Toward the end of June, a global cyberattack caused by the NotPetya malware, originating in Russia and Ukraine, affected thousands of business computers in more than 60 countries. Today, the fear of a new global cyberattack is hovering over the critical infrastructures of those two countries (as well as Turkey and Germany, albeit to a lesser extent) after nearly 200 companies were affected by the “Bad Rabbit” malware.
What is “Bad Rabbit”?
It shares some similarities with WannaCry and Petya, although it almost certainly won’t reach the same propagation levels as those attacks.
Until now, it has been distributed via compromised web pages that request the user to install a false Flash Player update. Once installed, it blocks access to the computer’s data and demands a ransom.
It works similarly to other types of ransomware: it encrypts the content of the computer and requires a payment for its release, in this case 0.05 bitcoins (about $280).
What makes this malware more dangerous than a typical ransomware with a similar distribution is its ability to spread across the company’s internal network.
PandaLabs has thoroughly analyzed and categorized this threat, defining it as W32/Ransom.G.Worm. These are the primary files that it is comprised of (MD5 – file name):
fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe
Its predecessor GoldenEye/NotPetya originally appeared to be a WannaCry-style ransomware, but an in-depth analysis revealed that its authors did not really intend to release the hijacked data, but rather to completely destroy it. In this new case, however, we have verified that the data is merely “kidnapped”, and the attack is financially motivated.
We’re looking at a ransomware that is very similar to NotPetya. One of the main differences, besides not using the EternalBlue exploit, is in the way it encrypts the disk.
According to what we’ve been able to observe until present, compromised web pages were used as an entry vector, posing as a Flash Player update. The user has to download and execute the file. Once executed, it extracts the file in C:\Windows\infpub.dat. In reality, the file is a dll, and it is executed through the following command: rundll32.exe C:\Windows\infpub.dat,#1 15
For more details, read the PandaLabs’ technical analysis here.
Panda Security’s Clients Can Rest Easy
Since this attack first appeared on the night of October 24 in Europe, our laboratory issued alerts on its first attempts thanks to Panda Adaptive Defense.
Continuous monitoring of absolutely all running processes, as well as advanced prevention, detection, and remediation capabilities, allowed Adaptive Defense to detect and block the attack before it attempted to activate itself. In this way, we were able to analyze the threat and dissect the malware to replicate the disinfection capabilities across all of Panda Security’s services.
Once again, we can confirm that none of our clients were affected by this new threat, since all of our solutions protected against it automatically with no need to install updates.
Panda Security continues to position itself as the most efficient advanced cybersecurity provider on the market.
We will keep you informed of any new information.