RansomwareNewz Desk – Bad Rabbit Special

Welcome to RWNZ outta Boston where, of course, the big ransomware news of the last 48 hours is Bad Rabbit – the latest cyberattack that’s sweeping across Europe.

After parts of the United Kingdom were recently battered by Hurricane Ophelia and Storm Brian, IT professionals are battening down the hatches at the prospect of another huge ransomware attack.

But could Bad Rabbit rival WannaCry and Petya/NotPetya in size and scope, or is it a storm in a teacup?

Let’s take a closer look by jumping…


The Bad Rabbit outbreak appears to have started in Russia and Ukraine, where it affected organizations including Russian news/media agencies, Kiev’s Metro, Odessa Airport and the Ministry of Infrastructure of Ukraine.

The “new mass cyberattack” is targeting corporate networks and, once infected, victims are directed to a Tor-hidden website where a ransom of 0.05 bitcoin ($288) is demanded to unlock encrypted systems within (we think) 42 hours.

While 42 is the answer to life, the universe and everything, one of the special numbers in Lost…

AND one of the numbers in Donnie Darko’s countdown “until the world ends,” thankfully the Bad Rabbit countdown doesn’t lead to RABBITGEDDON – it only increases the ransom when it hits zero.

No exploits (like the FBI-leaked EternalBlue exploit) were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” said Russian cybersecurity company, Kaspersky Lab, who also suggest “disabling WMI service to prevent the malware from spreading over your network.”

Bad Rabbit ransomware uses DiskCryptor, an open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys. What makes it different and dangerous is its ability to spread as a worm and not just through email attachments or vulnerable web plugins.


Just as fluffy little rabbit tails and Donald Trump’s hair share DNA, Crowdstrike are reporting that Bad Rabbit and NotPetya’s DLL (Dynamic Link Library) share 67% of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor but since we still don’t know who was behind Petya, it’s hard to say.

Russian and Eastern European cybercriminal organizations usually avoid attacking the ‘Motherland’, so this is unlikely to be a Russian group.

What we do know is that the hackers are Game of Thrones geeks, because just like a recent Locky variant, this strain of ransomware contains references to the show, namely Daenerys’ dragons Viserion, Drogon, and Rhaegal.


This ransomware may not breathe fire, but just like real rabbits, Bad Rabbit is multiplying fast and has already made its way from Russia and The Ukraine to Bulgaria, Turkey, Germany and South Korea like an ill wind.

On Wednesday, Avast reported the first Bad Rabbit infections on U.S. soil, the Czechia-based cybersecurity firm adding “We expect a growing number of detections in the hours ahead.”


If you’ve frozen in panic at the prospect of another huge ransomware attack like… well a rabbit in headlights, there is light at the end of the tunnel…

Malware analyst, Amit Serper thinks that Bad Rabbit has been “blown out of all proportion” and has successfully found a vaccine. Just follow the instructions in his above tweet.

Amit may be known as the “Florence Nightingale of #NotPetya” but this time he’s more like a one-man myxomatosis, single-handedly bringing down this floppy-eared cyberattack. Unfortunately, with only one thousand retweets, Amit’s vaccine by no means spells the end of Bad Rabbit, but it may hold back the floodwaters.

We’ll bring you updates as we hear them and you can rest assured that no real rabbits were harmed in the Bad Rabbit outbreak.

They were all killed.



Leave a Reply

Your email address will not be published. Required fields are marked *