On October 24th, 2017; reports from a number of well-known anti-virus vendors state that a new family called Bad Rabbit Ransomware has hit businesses and home users through Europe at this stage.
It’s the third major ransomware outbreak in 2017 joining NotPetya (https://en.wikipedia.org/wiki/Petya_(malware)) and WannaCry (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack).
Where (geographically) is Bad Rabbit impacting?
Currently, reports have come from Russia, Ukraine, Turkey and Germany at this stage. However; this can spread anywhere.
Bad Rabbit distribution and how to tell who’s infected?
Bad Rabbit hides behind legitimate websites as an Adobe flash installation; which consequently requires user interaction to install and execute.
BadRabbit creates two scheduled tasks in Windows named ‘drogon’ and ‘rhaegal’ (after the dragons in Game of Thrones). Once executed; the processes will begin to encrypt the files on the machine.
How do I remove Bad Rabbit?
- Remove the infected machine from any network it’s connected to. This will stop any further the spread of infection.
- Perform a bare metal recovery from a backup. A bare metal recovery (if you have a backup that’s able to) will wipe everything related to Bad Rabbit completely rather than just replacing the encrypted files and potentially leaving the malware on the system.
More information about how valuable backups are in the event you’re hit with ransomware on our blog post at https://testmybackups.com/2017/10/21/ransomware-backups-last-line-of-defense/.
How much is the ransom for Bad Rabbit and should I pay it?
The site asks for payment of 0.05 Bitcoin (somewhere around $276 to $364 USD).
There is no guarantee you’ll get decryption key to decrypt your data. But most importantly, refusing to pay the ransom discourages future ransomware attacks.
While prevention is always better, user’s should also prepare for such an incident. We can help with this.