What Is Bad Rabbit Ransomware?

October 5, 2021 in Malware, Website Security

What do animals have to do with ransomware? Here’s a hint: not much.

Back in 2017, a ransomware outbreak paralyzed several organizations in Russia and Ukraine, with cases also occurring in Turkey, Germany, Bulgaria and Japan.

The malware became known as Bad Rabbit ransomware and was the third major spread of malware that year. After the initial outbreak, members of the cybersecurity community were confused about what exactly Bad Rabbit is.

So, what is Bad Rabbit ransomware—and what does Bad Rabbit do?

Bad Rabbit Ransomware: What Exactly Is It?

Designed to encrypt and lock files, Bad Rabbit is a type of ransomware that spreads through “drive-by attacks,” in which insecure websites are compromised. It’s unclear who exactly is behind Bad Rabbit ransomware, but the cybersecurity community does know that whoever it is, they’re fans of Game of Thrones. The code contains references to Viserion, Drogon, and Rhaegal, the dragons featured in the famous show and novels.

Disguised as an Adobe Flash installer, the malware doesn’t spread through traditional ransomware delivery methods like phishing emails, but rather through drive-by downloads on compromised websites. This means that a person could be exposed to the malware simply by visiting a malicious or compromised website and downloading files they believe to be genuine Adobe updates.

So, while a person thinks they’re visiting a safe website, malware is downloaded from the cybercriminal’s infrastructure onto their computer. Bad Rabbit ransomware is embedded into websites using JavaScript injected into the site’s HTML code. Some members of the cybersecurity community believe the initial outbreak was a targeted attack that may have been months in the making, but that hasn’t been confirmed.

What Does Bad Rabbit Do?

Now that you have a better understanding of Bad Rabbit ransomware—and that it has nothing to do with actual rabbits—what does Bad Rabbit do?

While the downloaded file may look safe, it begins infecting the computer once opened. However, it isn’t installed automatically; the victim must click on the file for it to run and lock the computer. When activated, the malicious installer shows a ransom note and payment page demanding a certain Bitcoin amount within a 40-hour deadline. It also displays a note that “no one will be able to recover files without our decryption service.”

Once Bad Rabbit has infected a computer, it attempts to spread across the network by using lists of simple username and password combinations (e.g., 1111, Password, Guest123) to try to force its way into other computers. If successful, Bad Rabbit deploys the ransomware, encrypts files, and moves on to the next device.
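The spreading behavior described above leaves a recognizable trace for defenders: one machine failing logons against many other machines in a short time. The detection logic below is an added example, not part of the original article or any vendor's code; the log format, host names, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
# Assumed line format: timestamp source_host target_host account result
SAMPLE_LOG = """\
2021-10-05T10:00:01 ws-017 fs-01 admin FAIL
2021-10-05T10:00:03 ws-017 fs-01 guest FAIL
2021-10-05T10:00:05 ws-017 ws-022 admin FAIL
2021-10-05T10:00:07 ws-017 ws-023 admin FAIL
2021-10-05T10:00:09 ws-017 ws-024 guest FAIL
2021-10-05T10:00:11 ws-017 ws-024 admin OK
2021-10-05T10:03:40 ws-031 fs-01 jsmith FAIL
2021-10-05T10:03:55 ws-031 fs-01 jsmith OK
"""

def parse(log):
    """Yield (time, source, target, account, result); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, src, dst, user, result = parts
            yield datetime.fromisoformat(ts), src, dst, user, result

def find_spreading_hosts(log, min_targets=3, window=timedelta(minutes=5)):
    """Flag sources whose failed logons reach >= min_targets machines within window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, src, dst, _user, result in parse(log):
        (failures if result == "FAIL" else successes)[src].append((ts, dst))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        best, best_from, start = set(), None, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best, best_from = targets, events[start][0]
        if len(best) >= min_targets:
            alerts[src] = {
                "targets": sorted(best),
                # Successful logons after the burst began: machines to isolate first.
                "logged_in_to": sorted({d for t, d in successes[src] if t >= best_from}),
            }
    return alerts

if __name__ == "__main__":
    print(find_spreading_hosts(SAMPLE_LOG))
```

A single user mistyping a password against one server (ws-031 in the sample) stays below the threshold, while the host fanning out across the network is flagged together with the machine it managed to log in to.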

Bad Rabbit is understood to have hit media outlets in Russia, causing servers to crash during the cyber-attack. It also hit critical infrastructure organizations in the transportation sector in Ukraine, causing flight delays due to the manual processing of passenger data. Ukraine’s subway system was also affected, causing payment delays on customer service terminals.

Bad Rabbit Protection

Companies can reduce the risks posed by ransomware attacks—and ultimately protect themselves from Bad Rabbit ransomware—with a few simple steps.

  1. Only download updates from a reliable source; if you need to download Adobe updates, download them from the Adobe website, not a third-party website
  2. Perform regular backups
  3. Enforce strong password controls
  4. Have updated antivirus software
  5. Implement network architecture and security controls that segment a corporate network

Bad Rabbit hasn’t affected companies in the U.S. yet, but organizations are strongly encouraged to advise their employees about Bad Rabbit ransomware attacks and remain aware of possible Bad Rabbit outbreaks.

Stay Protected With SiteLock

Now that you know what Bad Rabbit ransomware is, want to learn more about defending against cybercriminals? Read “What Is Ransomware?” to discover other ways that hackers hold sites hostage—and which four steps can help ensure yours isn’t one.
