After the various and vicious ransomware attacks of mid-2017, led by the "WannaCry" ransomware, which caused enormous damage to thousands of systems and workstations, ransomware authors have struck again with a brand-new piece of malware called "Bad Rabbit".
This malware has spread widely in recent weeks; here are the details:
On 24 October 2017, a new ransomware codenamed "Bad Rabbit" was discovered; it is now rapidly spreading across countries such as Russia, Ukraine and Germany. Bad Rabbit infects a network when one person inadvertently runs a fake Adobe Flash Player installer that has been manipulated to look like the real thing.
Bearing similarities to the WannaCry and Petya ransomware, Bad Rabbit encrypts Windows, video and audio files. Through compromised websites, it prompts the user to install a fake Adobe Flash update. Two files named "infpub.dat" and "dispci.exe" are dropped on the system and lock the documents on it. The ransom screen shown to infected users is pictured below:
After infecting one machine in a network (one computer in an office, for example), Bad Rabbit can harvest any login credentials stored on that machine and use them to spread to other machines. The malware then locks users out and demands a ransom.
The file extensions it encrypts are listed below:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Infected users will also find a "Readme.txt" file in the system root folder, containing instructions on how to pay the ransom.
What Can I Do?
1. To prevent the malware from spreading across the network, disable the WMI service.
2. Block TCP ports 135, 139 and 445.
3. Use stronger passwords on PCs in the intranet; a mix of capital letters, numbers and symbols is recommended.
4. Make sure your anti-virus software is up-to-date.
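As an added example that is not part of the original post, the following PowerShell script audits and applies the four mitigations above on a single Windows host: it creates host-firewall block rules for the listed ports, disables the WMI service (Winmgmt), checks whether the files named in this post are present, and reports the Windows Defender signature age. The drop locations assumed for infpub.dat and dispci.exe are an assumption; the post does not state where they are written.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# File locations below are assumptions; the post names the files but not their paths.

$blockPorts = @(135, 139, 445)

# 1. Block inbound RPC/NetBIOS/SMB ports with a host firewall rule, one rule per port.
foreach ($port in $blockPorts) {
    $name = "Block-Inbound-TCP-$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule $name"
    } else {
        Write-Host "Firewall rule $name already exists"
    }
}

# 2. Stop and disable the WMI service (Winmgmt), as the post recommends.
#    Caveat: management and monitoring tooling may depend on WMI; verify before rolling out widely.
if ((Get-Service -Name Winmgmt).Status -ne 'Stopped') {
    Stop-Service -Name Winmgmt -Force
}
Set-Service -Name Winmgmt -StartupType Disabled
Write-Host "Winmgmt status: $((Get-Service -Name Winmgmt).Status)"

# 3. Look for the artefacts named in the post. The Windows directory is an ASSUMED
#    location for the two dropped files; the post only says they are installed on the system.
$indicators = @(
    (Join-Path $env:SystemRoot  'infpub.dat'),
    (Join-Path $env:SystemRoot  'dispci.exe'),
    (Join-Path $env:SystemDrive 'Readme.txt')   # the post places this in the system root
)
foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        Write-Warning "Possible Bad Rabbit artefact found: $path"
    }
}

# 4. Report how old the anti-virus signatures are (Windows Defender only; other
#    products expose this differently).
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    Write-Host "Defender signatures last updated: $($status.AntivirusSignatureLastUpdated)"
} catch {
    Write-Host "Windows Defender status not available on this host"
}
```

Password strength (step 3 of the post) is a domain policy matter rather than a per-host setting, so it is not scripted here.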
As always, HAWASLY has the solution.
We have a wide range of professional anti-virus products, produced by the world's most powerful labs and dedicated to dealing with such aggressive attacks.
You can contact us to inquire about our products and find the one best suited to your requirements and needs.