Network and endpoint security leader Sophos has warned against a new ransomware strain known as BadRabbit that targets consumers and businesses. BadRabbit is among the strains of ransomware that users, especially in Russia and Ukraine, have experienced over the past few months.
BadRabbit appears to be downloaded automatically when users visit legitimate websites, but unlike previous ransomware it doesn’t use any exploits, so it relies on the user to run the program manually. It poses as an Adobe Flash installer. When the program is run, it displays a message similar to that of other ransomware and tells users to send just under $300 to a Bitcoin account.
“It was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims. It appears this latest variation, the so-called Bad Rabbit ransomware, is being distributed via a fake Adobe Flash Player installer file,” says Chester Wisniewski, Principal Research Scientist at Sophos.
Initial reports, Chester says, are primarily from Eastern Europe, especially Russia and Ukraine.
“What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organization as a worm and not just through email attachments or vulnerable web plugins. It is rumored to contain the same password stealing and spreading mechanism as NotPetya, allowing it to traverse an enterprise and cripple it in no time,” he adds.
SophosLabs say they are working to confirm these details, but have already ensured protection for Sophos customers. At the moment Sophos Anti-Virus customers will detect this variation as Troj/Ransom-ERK. Sophos Sandstorm proactively detected this threat through its machine learning detection, and Sophos Intercept X blocks it through the use of Sophos’ CryptoGuard technology. Sophos web protection products are also blocking known distribution points.
Sophos is also advising users to keep their software up to date with the latest patches to avoid being affected by this ransomware. It is urging them to back up regularly, keep a recent backup copy off-site and encrypt their backups, and to employ defense in depth, because criminals constantly try to outwit security products. Having many layers of protection helps bridge the gap when one is evaded.
Users can also download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on the hard disk.