Just a few months back, WannaCrypt crippled the world with fear. Now a new ransomware has spread across Europe and a few other regions. The new ransomware is called Bad Rabbit. It brute-forces NTLM logon credentials on Windows hosts and uses exploits to gain access, and once it is running as NT AUTHORITY\SYSTEM it encrypts your files.
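The NTLM brute-forcing mentioned above leaves a trace on the receiving host: a burst of Security event 4625 (failed logon) records with LogonType 3 (network) and AuthenticationPackageName NTLM from a single source, spread across many account names. The following is an added example, not code from the original article or from any vendor; it flags such bursts. The $events below are constructed for the example, and the thresholds (MinFailures, MinAccounts, WindowMinutes) are assumptions to tune per environment.

```powershell
# Added example (not from the original article): detect NTLM logon brute-forcing
# from Windows Security event 4625 records. Field names follow the 4625 event's
# own EventData names; the input below is constructed for the example.

$events = @(
    # One source hitting several accounts within a few seconds (constructed).
    [pscustomobject]@{ Time='2017-10-24T11:00:01'; TargetUserName='Administrator'; IpAddress='10.0.0.7';  LogonType=3; AuthenticationPackageName='NTLM' },
    [pscustomobject]@{ Time='2017-10-24T11:00:02'; TargetUserName='Admin';         IpAddress='10.0.0.7';  LogonType=3; AuthenticationPackageName='NTLM' },
    [pscustomobject]@{ Time='2017-10-24T11:00:02'; TargetUserName='Guest';         IpAddress='10.0.0.7';  LogonType=3; AuthenticationPackageName='NTLM' },
    [pscustomobject]@{ Time='2017-10-24T11:00:03'; TargetUserName='User';          IpAddress='10.0.0.7';  LogonType=3; AuthenticationPackageName='NTLM' },
    [pscustomobject]@{ Time='2017-10-24T11:00:04'; TargetUserName='backup';        IpAddress='10.0.0.7';  LogonType=3; AuthenticationPackageName='NTLM' },
    [pscustomobject]@{ Time='2017-10-24T11:00:05'; TargetUserName='root';          IpAddress='10.0.0.7';  LogonType=3; AuthenticationPackageName='NTLM' },
    # Benign noise: an interactive typo and a single Kerberos failure (constructed).
    [pscustomobject]@{ Time='2017-10-24T11:03:10'; TargetUserName='alice';         IpAddress='127.0.0.1'; LogonType=2; AuthenticationPackageName='Negotiate' },
    [pscustomobject]@{ Time='2017-10-24T11:04:00'; TargetUserName='svc-backup';    IpAddress='10.0.0.9';  LogonType=3; AuthenticationPackageName='Kerberos' }
)

function Find-NtlmSpray {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinFailures   = 5,   # assumed threshold
        [int]$MinAccounts   = 3,   # many distinct accounts = a credential list, not one user mistyping
        [int]$WindowMinutes = 5    # assumed threshold
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 -and $_.AuthenticationPackageName -eq 'NTLM' } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $sorted   = $_.Group | Sort-Object { [datetime]$_.Time }
            $span     = ([datetime]$sorted[-1].Time - [datetime]$sorted[0].Time).TotalMinutes
            $accounts = @($sorted.TargetUserName | Sort-Object -Unique)
            if ($_.Count -ge $MinFailures -and $accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Source           = $_.Name
                    Failures         = $_.Count
                    DistinctAccounts = $accounts.Count
                    Accounts         = ($accounts -join ',')
                    Minutes          = [math]::Round($span, 1)
                }
            }
        }
}

# With the constructed input only 10.0.0.7 is reported; the interactive and
# Kerberos failures are filtered out before grouping.
Find-NtlmSpray -Events $events | Format-Table -AutoSize
```

On a live host, build $events from the event log instead of the constructed array, for example with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` and the EventData fields read out of `([xml]$_.ToXml())`. Filtering on LogonType 3 and NTLM before grouping is what keeps ordinary interactive typos out of the result; a source that fails against many different accounts in a short window is the pattern of a hardcoded credential list being tried, not of a single user.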
So what happens after being a victim?
Victims of this ransomware have been tweeting screenshots and reporting that legitimate news websites redirected them to a malicious site; the ransom payment page itself is hosted on the Tor darkweb. Users are prompted to install the malware through adware-style lures, disguised as legitimate software updates or tools. After installation the files are encrypted and the attackers demand 0.05 BTC (about $280 at the time) to regain access to the encrypted files.
Kaspersky Lab has identified almost 200 targets in Turkey and Germany.
What happens after the malware is installed?
Once a user has been redirected to a site hosting the malware and has run the installer, the malicious DLL is saved as C:\Windows\infpub.dat, which in turn installs the malicious executable files. The ransomware also installs a modified bootloader, so victims lose access to the entire computer at boot, not just to the encrypted files.
“What’s more, [infpub.dat] acts as a typical file-encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them using the criminal’s public RSA-2048 key,” said researchers at Kaspersky Lab.
A tweet by Group-IB shows a countdown timer displayed alongside the on-screen message. Victims have around 40 hours to pay; once the timer expires, the ransom increases.
Interfax, a major Russian news agency, tweeted that its systems had been affected. The Ukrainian Computer Emergency Response Team said Odessa Airport was also hit. There are also reports of Bad Rabbit attacks in Germany, Turkey, Poland, Bulgaria and South Korea.
Vaccination for the Ukraine round 2? Wanna stop #badrabbit?
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now… pic.twitter.com/3MSSH8WKPb
— Amit Serper (@0xAmit) October 24, 2017
Initially, few security products were capable of stopping the outbreak: a sample of the malware uploaded to the analysis service VirusTotal showed just four products correctly flagging it as malicious as of 4:30pm on Tuesday, including ones made by Kaspersky and Symantec. By then, the outbreak was well and truly underway. As of Wednesday morning, almost two thirds of updated security products correctly identified the malware.
Users without working antivirus protection can also reportedly protect themselves with a “vaccine”: creating C:\Windows\infpub.dat with all write permissions removed before the malware does, so the dropper cannot write its DLL to that path. Note that this only stops this particular sample from dropping its payload; it does not stop the fake installer from running, and a variant that writes to a different path would not be affected.
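The vaccine, as an added example that is not code from the original post or from any vendor's tool. It implements what the tweet above describes: pre-create the path this sample writes its DLL to, cut the file off from the inherited C:\Windows ACL and leave it with an empty DACL, so the dropper's attempt to create or write the file fails. The file name is the one quoted in the article; the function names, the empty-DACL approach and the rollback helper are this example's own choices. It assumes an elevated PowerShell session on the host being protected.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Pre-creates the file Bad Rabbit
# drops and strips every access-control entry from it ("remove all write
# permissions" in the tweet), then verifies the result. Function names and the
# empty-DACL approach are this example's own choices.

function Protect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Zero-byte placeholder; the malware expects to create this path itself.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from C:\Windows and discard the inherited ACEs
    # (second argument $false = do not copy them down as explicit ACEs).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs that remain. An empty protected DACL grants nothing
    # to anyone, including SYSTEM, until someone takes ownership and rewrites it.
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }   # still inheriting from C:\Windows
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    # Any Allow ACE carrying a write-class right means the vaccine is not in place.
    $grantsWrite = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeRights) -ne 0)
    })
    return ($grantsWrite.Count -eq 0)
}

function Remove-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # Rollback: the empty DACL blocks even administrators, so take ownership and
    # re-enable inheritance before deleting.
    takeown.exe /F $Path | Out-Null
    icacls.exe $Path /inheritance:e | Out-Null
    Remove-Item -LiteralPath $Path -Force
}

$vaccine = 'C:\Windows\infpub.dat'
Protect-VaccineFile -Path $vaccine
if (Test-VaccineFile -Path $vaccine) {
    "Vaccine in place: $vaccine"
} else {
    "Vaccine NOT applied: $vaccine (check that the session is elevated)"
}
```

Test-VaccineFile is the check worth keeping around: it fails both when the file is missing and when inheritance from C:\Windows was never broken, which is the usual mistake when the ACL is edited by hand. The published version of this vaccine was later extended to a second file, C:\Windows\cscc.dat; the same functions apply to that path unchanged. As the article notes, this blocks only this sample's write to a known path and nothing else about the infection chain.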