It hasn’t even been a year since the last major ransomware attack, WannaCry, but the world is already witnessing the next major attack. On Tuesday morning, major organisations and government departments in Russia and Ukraine were hit with a new strain of the NotPetya ransomware called Bad Rabbit. The ransomware works almost identically to the WannaCry variant of the attack, infecting host devices, encrypting their data and refusing access to it until a 0.05 Bitcoin ($380) ransom has been paid.
Bad Rabbit’s known victims currently include many Ukrainian government agencies as well as Russian transport networks and airports. This has resulted in widespread chaos in the eastern European countries, with major transport delays, police departments being stalled and numerous businesses being forced to close. According to US officials, there have also been reports of multiple victims located in the US and many other regions around the world.
What makes this sinister attack possible is its rewritten code, which gives it the ability to bypass security updates released by software and device manufacturers. Bad Rabbit’s code is almost identical to that used by WannaCry and NotPetya, but major sections have been rewritten solely to bypass these security updates and prey on ‘secure’ devices.
How did it spread?
Kaspersky stated that the attackers have gone as far as developing and releasing fake Flash Player updates to ‘spread’ across the web and ‘harvest’ sensitive information from thousands of devices. This information could then be used to unlock and encrypt each device.
Unfortunately, at the time of writing, the malware still goes undetected by almost all anti-virus programs, leaving the majority of the world’s devices vulnerable to the attack.
Could Bad Rabbit be a ploy?
Kaspersky Labs and RiskIQ have suggested that the Bad Rabbit team has been planning this attack for several months, as far back as early 2016. This raises the question: why now? Why has the Bad Rabbit attack suddenly appeared now, and is it masking an even more sinister attack?
Numerous firms have released tips and assistance messages, including Kaspersky Labs, which advised, “Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat,” and, “Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.”
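As an added example that is not from the article or from Kaspersky, the following PowerShell (assumed to run in an elevated session on the affected Windows host) is one way to apply the two quoted tips: it creates the two named paths as empty placeholders with an access-denying ACL so the dropper can neither write nor load them, and it disables the WMI service. It first reports the current state so that a non-empty file, which may be evidence of an existing infection, is not overwritten.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Kaspersky's own code. Paths are the two
# quoted in the article; the blocking technique (placeholder file + deny ACL)
# is an assumption about how to satisfy "block the execution" on a host.
$BlockedFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Get-BadRabbitMitigationState {
    # Report each path (present? size?) plus the WMI service state, so the
    # operator can see a non-empty file before a placeholder is created.
    foreach ($f in $BlockedFiles) {
        $item = Get-Item -LiteralPath $f -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $f
            Present = [bool]$item
            Bytes   = if ($item) { $item.Length } else { 0 }
        }
    }
    Get-Service -Name winmgmt | Select-Object Name, Status, StartType
}

function Block-BadRabbitFile {
    param([Parameter(Mandatory)][string]$Path)
    # Refuse to overwrite a non-empty file: that would destroy evidence.
    if ((Test-Path -LiteralPath $Path) -and (Get-Item -LiteralPath $Path).Length -gt 0) {
        throw "$Path already exists and is not empty; investigate before blocking."
    }
    New-Item -Path $Path -ItemType File -Force | Out-Null
    # Strip inherited ACEs and deny Everyone (SID S-1-1-0) full control,
    # so no account can write to or load the placeholder.
    icacls $Path /inheritance:r /deny '*S-1-1-0:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

function Disable-WmiService {
    # Kaspersky's second tip. Many management tools depend on WMI, so apply
    # this only where the environment can tolerate it, as the advice says.
    Stop-Service -Name winmgmt -Force
    Set-Service -Name winmgmt -StartupType Disabled
}

Get-BadRabbitMitigationState
foreach ($f in $BlockedFiles) { Block-BadRabbitFile -Path $f }
# Disable-WmiService   # uncomment once the WMI dependency has been assessed
```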
Tips have also been released by theVPN.guru, stating that the use of a VPN service can partially protect users from attacks, as “their IP address and data is hidden.” More advanced VPN services have also begun “blocking suspicious links”, further protecting VPN users.
All major firms have also urged victims to refrain from paying the ransom: tracking the currency is impossible, leaving all payments untraceable, and the money is likely funding further attacks. These payments could even be transferred to ISIS militants or North Korea, which is currently under major sanctions.