IT Professionals this morning woke to the news that a new form of Ransomware is doing the rounds and is causing enough damage to get vendors (who still
provide signature-based detection without behaviour-based analytics) scrambling to release extra DAT files to prevent infection.
The Ransomware, dubbed BadRabbit, was initially detected in Russia and the Ukraine; however, there may also be instances of the infection spreading
to Turkey, Bulgaria, Poland and South Korea and beyond, which means it's only a matter of time before it hits these shores, if it hasn't already!
BadRabbit falsely claims to be an update to Adobe Flash to trick people into installing it.
A Russian Digital Forensics company was the first to identify BadRabbit, and they observed that it was pushed out to people who visited hacked media websites.
The identified infected websites are as follows…
This list obviously isn’t exhaustive.
Once up and running, it uses the Mimikatz tool to extract file server login credentials from the computer's memory; the same tool was used by NotPetya earlier.
Once it has access to a system's files, the malware modifies the master boot record on the boot drive and reboots the computer, but rather than starting
the OS it instead shows the user a message telling them their files are encrypted.
To decrypt the files, the user needs to buy a password from a .onion website hidden in the Tor network using crypto-coins.
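As an added defender-side illustration (this is not code from the ITB post or from McAfee): a small Python check that fingerprints the first sector of the boot drive and compares it with a baseline copy you captured while the machine was known good, so a rewritten boot code region of the kind described above is flagged while the partition table is reported separately. It assumes the Windows device path `\\.\PhysicalDrive0`, administrator rights for the live read, and the two constructed sample sectors at the bottom.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8    # boot code occupies bytes 0..0x1B7 of the MBR
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries start here
BOOT_SIG_OFF = 0x1FE     # the last two bytes must be 0x55 0xAA

def fingerprint_mbr(sector: bytes) -> dict:
    """Hash the region a bootkit typically rewrites (boot code) separately
    from the region it usually leaves intact (partition table)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return {
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
    }

def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    cur, base = fingerprint_mbr(current), fingerprint_mbr(baseline)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code"] != base["boot_code"]:
        findings.append("boot code region modified")
    if cur["partition_table"] != base["partition_table"]:
        findings.append("partition table modified")
    return findings

def read_mbr_windows(drive: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of the boot drive (assumed path; needs administrator rights)."""
    with open(drive, "rb") as disk:
        return disk.read(SECTOR_SIZE)

# Constructed samples: a made-up "known good" MBR, and a copy whose boot code
# has been overwritten while the partition table and signature are left alone.
BASELINE = (bytes(range(256)) * 2)[:BOOT_SIG_OFF] + b"\x55\xAA"
TAMPERED = b"\x90" * BOOT_CODE_END + BASELINE[BOOT_CODE_END:]

if __name__ == "__main__":
    print(compare_to_baseline(TAMPERED, BASELINE))  # ['boot code region modified']
```

Store the baseline sector somewhere the malware cannot reach (not on the same disk) and run the comparison from a scheduled task or your EDR's scripting hook.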
To help prevent infection, ITB Partner McAfee have released a one-off DAT file.
We are in the process of contacting all of our customers to inform them of the threat, and where possible providing practical advice on how to stay safe.
If you would like to receive a copy of the McAfee DAT file contact us on 01865 595510.