer.
Once infected, a ransom note displays itself, and directs victims to a Tor onion website to make payment. The price increases after 40 hours.
The Eset press release stated, “It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had a foot inside the network and launched the watering hole attack at the same time as a decoy.”
The press release also seems to want to disprove initial Kaspersky reports that the ransomware used fake Adobe Flash player installers to lure victims.
ESET stated, “Nothing says they fell for the “Flash update”. ESET is still investigating and we will post our findings as we discover them.”