A new ransomware worm dubbed “Bad Rabbit” began spreading across the world Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit Eastern Europe in June.
The Bad Rabbit malware enters victims’ computers through a phony Adobe Flash Player installer posted on a hacked website. (Flash Player, both real and fake, is a favorite cyber-criminal tool.) The initial infections came from Russian-language news sites, one of which seemed to have been actively infecting visitors even as it reported on the malware outbreak.
Some reports said websites based in Denmark, Turkey and Ireland had also been corrupted with the fake Flash installer.
After it has infected the initial machine in a network, Bad Rabbit uses the open-source tool Mimikatz to find any login credentials stored on the machine, then tries to use those credentials to spread to other machines.
Once it has spread as far as it can through a network, Bad Rabbit encrypts all files of commonly used Office, image, video, audio, email and archive file types on the infected Windows machines, using the open-source DiskCryptor utility, and posts a ransom note. The victim is instructed to send 0.05 bitcoin (about $280) to a specific Bitcoin wallet.
Here is an example of the ransom screen:
The best advice I can give you is this: if you are unsure about an Adobe Flash Player update, don’t install it.
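One concrete way to act on that advice before double-clicking a downloaded “update” is to check its Authenticode signature. This is an added example, not code from the original post; the installer path is an assumption, and it assumes a genuine Adobe installer carries a valid signature whose certificate subject names Adobe as the organization.

```powershell
# Added example: refuse to run an installer unless it carries a valid
# Authenticode signature from the expected publisher.
param(
    # Assumed location of the downloaded file; adjust to where it was saved.
    [string]$InstallerPath = "C:\Users\Public\Downloads\flashplayer_installer.exe"
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
# means the file is unsigned, tampered with, or signed by an untrusted chain.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': do not run this installer."
    return
}

$subject = $sig.SignerCertificate.Subject

# Assumption: the real publisher signs with a certificate whose subject
# contains 'O=Adobe'. A valid signature from someone else is still suspect.
if ($subject -notmatch 'O=Adobe') {
    Write-Warning "Valid signature, but signer is '$subject', not Adobe: do not run this installer."
    return
}

Write-Output "Signed by $subject; signature status $($sig.Status)."
```

A fake installer dropped by a compromised website will typically fail the first check outright, which is the point at which to delete it rather than install it.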