Behind paralyzed servers in Eastern Europe - Bad Rabbit ransomware

Bad Rabbit ransomware used in global cyber attack: Ukraine, Russia among first targets

There are still many unanswered questions about BadRabbit ransomware

You would hardly have missed the breaking news about the latest ransomware outbreak, which occurred on October 24. Not only does the name of the virus suggest its naughty character, the source code delivers peculiar details as well. The cyber world's attention is now focused on Bad Rabbit (Diskcoder.D) ransomware.

Bad Rabbit malware had the biggest impact on the eastern part of Europe – Ukraine and Russia. Nonetheless, Turkey, Bulgaria, and Germany[1] also reported cases of the ransomware. Considering the wide range of the attack, the ransom price is quite small – 0.05 bitcoin (approximately $280).

The new ransomware attracted attention when it managed to break into major media corporations and Ukraine’s airport system and paralyzed them. The malware displayed its verdict on the computer screen – Petya’s ransom note[2]. Though it rips off the ransom note from the notorious ransomware, the source code and operational details are different.

References to Game of Thrones characters

One of the distinctive features of the Bad Rabbit virus is its ability to exploit certain SMB vulnerabilities. Victims are also diverted to a malicious site, hxxp://1dnscontrol.com/flash_install.ph[3], which suggests installing a fraudulent Flash Player.

If users run install_flash_player.exe, the malware drops the file C:\Windows\infpub.dat. The latter then creates two additional files which assist in completing the BadRabbit hijack. The malware also uses an executable taken from the free DiskCryptor encryption tool.

Interestingly, the malware launches further commands which include direct references to the three dragons from the Game of Thrones series: Rhaegal, Drogon, and Viserion[4].

Besides encrypting data, the malware also modifies the Master Boot Record (MBR), which only makes the infection more troublesome to deal with.

Prevention measures

Thanks to the joint efforts of the cybersecurity community, the menacing malware is already detectable by most security applications[5]. What you can do is:

  • install latest Windows updates
  • update your anti-virus, anti-malware, and other security apps
  • do not download any Flash Player updates from random websites

Though at the moment Bad Rabbit targets only selected companies in Russia and Ukraine, it would be perilous to think that it will avoid other countries and ordinary users. It is still unknown what specific Windows vulnerabilities it exploits to break into servers.

Even if you happen to be an employee at a company in either of the above-mentioned countries, pay attention to the name of the website which urges you to update Flash Player. A Flash Player update promoted on random pages is most likely bait.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
