No other malware on the market puts users at such a disadvantage as ransomware. Several attacks including WannaCry and Petya have crippled entire countries from government to private businesses. Recently, a new wave of malware named Bad Rabbit has spread across Europe, Russia, Ukraine, Turkey and Germany. Bad Rabbit has its own payload, but it works similarly to Petya.
How the Malware Infects Computers
The attack stems from what is called a “drive-by” software download. You’ve probably run into one if you’ve ever seen popups for Adobe Flash. These popups tell users that they need to install the latest version of Adobe Flash to see a video, or they redirect users to another site where they download an unofficial copy of Flash. The download isn’t Adobe Flash at all. Instead, it’s an imposter that has malware attached to it.
Although the attack and payload are very similar to Petya, users must download and install the malware themselves, which would make it seem harder for attackers to spread it. However, Bad Rabbit made its way through these countries within only a few hours, which means that users are still susceptible to malicious downloads. The Adobe Flash drive-by attack is nothing new, and users still haven’t learned to tell official downloads from the Adobe domain apart from downloads on a third-party site masquerading as a Flash upgrade.
Bad Rabbit uses DiskCryptor, which is legitimate open-source software that can be downloaded and used to encrypt your hard drive. It uses RSA-2048 keys, so it’s unlikely that any security researchers will be able to crack the key and help users recover their files. The only option you have is to pay the ransom, but there is no guarantee that the attackers will return a key after receiving it.
How Can Businesses Protect Themselves?
You can filter which websites employees can access, but drive-by popups can be added to any site. The best defense is to educate users and help them spot the red flags. In the case of Bad Rabbit, users should know that they should never download software from an unofficial source. Adobe has deprecated Flash and will discontinue it as of 2020.
Businesses should also monitor their network for malicious behavior. That means not only deploying traditional intrusion detection systems but, more importantly, deriving intelligence from what those systems record so that the wider impact of a potential breach can be addressed. In many cases, this type of malware can be further suppressed when users are educated and proper controls are in place to help mitigate the risks internally.
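The two defensive points above, recognising a download that does not come from the vendor’s own domain and turning network monitoring into something actionable, can be combined into a small detection check. The following Python is an added example written for this page, not code from the article or from any vendor product. It assumes a simple space-separated web-proxy log format, an allow-list containing only adobe.com (extend it for your own environment), and the constructed sample log lines embedded below; the hostnames and installer filenames in those lines are made up for illustration. It flags completed downloads of installer-like files whose path mentions Flash but whose host is outside the allow-list, and it handles the lookalike tricks a fake-update page relies on (a domain that merely starts with the vendor name, a user-info prefix before an “@”, mixed case, a trailing dot).

```python
"""Added example (not from the original article): flag suspicious "Flash update"
downloads in web-proxy logs. The log format and all sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Domains treated as the only legitimate source of Flash installers.
# The allow-list itself is an assumption; extend it for your environment.
OFFICIAL_DOMAINS = ("adobe.com",)

# Extensions that indicate a downloaded installer rather than a web page.
INSTALLER_EXTENSIONS = (".exe", ".msi", ".dmg", ".zip")

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_official_download_host(url: str) -> bool:
    """True only if the URL's host is an allow-listed domain or a subdomain of one.

    urlsplit().hostname already strips user-info ("adobe.com@evil.example") and
    the port and lower-cases the result; a trailing dot is removed explicitly.
    A host that merely starts with the vendor name ("adobe.com.evil.example")
    fails because the check requires an exact match or a "." boundary.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def looks_like_flash_installer(url: str) -> bool:
    """True if the path names an installer-like file that mentions Flash."""
    path = urlsplit(url).path.lower()
    return "flash" in path and path.endswith(INSTALLER_EXTENSIONS)


def find_fake_flash_downloads(log_lines):
    """Return (client, url) pairs for successful Flash-installer downloads
    served from hosts outside the allow-list; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("status") != "200":
            continue  # unparsable line, or the download never completed
        url = m.group("url")
        if looks_like_flash_installer(url) and not is_official_download_host(url):
            hits.append((m.group("client"), url))
    return hits


# Constructed sample lines: one vendor download, three lookalike hosts,
# one blocked attempt (403) and one unrelated page view.
SAMPLE_LOG = [
    "2017-10-24T10:01:02Z 10.0.0.12 GET https://get.adobe.com/flashplayer/download/flash_player_update.exe 200",
    "2017-10-24T10:03:15Z 10.0.0.17 GET http://adobe.com.example-updates.net/flash_player_update.exe 200",
    "2017-10-24T10:04:40Z 10.0.0.21 GET http://adobe.com@cdn-update.example/files/install_flash.exe 200",
    "2017-10-24T10:05:05Z 10.0.0.30 GET http://mirror.example/downloads/flashplayer.zip 403",
    "2017-10-24T10:06:11Z 10.0.0.33 GET https://news.example/article/flash-deprecated.html 200",
    "2017-10-24T10:07:59Z 10.0.0.40 GET HTTP://UPDATES.EXAMPLE/Flash_Setup.msi 200",
]

if __name__ == "__main__":
    for client, url in find_fake_flash_downloads(SAMPLE_LOG):
        print(f"ALERT {client} fetched a Flash-like installer from an unofficial host: {url}")
```

Run against the sample log, the three lookalike downloads (clients 10.0.0.17, 10.0.0.21 and 10.0.0.40) are reported, while the genuine get.adobe.com download, the blocked attempt and the HTML page are not. The point of keying on the host rather than on the filename alone is the one the article makes: the installer name is exactly what the imposter copies, so it is the origin, not the label, that separates a real update from a drive-by.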