What exactly is Bad Rabbit?
First detected by Kaspersky Lab, Bad Rabbit isn’t an exploit-driven attack but a drive-by one: compromised websites serve fake Adobe Flash installers. Once a user downloads the installer and runs it manually, they are infected by the ransomware, which proceeds to encrypt the files stored on the computer.
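Because the infection described above depends on the user fetching and running a bogus Flash installer, the web proxy or gateway log is the earliest place a defender can see it. The following is an added example (not code from the article or from Kaspersky Lab) that scans proxy log lines for successful downloads of an executable whose name references Flash from any host that is not under a trusted installer domain. The log format, the sample lines, the hostnames and the file names are all constructed for this example; the page gives no indicator names, so the filename pattern is a generic assumption rather than a known Bad Rabbit artefact.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines. Hypothetical format:
#   <timestamp> <client-ip> <url> <http-status> <bytes>
SAMPLE_PROXY_LOG = """\
2017-10-24T10:01:12Z 10.0.0.15 http://news.example-media.test/install_flash_player.exe 200 410112
2017-10-24T10:01:40Z 10.0.0.22 https://get.adobe.com/flashplayer/download/ 200 5120
2017-10-24T10:02:03Z 10.0.0.31 http://cdn.example-news.test/img/logo.png 200 2048
2017-10-24T10:02:55Z 10.0.0.15 http://static.example-portal.test/flashplayer_update.exe 200 398221
"""

# Domains from which a genuine Flash installer would be expected (assumption for this example).
TRUSTED_INSTALLER_DOMAINS = ("adobe.com",)

# Executable in the URL path whose name mentions "flash" (generic heuristic, not a known IoC).
FLASH_EXE_RE = re.compile(r"flash[^/]*\.exe$", re.IGNORECASE)


def is_trusted_host(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_INSTALLER_DOMAINS)


def parse_line(line):
    """Parse one log line of the hypothetical format; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, url, status, size = parts
    try:
        return {"ts": ts, "client": client, "url": url,
                "status": int(status), "bytes": int(size)}
    except ValueError:
        return None


def find_suspect_installers(log_text):
    """Return (client, host, filename) for completed downloads of a Flash-named
    executable from an untrusted host. Only HTTP 200 responses count as a
    completed download."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        u = urlparse(rec["url"])
        host = u.hostname or ""
        if FLASH_EXE_RE.search(u.path) and not is_trusted_host(host):
            filename = u.path.rsplit("/", 1)[-1]
            hits.append((rec["client"], host, filename))
    return hits


def clients_to_triage(log_text):
    """Distinct client IPs that fetched a suspect installer, for follow-up on the endpoint."""
    return sorted({client for client, _, _ in find_suspect_installers(log_text)})


if __name__ == "__main__":
    for client, host, filename in find_suspect_installers(SAMPLE_PROXY_LOG):
        print(f"{client} downloaded {filename} from {host}")
    print("clients to triage:", clients_to_triage(SAMPLE_PROXY_LOG))
```

A hit here only means the file was downloaded; whether the user then ran it is an endpoint question, so the client list is the starting point for checking process-creation and file-encryption activity on those machines.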
The security firm adds that several big Russian media outlets like Interfax news agency and Fontanka.ru have been victimised by the ransomware. At the same time, the ransomware has likely spread its wings to other countries like Ukraine, Turkey, and Germany. According to recent reports, the ransomware may also have affected the Odessa airport and the Kiev metro system.
Initial analysis by cyber experts suggests that Bad Rabbit could be a variant of NotPetya, a sophisticated ransomware that affected operations at global firms like Danish shipping company Maersk, Russian oil giant Rosneft, aircraft manufacturer Antonov, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK.
Kaspersky Lab says even though Bad Rabbit is being used by hackers to gain control over corporate servers like NotPetya was in June, it doesn’t have any evidence yet to prove that the two ransomware strains are related.
However, Steven Malone, Cyber Resilience Expert at Mimecast, says that Bad Rabbit is indeed a variant of NotPetya, since both use the same SMB flaws to spread laterally once inside a network.
‘This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success,’ says Tony Rowan, Chief Security Consultant at SentinelOne.