
Bad Rabbit ransomware outbreak hits Eastern European countries first, starts spreading further

Bad Rabbit is the latest ransomware computer users should be aware of. The virus was first spotted on October 24th, and currently it is extremely active and dangerous on a global scale. The first outbreak significantly affected particular countries – reports show that Russia, Ukraine, Turkey and Germany were among the primary targets.

Shortly afterward, the malware spread to Poland and other countries. Experts agree that the new ransomware is not location-based and poses a serious threat to computer users worldwide.

Experts quickly observed similarities between Bad Rabbit and the Petya/NotPetya malware. In fact, malware researchers are debating whether the new ransomware is an updated successor of the wiper virus that shook the online community in June 2017.

There are many reasons to believe that it is: the behavior and technical details of the virus give the immediate impression of an improved, fully working data-encrypting extortion tool.

The modus operandi of Bad Rabbit

The filecoder infects target computers via drive-by attacks. The criminals behind the malware compromised dozens of legitimate websites (mostly Russian and Ukrainian) by injecting JavaScript code into their HTML. Consequently, after visiting such a site, the visitor receives a notification suggesting a new version of Flash Player is available.

If the victim inadvertently or intentionally clicks “Install,” the script triggers a redirect to an external site. As a result, the victim receives an install_flash_player.exe file, which looks like an ordinary executable. Its name suggests that it is related to Flash Player, although it actually carries a malicious payload.

The victim has to launch this file manually in order to run the ransomware. Once executed, it asks for administrative privileges, then drops a malware-laden DLL at C:\Windows\infpub.dat and runs it via the rundll32 process.

Infpub.dat also works as the main ransomware file: it finds and encodes data with the AES-128-CBC and RSA-2048 algorithms. In addition, BadRabbit corrupts partitions on the computer's disks using the DiskCryptor utility.

Finally, the malware modifies the MBR (Master Boot Record) and restarts the computer. As soon as the computer boots, the malware presents a ransom note on the screen. It directs the victim to a .onion website for further details regarding data recovery.
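To make the infection chain above concrete from the defender's side, here is an added example (my own code, not from the article or from any Bad Rabbit analysis it draws on) that scans process-creation log lines for the two host indicators the article names: rundll32 loading C:\Windows\infpub.dat, and a process named install_flash_player.exe appearing in the process tree. The simplified Sysmon-style key=value log format, the sample lines, and the Downloads folder paths are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a simplified Sysmon-style "Key=value" form.
# All four lines are made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    # Browser hands off to the fake Flash installer the victim downloaded and ran.
    "ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "Image=C:\\Users\\alice\\Downloads\\install_flash_player.exe "
    "CommandLine=C:\\Users\\alice\\Downloads\\install_flash_player.exe",
    # The installer drops the DLL and runs it through rundll32 (as the article describes).
    "ParentImage=C:\\Users\\alice\\Downloads\\install_flash_player.exe "
    "Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=C:\\Windows\\System32\\rundll32.exe C:\\Windows\\infpub.dat",
    # Benign rundll32 use: a Control Panel applet launched from Explorer.
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    # Benign: an ordinary vendor tool under Program Files (hypothetical name).
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Program Files\\Vendor\\updater.exe "
    "CommandLine=updater.exe /check",
]

# Matches "Key=value" pairs where the value runs until the next " Key=" or end of line,
# so values containing spaces (e.g. paths under Program Files) stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=value Key2=value' line into a dict of fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the indicators this event matches (empty list = nothing notable)."""
    hits: List[str] = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # Indicator 1: rundll32 executing the dropped DLL path named in the article.
    # Matching on the full path keeps normal rundll32 usage (shell32.dll etc.) out of the alert.
    if image.endswith("\\rundll32.exe") and "\\windows\\infpub.dat" in cmd:
        hits.append("rundll32 loading C:\\Windows\\infpub.dat")

    # Indicator 2: the fake Flash installer file name from the drive-by lure,
    # either as the process itself or as the parent that spawned something else.
    lure = "\\install_flash_player.exe"
    if image.endswith(lure) or parent.endswith(lure):
        hits.append("install_flash_player.exe in process tree")

    return hits


def scan(lines: List[str]) -> List[dict]:
    """Run the indicators over every log line and collect the events that matched."""
    alerts = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        hits = classify(event)
        if hits:
            alerts.append({"line": index, "image": event.get("Image", ""), "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"line {alert['line']}: {alert['image']}")
        for indicator in alert["indicators"]:
            print(f"  - {indicator}")
```

Two of the four constructed lines are flagged; the rundll32 line is the strongest signal because it combines the DLL path with the lure executable as its parent. In a real deployment the same two conditions translate directly into a Sysmon or EDR rule on process-creation events, which is how this stage of the chain is detected independently of file hashes.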

Ways to remove the ransomware and protect your PC from similar attacks

The Virus Activity team suggests using standard ransomware prevention techniques to keep crypto-malware from wreaking havoc on your records. First of all, you should take care of these three tasks:

  • Install reliable anti-malware software;
  • Create a data backup;
  • Enable automatic updates for the software installed on your PC.

Once you have completed these steps, be careful while browsing the Internet and avoid installing software or updates from random websites that try to push them on you. As this case shows, an unexpected prompt to update software can result in a ransomware infection.

To remove Bad Rabbit, you should restart your PC in Safe Mode or perform System Restore. Further details regarding ransomware elimination can be found on sites dedicated to computer security, for instance, 2-Spyware.