{"id":11993,"date":"2017-10-25T10:21:14","date_gmt":"2017-10-25T09:21:14","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/?p=11993"},"modified":"2019-11-22T10:06:34","modified_gmt":"2019-11-22T10:06:34","slug":"bad-rabbit-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/bad-rabbit-ransomware\/11993\/","title":{"rendered":"Bad Rabbit: A new ransomware epidemic is on the rise"},"content":{"rendered":"

The post is being updated as our experts find new details on the malware.<\/strong><\/p>\n

We\u2019ve already seen two large-scale ransomware attacks this year \u2014 we\u2019re talking about the infamous WannaCry<\/a> and ExPetr<\/a> (also known as Petya and NotPetya). It seems that a third attack is on the rise: The new malware is called Bad Rabbit \u2014 at least, that\u2019s the name indicated by the darknet website linked in the ransom note.<\/p>\n

What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and Fontanka.ru among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it\u2019s the same attack is not yet clear.<\/p>\n

The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom \u2014 that\u2019s roughly $280 at the current exchange rate.<\/p>\n

\"\"<\/p>\n

According to our findings, the attack doesn\u2019t use exploits. It is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Our researchers have detected a number of compromised websites, all news or media sites.<\/p>\n

Whether it\u2019s possible to get back files encrypted by Bad Rabbit (either by paying the ransom or by using some glitch in the ransomware code) isn\u2019t yet known. Kaspersky Lab antivirus experts are investigating the attack, and we will be updating this post with their findings.<\/p>\n

According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr. We continue our investigation. In the meantime, you can find more technical details in this post on Securelist<\/a>.<\/p>\n

Kaspersky Lab\u2019s products detect the attack with the following verdicts: UDS:DangerousObject.Multi.Generic<\/em> (detected by Kaspersky Security Network) and PDM:Trojan.Win32.Generic<\/em> (detected by System Watcher).<\/p>\n\n

To avoid becoming a victim of Bad Rabbit:<\/p>\n

Users of Kaspersky Lab products:<\/strong><\/p>\n