Global Attack by Badrabbit Ransomware

The business world has hardly gotten back on its feet after the global WannaCry shock, and Badrabbit Ransomware is already here to hit hard again. This dangerous malware infection is also known as Diskcoder.D. Although this severe threat is already a global phenomenon, it has mainly targeted major companies in Eastern Europe, in countries such as Ukraine and Russia. Our research also indicates several attacks in Germany, Bulgaria, and Turkey. As a matter of fact, a Ukrainian software company called MeDoc has been accused of letting this beast loose on the web, although the company denies such accusations. If this dangerous ransomware program has managed to infiltrate your system or your server, there is a good chance that all your hard drives have been encrypted with a deadly combination of algorithms that cannot be cracked. Hopefully, you have a recent backup of your files, which you can use to restore your computer or server after you remove Badrabbit Ransomware, if that is the path you choose in the end. It is important for us to mention that experience shows that cyber criminals rarely deliver the promised decryption key after victims pay the demanded ransom fee.

A few days ago Badrabbit Ransomware started its vicious attacks and paralyzed major media corporations as well as the Kiev Metro and Odessa International Airport, and it infected several banks and large companies like “Maersk” and “Rosneft.” It seems that this ransomware program is a new variant of the infamous Petya Ransomware. This malware infection is spread as a fake Flash update (install_flash_player.exe) that can be downloaded from compromised websites. It is possible that you land on an unreliable website where you would like to watch an online streaming video or other content that may require Flash, but instead of the content, a pop-up window appears claiming that you need to install the latest Adobe Flash version in order to view it. The worst thing you can do in this situation is to fall for this trick and click to install.

No wonder it is so important that you only use official websites to download updates and software. You cannot trust unfamiliar and suspicious file-sharing pages, since these mostly promote bundled malicious threats alongside a possibly working free program. It is also essential that you do not click on third-party advertisements when you suddenly land on questionable pages, since one click on a corrupt ad or link may also forward you to a fake Flash update website. The same can happen when your computer is infected with adware. Such an infection can redirect you to malicious pages or show you unsafe third-party banner and pop-up ads that can also display such fake Flash update messages. All in all, it is important to keep your system clean so that you do not end up with further malicious threats.

Please note that once you start the fake Flash installer, you cannot delete Badrabbit Ransomware without losing your files to encryption. The malicious executable is placed in the "Win32/Filecoder.D" folder. Once you activate it, it downloads the file C:\Windows\infpub.dat in the background, which creates two executable files on your computer through which this dangerous ransomware can operate. Badrabbit Ransomware uses a combination of the RSA-2048 and AES-128-CBC algorithms to encrypt your full hard drive. The affected files get a plain ".encrypted" extension.

This ransomware does not only encrypt your files; it may also use Mimikatz, which is an application to collect and steal sensitive information like banking details, passwords, and logins. It may also modify the Master Boot Record (MBR) settings, which makes it even more difficult to remove Badrabbit Ransomware. Once these operations have finished, this malware infection displays its ransom note on your screen, which seems to be identical to Petya Ransomware's. These criminals demand 0.05 Bitcoins ($287) to be sent within 41 hours; otherwise, the ransom fee increases. This amount cannot be called high if we consider that this ransomware mainly attacks huge corporations. The usual ransom fee in such cases can soar to thousands of US dollars' worth of Bitcoins.
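As an added example that is not part of the original post, the short triage script below checks a file listing for the indicators described in the two paragraphs above: the fake Flash installer name, the infpub.dat payload dropped under the Windows directory, and the ".encrypted" extension the ransomware appends. The sample listing, the directory threshold, and the function and variable names are constructed for illustration only.

```python
import ntpath
from collections import Counter

# Indicators named in the article above; the threshold and the function and
# variable names below are assumptions made for this added example.
DROPPER_NAME = "install_flash_player.exe"  # fake Flash installer
PAYLOAD_PATH = r"c:\windows\infpub.dat"    # file dropped in the background
ENCRYPTED_EXT = ".encrypted"               # extension appended to encrypted files
ENCRYPTED_DIR_RATIO = 0.5                  # share of files that marks a directory as hit

def triage_listing(paths):
    """Scan a list of Windows file paths and return the Bad Rabbit findings."""
    dropper, payload, encrypted = [], [], []
    per_dir_total, per_dir_encrypted = Counter(), Counter()
    for raw in paths:
        path = raw.lower()  # NTFS names are case-insensitive
        directory, name = ntpath.split(path)
        per_dir_total[directory] += 1
        if name == DROPPER_NAME:
            dropper.append(raw)
        if path == PAYLOAD_PATH:
            payload.append(raw)
        if name.endswith(ENCRYPTED_EXT):
            encrypted.append(raw)
            per_dir_encrypted[directory] += 1
    # Directories where at least half the files carry the extension count as hit;
    # restore those from backup rather than waiting for a decryption key.
    hit_dirs = sorted(d for d, total in per_dir_total.items()
                      if per_dir_encrypted[d] / total >= ENCRYPTED_DIR_RATIO)
    return {
        "dropper": dropper,            # fake installer found on disk
        "payload": payload,            # infpub.dat present under the Windows directory
        "encrypted_count": len(encrypted),
        "encrypted_dirs": hit_dirs,
        "infected": bool(payload) or bool(encrypted),
    }

# Constructed sample listing for the demonstration, not real forensic data.
SAMPLE = [
    r"C:\Users\alice\Downloads\install_flash_player.exe",
    r"C:\Windows\infpub.dat",
    r"C:\Users\alice\Documents\report.docx.encrypted",
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real machine you would feed it the output of a recursive directory listing instead of SAMPLE; a directory reported in "encrypted_dirs" is one to restore from backup.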

It is always risky to pay the ransom fee because there is never any guarantee that the cyber criminals behind the attack will actually send the decryption key or tool. To be frank, you are more likely to get infected by them a second time than to receive the key. Of course, in the case of a company, it is not really the choice or decision of a single user, as all the computers can be affected when the main server is paralyzed. Hopefully, this new wave of cyber attacks will quiet down soon and everyone will be able to get back to business as usual. This is definitely a good lesson for all of us about backing up our drives and preventing similar nightmares by protecting our PCs with professional anti-malware software.