
A fake Adobe update that could become the new ransomware

Its name is BadRabbit, and experts see many similarities with NotPetya, the outbreak that hit hundreds of organizations last June and was more dangerous and sophisticated than the already notorious WannaCry, although it used the same vulnerability.

In late October, the Russian news outlet Interfax reported that its servers were inoperable because of a cyberattack. A few hours later, after its journalists had been forced to publish the news on Facebook, the Russian cybersecurity firm Group-IB shared a screenshot of a new ransomware, called BadRabbit, in action, and confirmed that at least three other media outlets had also fallen victim to the attack.

BadRabbit demands a ransom in exchange for recovering the data it has encrypted, the same strategy used by other well-known large-scale cyberattacks such as WannaCry and NotPetya.

BadRabbit also encrypts files and demands that the ransom be paid into a Bitcoin wallet, supposedly controlled by the cybercriminals. However, unlike NotPetya, this new attack does allow files to be recovered, because each victim is given a different Bitcoin wallet, which also makes the payments harder to trace.

BadRabbit caused fewer infections than WannaCry or NotPetya, but its victims are high-profile targets: airports, Ukrainian state institutions and metro stations, Russian media outlets, and others.

The ransomware spread through ordinary web downloads rather than a mass-propagation attack hunting for vulnerable machines: it slipped onto computers disguised as a routine Adobe Flash Player update served through Russian news websites.

Once installed on a user's computer, the ransomware tries to spread over the Windows network protocol SMB, using one tool to change the privileges the victim's computer holds within the local network and another to extract plaintext passwords from other computers.

16/11/2017