The ins and outs of Bad Rabbit ransomware: what you need to know now

The new Bad Rabbit ransomware, first seen on October 24, 2017,  has been making a lot of headlines this week, and for good reason.

Bad Rabbit tried to fool the user by pretending to be an Adobe Flash update. But first, a little background….

Adobe Flash, a particular pain point for most security experts, is marching slowly to its ultimate demise, set for 2020. For years, the cyber industry has warned about its potential dangers, recommending that computer users disable or uninstall Flash.

Flash was originally introduced by Adobe to deliver Internet users rich content to static web experiences. Many millions of people downloaded Flash so they could watch movies or games, while Internet marketeers used it to display rich ads. Because Flash was so widely adopted, it became an really attractive target for hackers. Flash has largely been replaced by other more efficient and secure technologies, but according to W3, 5.8% of websites out there still use Flash.

How Bad Rabbit ransomware spreads

The way this Bad Rabbit ransomware spreads is by infecting legitimate websites. Media reports have estimated hundreds of websites, including news outlets, are unknowingly peddling this ransomware.

This type of attack is known as a drive-by attack. When an innocent web user visits a website infected with Bad Rabbit, the malicious code hidden on the website will try to install what it purports to be an Adobe Flash update, but is in actual fact ransomware designed to lock and encrypt for files until you pay a ransom.

“No exploits are used, rather visitors to compromised websites — some of which have been compromised since June — are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install,” reports ZDNet.

Once a device is infected, the ransomware encrypts your files, you are directed to a payment page with a countdown timer. 0.05 bitcoin — 248 Euros at the time of writing. If the timer reaches zero before the payment is made, the extortionists promise to hike up the fee.

What makes this ransomware even more worrisome is its ability to spread laterally across networks, meaning it attempts to infect every machine a victim is connected to.

This ransomware has spread mostly in Eastern Europe, but all website managers would be wise to review their security to ensure they are not harbouring the malicious code on their sites and infecting their visitors.

What should you do to avoid this threat?

1. Think twice before using any online services that require Adobe Flash Player. Adobe has promise to kill its Flash Player in 2020, but users would be wise disable or uninstall it now.  
2. If you choose not to disable or delete Flash permanently, consider only turn it on when it is required. Remember to turn it off once you’re done too.
3. Ensure that your version of Adobe Flash is up to date. Set up automatic updates to come directly from Adobe. Never accept update from third parties, no matter how legitimate they look (or claim to be).
4. Backup your files regularly, and check that your keep multiple versions of your backup.
5. Test your backups regularly to make sure you can properly restore your files without any issues.
6. Consider using our GFI WebMonitor, which scans downloads in real-time using up to three different antivirus engines to ensure malware-free downloads. Try it for free right now

Finally, security experts advise strongly that ransomware victims do not pay these malicious actors. Not only does it only encourage them to do this more, but there is no guarantee that they will release your files once they have received your payment.