A new ransomware attack, ‘Bad Rabbit’, is on the rise and spreading across the globe at a fast pace. The ransomware was first seen in Russia and Ukraine on Tuesday and is now making its way across Europe.
After WannaCry and Petya, this is the third global cyber-attack this year, and by the looks of things it is going to leave the world in chaos unless you take preventive measures. Confirmed victims include the Kiev subway system, Odessa airport and the Ministry of Infrastructure in Ukraine, along with the Russian news agencies Interfax and Fontanka.
According to various cyber security experts, the initial infection comes through a fake Adobe Flash update. Users download the bogus update file from a compromised website and then manually run the ‘.exe’, infecting themselves. That is only the entry point, however: once it is inside a network, the ransomware spreads to other machines on its own, like wildfire.
The attackers demand 0.05 Bitcoin per infected system to decrypt it. That is about $280 at today’s exchange rate, which adds up quickly for the many organizations that run hundreds or thousands of systems.
So far there is no confirmed, general way to recover files lost to Bad Rabbit, whether by paying the ransom or by exploiting a flaw in its code.
What is Ransomware (and Bad Rabbit)?
Ransomware is malware that encrypts your files, or your entire system, and demands a ransom for the decryption key. It hijacks your device and blocks access to its contents until you pay. It spreads through malicious downloads and spam emails, or disguises itself as a software update (as in the case of Bad Rabbit).
Preventive Measures to Stop Bad Rabbit Attack
As dangerous as the ransomware sounds, there are steps you can take to keep it off your systems. Kaspersky Lab recommends the following preventive measures:
- Make sure your antivirus software is up to date
- If you don’t have antivirus installed, install one now
- Do not download or run Adobe Flash updates offered by websites or pop-ups
- Do not execute the files c:\windows\infpub.dat and c:\windows\cscc.dat if they appear on your system; these are components dropped by the ransomware
- Back up all your data as a precaution
- Disable the WMI service if possible, to hinder the ransomware’s spread across the network
According to Amit Serper, a security researcher and malware analyst at Cybereason, there is a way to vaccinate your system against Bad Rabbit: create the two files named above, ‘infpub.dat’ and ‘cscc.dat’, in c:\windows yourself and remove all permissions on them, so the ransomware cannot drop its own copies there.
I can confirm – Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. 🙂 pic.twitter.com/5sXIyX3QJl
— Amit Serper (@0xAmit) October 24, 2017
How to Remove Permissions from ‘infpub.dat’ & ‘cscc.dat’ Files
If you don’t know how to remove permissions from the infpub.dat and cscc.dat files, follow these steps, created by Amit Serper at Cybereason:
- Run cmd.exe as admin
- Type the following command:
echo "" > c:\windows\cscc.dat&&echo "" > c:\windows\infpub.dat
- Now right-click the cscc.dat file and select Properties
- Go to the Security tab and then click Advanced
- Click Change Permissions
- Now select SYSTEM and click Edit
- Uncheck the box ‘Include inheritable permissions from this object’s parent’
- A pop-up box will appear; click Remove
- That’s it, you are done (make sure to repeat the process for the other file, infpub.dat)
*Note: On Windows 10 the process is the same, except that instead of unchecking the inheritance box you click the ‘Disable inheritance’ button and then choose ‘Remove all inherited permissions from this object’.
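The same vaccination, scripted in PowerShell so it can be applied to many machines at once rather than clicked through per host. This is an added example, not Amit Serper’s or Cybereason’s code; it assumes Windows is installed at $env:SystemRoot (normally C:\Windows) and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article or from Cybereason).
# Creates the two placeholder files and strips every access control entry
# from them, which is what the manual steps above do through the GUI.
# Requires an elevated prompt; assumes Windows lives in $env:SystemRoot.

$files = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($path in $files) {
    # Only create the placeholder if nothing is there yet. A file with this
    # name that already exists deserves a look before you touch it: it may
    # be the ransomware's own dropped component, not your placeholder.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting from the parent folder and discard the inherited
    # entries ($true = protect, $false = do not keep copies of them).
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit entries that remain so the DACL ends up empty:
    # nobody, SYSTEM included, can read, write or execute the file.
    foreach ($ace in @($acl.Access)) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }

    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify: inheritance is protected and no access rules are left. The owner
# (the Administrators group that created the file) can still read the ACL
# even with an empty DACL, so this check works from the same prompt.
foreach ($path in $files) {
    $check = Get-Acl -LiteralPath $path
    "{0}: inheritance protected={1}, access rules={2}" -f `
        $path, $check.AreAccessRulesProtected, @($check.Access).Count
}
```

The equivalent with the built-in icacls tool is `icacls C:\Windows\cscc.dat /inheritance:r`, which removes the inherited entries; the script above additionally clears any explicit entries so the result is an empty DACL. Because the creating administrator owns the files, the change is reversible later with `icacls <file> /reset` followed by deleting the file.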
Flaws in Bad Rabbit can Help Users Recover Lost Files
There is still hope: researchers at Kaspersky Lab found flaws in how Bad Rabbit operates, and users who have been hit by the ransomware may be able to use them to recover lost files.
The first flaw is that Bad Rabbit does not delete the Volume Shadow Copies of the files it encrypts. Most ransomware does delete them, precisely to stop recovery tools from restoring the unencrypted originals. Because Bad Rabbit skips that step, any shadow copies that existed before the infection are still on the disk, so there is a chance of recovering the original data from them.
The second flaw concerns the decryption password. Kaspersky analysts extracted the password from memory during a debugging session and found that it worked. The catch is that the password lives only in memory and is cleared once the PC reboots, so this is a long shot for recovering lost files, though some lucky users have succeeded.
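How to check whether shadow copies survived and pull unencrypted originals out of the newest one, as an added PowerShell example that is not part of the original article or of Kaspersky’s research. It assumes an elevated prompt on the affected machine; the link path C:\shadow_latest and the destination D:\recovered are illustrative choices, and only snapshots whose date predates the infection will hold unencrypted files.

```powershell
# Added example (not from the original article or from Kaspersky).
# Lists Volume Shadow Copies, maps each to its drive letter, then exposes
# the newest snapshot as a directory link so files can be copied out of it.
# Run elevated. Paths C:\shadow_latest and D:\recovered are placeholders.

$volumes = Get-CimInstance -ClassName Win32_Volume
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies present; this recovery path is closed."
    return
}

# Show what exists. Pick a snapshot taken BEFORE the infection; later ones
# only contain the already-encrypted files.
foreach ($s in $shadows) {
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    "{0}  drive={1}  id={2}  {3}" -f $s.InstallDate, $vol.DriveLetter, $s.ID, $s.DeviceObject
}

# Expose the newest snapshot through a directory symlink. The trailing
# backslash on the device path is required by mklink, and the link path
# must not already exist.
$latest = $shadows[0]
$link   = 'C:\shadow_latest'
if (Test-Path -LiteralPath $link) { throw "$link already exists; choose another path" }
cmd /c "mklink /d $link $($latest.DeviceObject)\" | Out-Null

# Copy originals out of the snapshot to a separate location; the snapshot
# itself is read-only. -ErrorAction Continue keeps going past locked files.
$source = Join-Path $link 'Users'
$target = 'D:\recovered'
Copy-Item -LiteralPath $source -Destination $target -Recurse -ErrorAction Continue

# Remove the link when finished (the snapshot is untouched):
#   cmd /c "rmdir C:\shadow_latest"
```

`vssadmin list shadows` from an admin command prompt gives the same inventory without PowerShell. Copy to a drive that the ransomware has not touched, and do not write into the link itself.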
Cyber security experts are still analyzing the attack and issuing warnings to corporations and individuals. They have identified the initial infection vector and highlighted the precautions you can take to stop Bad Rabbit from infecting your systems.
We are monitoring the situation as we speak and will update this post on a regular basis, so watch out for this space. If you have come across this ransomware, drop us a comment below and share your tips & tricks or any query that you might have.