When news broke of the third major ransomware outbreak of the year, there was a lot of confusion. Now that the dust has settled, we can dig into what exactly “Bad Rabbit” is.
According to media reports, many computers have been encrypted in this cyber-attack. Public sources have confirmed that the Kiev Metro’s computer systems and Odessa airport, as well as numerous other organizations in Russia, have been affected. The malware used in this cyber-attack is “Disk Coder.D” – a new variant of the ransomware popularly known as “Petya”. The previous cyber-attack by Disk Coder caused damage on a global scale in June 2017.
ESET’s telemetry system has reported numerous occurrences of Disk Coder.D in Russia and Ukraine; however, there are also detections of this cyber-attack on computers in Turkey, Bulgaria and a few other countries.
A comprehensive analysis of this malware is currently being carried out by ESET’s security researchers. According to their preliminary findings, Disk Coder.D uses the Mimikatz tool to extract credentials from affected systems. Their analysis is ongoing, and we will keep you informed as soon as further details are revealed.
The ESET telemetry system also shows that Ukraine accounts for only 12.2% of the total number of Bad Rabbit infiltrations observed. The remaining statistics are as follows:
This is the distribution of countries compromised by Bad Rabbit. Interestingly, all these countries were hit at the same time, so it is quite likely that the group already had a foothold inside the networks of the affected organizations.
It’s definitely ransomware
Those unfortunate enough to fall victim to the attack quickly realized what had happened, because the ransomware isn’t subtle – it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”. Victims are directed to a Tor payment page and presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the fee for decrypting files is 0.05 bitcoin – around $285. Those who don’t pay before the timer reaches zero are told the fee will go up and they’ll have to pay more. The encryption uses DiskCryptor, which is legitimate open-source software for full-drive encryption. Keys are generated using CryptGenRandom and then protected with a hardcoded RSA 2048 public key, so they can only be recovered by whoever holds the matching private key.