In 2017 we have already seen two of the largest ransomware epidemics on record, the notorious WannaCry and ExPetr (also known as Petya and NotPetya), and now it looks as though a third one is starting. This time the ransomware is called Bad Rabbit: at least, that is the name on the darknet page to which its creators direct victims for further details.
So far, several Russian media outlets have been hit by this ransomware, including Interfax and Fontanka. Odessa airport has also reported a hacker attack, possibly connected with the same Bad Rabbit.
To decrypt the files, the attackers demand 0.05 bitcoin, which at the current exchange rate is roughly equivalent to 283 dollars or 15 700 rubles.
The details of the attack and how the infection spreads are not yet known, nor is it known whether the files can be decrypted. Kaspersky Lab experts are investigating this attack, and we will update this post as they find new information.
Most victims of the attack are in Russia. We also observe similar attacks in Ukraine, Turkey and Germany, but in far smaller numbers. The malware spreads through a number of compromised Russian media websites. All signs indicate that this is a targeted attack on corporate networks. It uses methods similar to those we saw in the ExPetr attack, but we cannot confirm a connection with ExPetr.
It is already known that Kaspersky Lab products detect one of the malicious components as UDS:DangerousObject.Multi.Generic (via the Kaspersky Security Network cloud service), as PDM:Trojan.Win32.Generic (via System Watcher), and also as Trojan-Ransom.Win32.Gen.ftl.
To avoid falling prey to the new “Bad Rabbit” epidemic, we recommend the following:
For users of our protective solutions:
- Check that the Kaspersky Security Network and Activity Monitoring (System Watcher) components are enabled in your security solution. If they are not, be sure to turn them on.
For those who do not use Kaspersky Lab security solutions:
- Block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
- Disable (if possible) the use of the WMI service.
- Back up your data.
- Do not pay ransom.
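One way to put the two host-level recommendations above into practice on a Windows machine, as an added example that is not Kaspersky Lab's own code or tooling: the script first checks whether either of the named files is already present (which would mean the host is infected rather than in need of protection), then, if they are absent, creates empty placeholders at those paths with a Deny Execute entry for Everyone so that a dropped component cannot be run from there. The placeholder-plus-deny-ACL approach is this example's choice for "block execution"; a Software Restriction Policy or AppLocker rule for the same paths would be a more robust alternative. The WMI step is kept in a separate function and left commented out because stopping Winmgmt breaks management agents and monitoring.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Paths are the two named in the post;
# everything else (function names, the ACL technique) is this example's assumption.

$IndicatorFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Test-BadRabbitIndicators {
    # Detection: report whether either dropped component already exists on this host.
    foreach ($path in $IndicatorFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            [PSCustomObject]@{ Path = $path; Present = $true
                               SizeBytes = $item.Length; LastWrite = $item.LastWriteTime }
        } else {
            [PSCustomObject]@{ Path = $path; Present = $false; SizeBytes = 0; LastWrite = $null }
        }
    }
}

function Block-FileExecution {
    param([Parameter(Mandatory)][string]$Path)
    # Mitigation: create an empty placeholder if nothing is there, then add an explicit
    # Deny Execute ACE for Everyone. An explicit deny is evaluated before any inherited
    # allow, so the file cannot be executed even if a later process overwrites its content.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    $acl  = Get-Acl -LiteralPath $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'ExecuteFile', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Execute denied for Everyone on $Path"
}

function Disable-WmiService {
    # Mitigation from the post's "if possible" item: stop the Windows Management
    # Instrumentation service and keep it from restarting at boot. Dependent services
    # are stopped as well (-Force), which is why this is not called by default.
    $svc = Get-Service -Name Winmgmt -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Winmgmt -Force }
    Set-Service -Name Winmgmt -StartupType Disabled
    Get-Service -Name Winmgmt | Select-Object Name, Status, StartType
}

# --- main flow ---
$findings = Test-BadRabbitIndicators
$findings | Format-Table -AutoSize

if ($findings | Where-Object { $_.Present }) {
    # A component is already on disk: this host should be treated as an incident,
    # not vaccinated. Leave the file for forensics and isolate the machine.
    Write-Warning 'Bad Rabbit component already present; isolate this host and preserve the file for analysis.'
} else {
    foreach ($path in $IndicatorFiles) { Block-FileExecution -Path $path }
}

# Uncomment only after confirming your management tooling can tolerate losing WMI:
# Disable-WmiService
```

Run it from an elevated PowerShell session on each endpoint, or push it through your existing configuration-management channel. The detection half is safe to run anywhere; the ACL half is a stopgap until the vendor detections listed above (or an application-control policy) are in place, and the backup and "do not pay" items from the list still apply regardless.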