What is it?

Despite the name, it’s not an influx of demented furry critters sent to destroy you by North Korea, but the latest Ransomware that could well be targeting UK businesses.

Bad Rabbit has spread from Eastern Europe and Turkey via Germany, where a mixture of businesses, including accountants, were infected.

Hot on the heels of WannaCry, which caused havoc in the NHS, Bad Rabbit is extremely similar to the GoldenEye / NotPetya ransomware that cost businesses millions of dollars, including shipping giant Maersk and mail courier TNT, who both estimated losses at around $300 million.

How does it spread?

The Bad Rabbit ransomware spreads through “drive-by attacks”, in which insecure websites are compromised. While you are visiting a legitimate website, a malware dropper that has been planted on the compromised site is downloaded, disguised as an Adobe Flash installer.

When the innocent-looking file is opened, it starts locking the infected computer. The malware isn’t installed automatically, which means it has to be clicked on to work.

Adobe Flash issues a lot of updates, and it’s common for websites to ask you to install Flash to view content, so it’s likely that many people will be duped.

Many past cyber threats are linked to Flash, which is being discontinued in 2020.

If you do click on the malicious Flash installer, your computer and servers will be locked and a ransom of $280 in Bitcoin is demanded for payment within 40 hours.

How can I protect myself?

Don’t use Flash….

Failing that, make sure your computers and servers are patched to the latest security requirements and you have good working backups and recovery in place.

If you are a techy you can try the following preventative strategy –

***Note: Please check with your IT department before administering this***

Security researcher Amit Serper, who works at Cybereason, claims that all you need to do is create two files (c:\windows\infpub.dat and c:\windows\cscc.dat) and remove all permissions from them. This means that even if you come into contact with Bad Rabbit, it will not be able to work its magic.

This technique has been confirmed as working by other security researchers, but Kaspersky suggests disabling the WMI service to prevent the spread of Bad Rabbit over a network. ***Check with your IT department before disabling WMI.***

To do this, use the following steps:

  1. Press the Windows key and R simultaneously, type services.msc and press Enter.
  2. Locate the Windows Management Instrumentation entry, right-click it and select Properties.
  3. Click the Stop button to stop the service, and from the Startup type drop-down menu select Disabled before clicking OK.
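
The two preventative steps above (the vaccine files and the WMI service), scripted in PowerShell as an added example; it is not code from Amit Serper, Cybereason or Kaspersky. It assumes an elevated session, the `-DisableWmi` switch is a name made up for this example, and `Winmgmt` is the service name behind the Windows Management Instrumentation entry.

```powershell
#Requires -RunAsAdministrator
# Added example: create the two vaccine files, strip their permissions,
# and (only when asked) stop and disable the WMI service.
param(
    [switch]$DisableWmi   # hypothetical switch for this example; off by default
)

# File names taken from the article.
$vaccineFiles = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

foreach ($path in $vaccineFiles) {
    # Create an empty placeholder if it is not already there.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path
    # Block inheritance and discard the ACEs inherited from C:\Windows.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit ACEs so the DACL ends up empty (no access granted).
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRuleAll($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Re-read the ACL: AceCount should be 0 and Protected should be True.
    $check = Get-Acl -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        Owner     = $check.Owner
        Protected = $check.AreAccessRulesProtected
        AceCount  = @($check.Access).Count
    }
}

if ($DisableWmi) {
    # Scripted form of steps 1-3 above. -Force also stops dependent services,
    # so confirm with your IT department what relies on WMI first.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
    Get-Service -Name Winmgmt | Select-Object Name, Status, StartType
}
```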