Bad Rabbit ransomware: Everything you need to know

What is the Bad Rabbit ransomware?

The Bad Rabbit ransomware is a piece of malware that encrypts the user’s device until a ransom is paid. In 2017, this device-encrypting virus hit critical infrastructure in Europe, such as Ukraine’s Odesa International Airport, news agencies, and private companies. In a couple of months, this cyber extortion attack targeted devices in Germany, Ukraine, Russia, Bulgaria, Turkey, Japan, and the U.S.

Bad Rabbit spread through a drive-by download, a malicious tactic where users unknowingly downloaded malware simply by visiting a compromised website. In this case, some popular websites were infected by injecting malicious Javascript into their HTML body or into one of the .js files. However, once the device was infected, the ransomware used vulnerabilities in Microsoft Windows to spread across the network. We’ll come back to how Bad Rabbit works a bit later.

Who created Bad Rabbit?

Even after several years since its discovery, the attackers or the creators of the malware haven’t been identified. Some cyber researchers suggested that the malware is connected to the group that used NotPetya ransomware because these two pieces of malware exhibit some similarities. However, this theory is challenged by the fact that NotPetya is linked to Russian state-funded groups, while a large number of Bad Rabbit ransomware targets were objects in Russia.

The only confirmed detail was their apparent fondness for Game of Thrones. Some researchers have noticed that the malware code contains references to Grey Worm and Daenerys’ dragons – characters from the popular TV series.

Bad Rabbit vs. NotPetya

As we’ve mentioned, Bad Rabbit shares similarities with NotPetya, a ransomware that hit Windows computers in Europe and the U.S. around the same time as Bad Rabbit.

These pieces of malware are built in a similar way, and they share the region where most of the targets are located.

However, they also have significant differences, such as the different code bases. But even their attack methods differ. NotPetya used Eternal Blue, the Windows exploit leaked from the NSA (National Security Agency), to spread across company devices and networks automatically, destroying everything in its path. Bad Rabbit used infected websites for drive-by downloads — the user was prompted to update their Adobe Flash Player and had to confirm it for the infection to be successful.

How does the Bad Rabbit ransomware work?

So, what does the Bad Rabbit ransomware actually do? Like all ransomware, it locks your computer and demands you pay a ransom to get access back. Let’s look closer at how this attack worked:

1. Attackers find a vulnerable website and inject malicious code into it.
2. The user visiting the infected website is prompted to download a fake Adobe Flash Player update.
3. If the user accepts, a file named install_flash_player.exe is downloaded to the user’s device.
4. If the user opens the file, the malware downloads the remaining parts of the virus and executes it.
5. First, Bad Rabbit shuts off active security processes and downloads DiskCryptor, an encryption program.
6. Then, it schedules the execution of the main payload on the next computer restart and restarts the device.
7. After the computer restarts, Bad Rabbit starts encrypting files. At the same time, it’s looking for a predefined set of vulnerabilities to spread to other devices via the network.
8. Lastly, it installs its own bootloader and restarts the computer to display the ransomware note.

Generally, Bad Rabbit ransomware demanded 0.05 Bitcoin (around $250 at that time) to be paid within 40 hours, or the ransom would double in size. It’s interesting that the demands of the Bad Rabbit ransomware were some of the lowest, whereas other attackers demanded hundreds of thousands and even millions of dollars in Bitcoin.

What systems are vulnerable to Bad Rabbit?

Bad Rabbit ransomware primarily targeted Windows systems because several known vulnerabilities allowed it to spread across the network. For example, it exploited the Windows SMB protocol, which was also a target in other infamous ransomware attacks such as WannaCry and NotPetya.

The most vulnerable systems were those that were not updated, used unsupported Windows versions, such as XP or Vista, and lacked strong security measures.

Signs of a Bad Rabbit attack

Unlike stealthy viruses, ransomware is “fast” and “loud.” If your device is ever infected, you’re bound to find out pretty quickly. Usually, it’ll display a ransom note. While the Bad Rabbit ransomware directed its victims to a Tor website to find the instructions on how to pay the ransom, other notes may be different. For example, some attackers may pretend to be law enforcement agents who seized your computer because you did something unlawful.

One similarity is that all ransomware demands a ransom, often in Bitcoin. The note will probably include instructions on how to buy and send Bitcoin or, like Bad Rabbit, simply display a link with more details.

How can you prevent a Bad Rabbit Ransomware attack?

To stop Bad Rabbit in 2017, the best defense was keeping your software up to date. After updating the software yourself, you would have easily recognized the fake Adobe Flash Player update. Not to mention that updating software also fixes known vulnerabilities and prevents ransomware, like Bad Rabbit, from exploiting your system.

Preventing ransomware requires you to stay much more vigilant because the rate and scope of these attacks have risen significantly in the last few years. Protecting your devices includes double-checking links and attachments, creating regular backups, and using additional security tools, such as a VPN. Of course, you should also keep your system up to date.

What should you do if you experience a Bad Rabbit ransomware attack?

It’s hard to say if Bad Rabbit would use the same attack techniques now. But if it ever resurfaces, be wary of websites telling you to update your software. Similar notifications may mention winning the lottery or being responsible for a crime. The key is to stay calm. If you think you’re experiencing a Bad Rabbit attack, disconnect your computer from the internet first, use your smartphone to look for news about Bad Rabbit’s resurgence, and call cybersecurity professionals to help you clean your computer.