Bad Rabbit Ransomware: What It Is, What to Do
UPDATED Oct. 26 with news that the spread of the malware seems to have stopped.
A new ransomware worm dubbed "Bad Rabbit" began spreading across the world Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.
Illustration credit: Arseniy1982/Shutterstock
Bad Rabbit hit corporate networks in Russia and Ukraine especially hard, according to multiple reports, and there were isolated reports of infections in Turkey, Bulgaria, Japan, Germany, Poland, South Korea and the United States by Tuesday evening.
The U.S. Computer Emergency Readiness Team (US-CERT), run by the Department of Homeland Security, issued an alert but did not specify whether any infections had been detected in the U.S.
How to Protect Yourself
All the Windows antivirus software we review at Tom's Guide, including Windows Defender, should be able to detect and stop Bad Rabbit. There also seems to be a way to "vaccinate" a machine, which may be risky. We'll go over that below.
How Bad Rabbit Works
The Bad Rabbit malware enters enterprise networks when a user on network runs a phony Adobe Flash Player installer posted on a hacked website. (Flash Player, both real and fake, is a favorite cybercriminal tool.) The initial infections came from Russian-language news sites, one of which seemed to have been actively infecting visitors even as it reported on the malware outbreak.
Some reports said websites based in Denmark, Turkey and Ireland had also been corrupted with the fake Flash installer.
After it has infected the initial machine in a network, Bad Rabbit uses the open-source tool MimiKatz to find any login credentials stored on the machine, then tries to use those credentials to spread to other machines. It also has a hard-coded list of dozens of the most commonly used passwords.
The Bad Rabbit infection chain, as diagrammed by Trend Micro. Credit: Trend Micro
There were also some indications that BadRabbit uses the NSA's EternalBlue tool, used by both NotPetya and the WannaCry ransomware worm that spread in May, to spread through a local network, although other reports disputed that and said Bad Rabbit simply used stolen and weak passwords to spread.
Once it has spread as far as it can through a network, Bad Rabbit encrypts all files of commonly used Windows Office, image, video, audio, email and archive filetypes on infected Windows machines, using the open-source DiskCryptor utility. It then replaces a PC's Master Boot Record, reboots the machine and posts a ransom note. The victim is instructed to send 0.05 bitcoin (about $280) to a specific Bitcoin wallet.
The Bad Rabbit ransom note. Credit: ESET
The Slovak antivirus company ESET reported that the metro system in Kiev, the Ukrainian capital, and the main airport in Odessa, another large Ukrainian city, had been hit by the ransomware.
Game of Thrones fans may be bemused to learn that three routines carried out by the malware are named Drogon, Rhaegal and Viserion, after three dragons in the series. Part of the installer is called Gray Worm, the name of a military commander in the series.
How to 'vaccinate' your computer against Bad Rabbit
Amit Serper, a malware researcher at Cybereason, said on Twitter that he'd found a way to immunize a computer against Bad Rabbit infection.
"Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat - remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)" Serper tweeted.
You'll need administrator rights on a Windows machine to do this, and you'll need to know how to set up both files so that NO users have read, write or execute permissions. To make it easier, one of Serper's colleagues at Cybereason posted instructions to walk you through the process.
We haven't tried out Serper's method ourselves, and while we can vouch for his character — he's a well-known and well-respected malware researcher — you'll be doing this at your own risk.
UPDATE Oct. 26: We finally tried Serper's vaccination method and, while we didn't download and install a copy of Bad Rabbit to see if we were protected, we can happily report that the procedure seems to have had no ill effect upon our Windows 10 machine.
Meanwhile, the Bad Rabbit infection spread seems to have stopped, or at least slowed to a crawl. Symantec reported that the vast majority of Bad Rabbit infections occurred within a couple of hours on Tuesday, and on Wednesday, multiple security firms reported that Bad Rabbit's distribution and control websites had been taken offline.
There were indications that the perpetrators were the same as those behind the NotPetya attacks upon Ukrainian businesses in May, but as with all possibly state-sponsored malware, attribution is never certain.
For the moment, our recommendations remain the same — install and run good antivirus software, which will stop Bad Rabbit infection. Following Amit Serper's inoculation procedure doesn't seem to hurt either.