The U.S. government has issued a warning about a new ransomware attack that spread through Russia and Ukraine and into other countries around the world.
Cybersecurity experts said the ransomware — which posed as an Adobe update before locking down computers and demanding money for people to get their files back — targeted Russian media companies and Ukrainian transportation systems. It has also been detected in other countries including the U.S., Germany and Japan.
Dubbed “Bad Rabbit,” the virus is the latest example of cybercriminals using ransomware to try to extort money from victims across the globe. Two major international attacks earlier this year — NotPetya and WannaCry — caused widespread disruption affecting businesses, government institutions and hospitals.
When Bad Rabbit infects a computer, it seizes files and demands a ransom. Experts and government agencies advise victims not to pay up, warning that there’s no guarantee they will get their files back.
On Tuesday, the virus attacked Russian media groups Interfax and Fontanka, and transportation targets in Ukraine including Odessa’s airport, Kiev’s subway and the country’s Ministry of Infrastructure, according to Russian cybersecurity firm Group-IB. Interfax confirmed its servers had gone down due to a cyberattack.
Most of the victims were located in Russia, but attacks were also observed in Ukraine, Turkey, and Germany. Cybersecurity firm ESET also identified cases of Bad Rabbit in Japan and Bulgaria. Another company, Avast, says the ransomware has been detected in the U.S., South Korea and Poland.
Virus used popular malware trick
The Bad Rabbit ransomware infiltrated computers by posing as an Adobe Flash installer on compromised news and media websites. It serves as a reminder that people should never download apps or software from pop-up advertisements or websites that don’t belong to the software company.
ESET says once the ransomware infected a machine, it scanned the network for shared folders with common names and attempted to steal and exploit user credentials to get on other computers.
According to malware researcher James Emery-Callcott, the ransomware campaign is slowly dying down.
“As far as I can see, the attacker’s server is no longer live and most of the infected sites hosting the script that gives the Flash update prompt” have fixed the issue, he said. “Fake Flash updates are an incredibly popular method of distributing malware these days. Hopefully people will start to realize that when you get an unsolicited Flash update, it’s generally going to be bad.”
Researchers say Bad Rabbit doesn’t use EternalBlue, the Windows exploit that was leaked in a batch of hacking tools believed to belong to the U.S. National Security Agency. The NotPetya and WannaCry ransomware attacks did use EternalBlue.
Many antivirus products, including Windows Defender, detect Bad Rabbit. A researcher from Cybereason discovered a “vaccine” that the company said can protect machines from infection.
So what now?
Hoola Tech is working on a solution to the Bad Rabbit virus. If you feel that your network has been exposed to the virus, contact us immediately.
Remember to not download files or software updates from pop-ups or web pages that don’t belong to the software company. Do not click on suspicious sites or links. Our team is ready to provide protection and recovery services for your network.
To read the original Bad Rabbit article, click here.