Organizations in Russia, Ukraine and now the U.S. are under siege from Bad Rabbit, a new strain of ransomware that began locking up computer systems in Eastern Europe and had reached the U.S. by Tuesday. The Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) issued an alert saying it had received "multiple reports" of infections.
Russia’s Interfax news agency reported on Twitter that the outbreak shut down some of its servers, forcing Interfax to rely on its Facebook account to deliver news.
Bad Rabbit Starts With Social Engineering
The outbreak appears to have started on compromised Russian and Ukrainian news websites, which served a fake Adobe Flash Player installer through the familiar social engineering trick of a "your Flash is out of date" prompt. Nothing happens until the visitor downloads the file, runs it and approves the Windows prompt asking for administrator rights. Once it is running with those rights, several things happen:
- It harvests credentials from the machine's memory with a bundled Mimikatz-style tool, picking up the passwords of accounts that have logged on since the last reboot, including the domain account used for the company network.
- Next, it tries to spread to other machines on the network over SMB, using both the harvested credentials and a built-in dictionary attack that combines common usernames, such as administrator, admin, guest or root, with a short list of common (weak) passwords.
- It encrypts the user's files and then the disk itself, replacing the boot record with its own bootloader that displays the ransom note instead of starting Windows. The boot record is the small piece of code that loads Windows when you turn the computer on, so the workstation is crippled until it is rebuilt.
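The spreading step above is the part that leaves a trace in logs before the encryption stage fires: a single source host failing network logons for a run of common account names within a few seconds, sometimes followed by a success. The following is an added detection example written for this post, not code from the original article or from any vendor tool. It runs over constructed Windows Security log records (EventID 4625 failed logon, 4624 successful logon, logon type 3 = network, the type SMB authentication produces) reduced to the fields a SIEM would normally parse out; the username list, the sample records, the IP addresses and the thresholds are all assumptions for the example, and a real deployment would read the same fields from the event log or SIEM instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account names typical of worm-style dictionary attacks. This is a constructed
# subset for the example; Bad Rabbit's hardcoded list was longer.
COMMON_USERNAMES = {"administrator", "admin", "guest", "user", "root", "test", "backup"}

# Constructed Windows Security log records, reduced to the fields a SIEM would
# parse from EventID 4625 (failed logon) and 4624 (successful logon):
#   <time> <event_id> <logon_type> <source_ip> <account_name>
# Logon type 3 is a network logon, which is what SMB authentication produces.
SAMPLE_EVENTS = [
    "2017-10-24T13:02:01 4625 3 10.0.0.5 alice",             # one user mistyping
    "2017-10-24T13:02:05 4625 3 10.0.0.5 alice",
    "2017-10-24T13:10:00 4625 3 10.0.0.17 administrator",    # burst of common names
    "2017-10-24T13:10:00 4625 3 10.0.0.17 admin",
    "2017-10-24T13:10:01 4625 3 10.0.0.17 guest",
    "2017-10-24T13:10:01 4625 3 10.0.0.17 user",
    "2017-10-24T13:10:02 4625 3 10.0.0.17 root",
    "2017-10-24T13:10:03 4624 3 10.0.0.17 administrator",    # ...then one succeeds
    "2017-10-24T13:30:00 4625 2 10.0.0.9 administrator",     # interactive logons,
    "2017-10-24T13:30:01 4625 2 10.0.0.9 admin",             # not SMB: ignored
]


def parse_event(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, event_id, logon_type, src_ip, user = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src_ip": src_ip,
        "user": user.lower(),
    }


def detect_spray(lines, window=timedelta(seconds=60), min_users=3):
    """Return one alert per source IP that, within `window`, failed network
    logons for at least `min_users` distinct accounts including at least one
    name from COMMON_USERNAMES. A later successful network logon from the same
    source is recorded as the account it got in with."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    recent = defaultdict(list)   # src_ip -> failed network logons still inside the window
    alerts = {}                  # src_ip -> alert record

    for ev in events:
        if ev["logon_type"] != 3:            # only network logons matter here
            continue
        src = ev["src_ip"]
        if ev["event_id"] == 4625:
            # Slide the window: keep only failures recent enough to count.
            recent[src] = [f for f in recent[src] if ev["time"] - f["time"] <= window]
            recent[src].append(ev)
            users = {f["user"] for f in recent[src]}
            hits = users & COMMON_USERNAMES
            if len(users) >= min_users and hits:
                alert = alerts.setdefault(src, {
                    "src_ip": src,
                    "first_seen": recent[src][0]["time"],
                    "attempts": 0,
                    "users": set(),
                    "dictionary_hits": set(),
                    "success_as": None,
                })
                alert["attempts"] = len(recent[src])
                alert["users"] |= users
                alert["dictionary_hits"] |= hits
        elif ev["event_id"] == 4624 and src in alerts and alerts[src]["success_as"] is None:
            alerts[src]["success_as"] = ev["user"]   # lateral movement succeeded
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"{a['src_ip']}: {a['attempts']} failed network logons for {sorted(a['users'])}"
              f" since {a['first_seen']:%H:%M:%S}; success as {a['success_as']}")
```

On the sample records only 10.0.0.17 trips the rule: five distinct common names failed within three seconds and the same host then logged on as administrator, which is exactly the sequence a worm using a hardcoded credential list produces. A single user mistyping a password (10.0.0.5) and interactive logons at the console (logon type 2, from 10.0.0.9) are left alone, which keeps the rule quiet on a normal day; tune `window` and `min_users` to the noise level of the environment before relying on it.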
So now the computer will not boot and the files on it are encrypted. What the attackers gain is not a copy of your data but the credentials that were cached on the machine, including the account you use to log on to your company's network, which the malware reuses to reach other machines.
Earlier ransomware families were mostly content to encrypt files, including those on network drives, and left the workstation itself bootable. Bad Rabbit is potentially more damaging because of the credential harvesting: any password typed or cached on that machine since its last reboot, from the domain logon to your bank, Facebook or other password-protected sites, should be treated as compromised and changed from a clean machine.
The cybercriminals are demanding a payment of 0.05 bitcoin, or about $275 at current rates, and the ransom note warns that the price rises once a countdown expires. It isn't clear whether paying actually unlocks a computer's files. Because this story is still developing, antivirus signatures for the fake installer were still being rolled out as this was written. One check does not depend on signatures: a genuine Adobe installer is digitally signed by Adobe (visible under the Digital Signatures tab of the file's Properties) and is never delivered as a pop-up from a news site, while the Bad Rabbit file is an ordinary executable with no Adobe signature. Therefore, we are advising our clients to NOT install any Flash update offered by a web page, and to hold off on updating Flash at all until this settles; when you do update, get the installer only from Adobe's own site.
Our malware prevention, antivirus, intrusion detection and intrusion prevention tools can block the fake installer once it is recognized and can flag the logon attempts it generates as it tries to spread. However, a sample that is not yet recognized will still run if a user launches it and approves the administrator prompt, and from that point nothing on the workstation prevents the file encryption and the boot-record overwrite.
Once a workstation has been hit, rebuilding it and restoring data from backup typically takes four to six hours, and that assumes a current backup exists; without one the files are gone unless the attackers' decryption actually works. Depending on how many people in your company fall victim to this attack, the cost of downtime will undoubtedly be, at the very least, a pain in the neck, or worse, a financial and legal nightmare.