A third ransomware attack is on the rise and has already reached Brazil. After the global cases involving WannaCry and ExPetr, which some experts also call Petya and NotPetya, the new malware that blocks computer data is Bad Rabbit. According to Kaspersky, the name appears on a darknet website linked to the virus, alongside a ransom note demanding payment in bitcoin (common in ransomware cases).
The campaign began in Russia and Ukraine and gained momentum on Tuesday (24), causing delays at the Ukrainian airport in Odessa and affecting several media outlets in Russia, including the news agency Interfax and Fontanka.ru. Hours later, it affected the metro system in Kiev, Ukraine, which prompted an alert for other mass-transit services and financial companies in the region.
The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as a ransom, which is about $280 at the current cryptocurrency exchange rate. As in other cases, the virus uses a countdown timer to pressure the victim to pay the ransom as soon as possible. There is no guarantee, however, that the attackers will release the data on the PC once the requested amount is paid in bitcoin.
BadRabbit Ransomware – Photo: Disclosure / Kaspersky
In Brazil, companies in the communications sector and other areas warned of the presence of ransomware this Wednesday morning (25). According to analysis by Kaspersky, a Russian antivirus manufacturer, the attack does not use exploits. It’s a drive-by attack: victims download a fake Adobe Flash Player installer from infected websites and manually launch the .exe file, infecting their PCs.
It is worth noting that this attack works on Windows computers. Adobe, however, has already announced the end of Flash Player for 2020. In its place, HTML5 technology has been used.
That is, if you go to a website that requests Flash update to watch a video or have access to some content, do not do it via pop-ups from the website itself. You can find out if you are using the latest version on Adobe’s website and obtain a safe and original Flash download if you need to use it.
When you click the «Install» button, the download of an executable file starts. This file, found as install_flash_player.exe, is what causes your data to be blocked on the machine.
Distorted pop-up asks for update with fake Flash – Photo: Disclosure / ESET
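The advice above can be turned into a check over web proxy logs: flag any successful download of a file named install_flash_player.exe that did not come from Adobe's own domain. This is an added example, not code from Kaspersky or ESET; the log format, the sample lines and the single-entry allowlist (adobe.com) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: Adobe's own site is the only trusted origin, as the article advises.
TRUSTED_SUFFIXES = ("adobe.com",)
LURE_NAME = "install_flash_player.exe"  # file name given in the article

# Constructed sample lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2017-10-25T09:12:01Z 10.0.0.21 GET http://get.adobe.com/flashplayer/install_flash_player.exe 200
2017-10-25T09:13:44Z 10.0.0.35 GET http://news.example/update/install_flash_player.exe 200
2017-10-25T09:14:10Z 10.0.0.35 GET http://adobe.com.updates.example/Install_Flash_Player.EXE?v=1 200
2017-10-25T09:15:02Z 10.0.0.40 GET http://news.example/index.html 200
2017-10-25T09:16:30Z 10.0.0.52 GET http://cdn.example/install_flash_player.exe 404
malformed line
"""


def is_trusted(host):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Matching on "." + suffix rejects lookalikes such as adobe.com.updates.example
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_fake_flash_downloads(log_text):
    """Return (timestamp, client, host) for each completed untrusted download."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, status = parts
        parsed = urlsplit(url)
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename != LURE_NAME or status != "200":
            continue  # different file, or the download did not complete
        if not is_trusted(parsed.hostname):
            hits.append((ts, client, parsed.hostname))
    return hits


if __name__ == "__main__":
    for ts, client, host in find_fake_flash_downloads(SAMPLE_LOG):
        print(f"{ts} {client} downloaded {LURE_NAME} from untrusted host {host}")
```

Each hit identifies a client that fetched the installer; whether the user then launched it has to be confirmed on the endpoint.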
«Our researchers detected a number of compromised sites, all news or media sites,» says the document published by Kaspersky. The security company, however, does not yet have information on the possibility of recovering files encrypted by the Bad Rabbit ransomware virus – either by paying the ransom or using a flaw in the malware code.
Kaspersky says that, for the time being, most of the victims of Bad Rabbit are in Russia. Similar attacks were also seen, albeit to a lesser extent, in Ukraine, Turkey and Germany. The antivirus maker also says the attack is aimed at corporate networks, using methods similar to those used in ExPetr, including part of the code.
PC screen blocked after installing fake Flash – Photo: Disclosure / ESET
According to ESET, Russia had more than half of the victims this morning, followed by Ukraine, Bulgaria, Turkey and also Japan. The manufacturer of NOD32 has also released a list of affected sites that should be avoided.
- Russia: 65%
- Ukraine: 12.2%
- Bulgaria: 10.2%
- Turkey: 6.4%
- Japan: 3.8%
- Others: 2.4%
List of sites affected by Bad Rabbit that suggest fake Flash
Information on propagation methods is still confusing. There are reports that the malware uses the same EternalBlue flaw to spread – which would make it closer to WannaCry and Not-Petya. Others claim that the virus attempts access via shares, using a predefined list of users and default passwords, obtained through Mimikatz. It is certain, however, that the malware uses DiskCryptor, a legitimate and open source software for full disk encryption.
Kaspersky suggests disabling Windows WMI to prevent network infections.