Bad Rabbit: New Ransomware Attack Rapidly Spreading Across the World


A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours.


Dubbed "Bad Rabbit," it is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~$285) as ransom from victims to unlock their systems.

According to an initial analysis provided by Kaspersky, the ransomware was distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly.

Bad Rabbit ransomware uses DiskCryptor, an open-source full-disk encryption tool, to encrypt files on infected computers.


The ransom note, shown above, asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.

The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.

Researchers are still analysing Bad Rabbit ransomware to check whether there is a way to decrypt computers without paying the ransom and how to stop it from spreading further.

Most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.

So always exercise caution when opening unsolicited documents sent by email, and do not click links inside those documents unless you have verified the source, to safeguard against such ransomware infections.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

To always keep a tight grip on your valuable data, keep a good backup routine in place that copies it to an external storage device that isn't always connected to your PC.

Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. 


Emotet is a banking Trojan first detected by Trend Micro in 2014. The malware is used to steal bank account details by intercepting network traffic, and is still actively being developed with different function modules.

In order to be infected, four steps driven by user interaction are required:

- Malicious email is received.
- Attached Word document is opened.
- The user enables the macro (the "Enable Editing" prompt most of you know), which allows malicious activity to be spawned through PowerShell.
- The Emotet Trojan is installed on the victim's machine.
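One way a defender can catch the third step of that chain in endpoint telemetry: an added example, not from the original post or from any vendor's product, that flags Office applications spawning script hosts over constructed, Sysmon-style process-creation records. The pipe-separated field layout and the sample lines are assumptions made for the example.

```python
import ntpath
import re

# Office applications whose macros should not be launching script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits typical of macro-launched PowerShell stagers (case-insensitive).
SUSPICIOUS_ARGS = {
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download cradle": re.compile(r"(downloadstring|downloadfile|invoke-webrequest|net\.webclient)", re.I),
    "bypass policy": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
}

# Constructed sample records: ParentImage|Image|CommandLine (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE /n invoice.doc",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell -w hidden -ep bypass -enc PLACEHOLDERBASE64",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Process",
    r"C:\Program Files\Microsoft Office\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd /c dir",
]


def parse_event(line):
    """Split one pipe-separated record into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.strip(), "image": image.strip(), "cmdline": cmdline.strip()}


def analyse_event(event):
    """Return an alert dict when an Office app spawns a script host, else None."""
    parent = ntpath.basename(event["parent"]).lower()   # ntpath handles Windows paths on any OS
    child = ntpath.basename(event["image"]).lower()
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    reasons = [f"{parent} spawned {child}"]
    for label, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(event["cmdline"]):
            reasons.append(label)
    # The parent/child pair alone is worth a look; extra traits make it high severity.
    severity = "high" if len(reasons) > 1 else "medium"
    return {"severity": severity, "reasons": reasons}


def scan(lines):
    """Return (record index, alert) pairs for every record that triggers."""
    alerts = []
    for index, line in enumerate(lines):
        alert = analyse_event(parse_event(line))
        if alert is not None:
            alerts.append((index, alert))
    return alerts
```

Record 1 is the Emotet-style chain and scores high; record 3 (Excel launching cmd.exe with a benign command) still surfaces at medium, which is the point: the parent/child relationship is the signal, not the payload.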


The Word document uses a well-known social engineering trick to entice users to install the malware. The document claims it has been “protected” and requests that the user activate macros in order to see its contents.

Once a foothold is established, the Emotet malware turns each infected machine into a bot that is then used to target and infect new victims.

Since its first version, Emotet has continued to evolve into a modular Trojan horse that takes advantage of several evasion, persistence, and spreading techniques. It also downloads additional malware such as Dridex or TrickBot to harvest banking and other credentials.

This method of social engineering via malicious spam has become the norm this year, with a major increase in malicious spam malware distribution and a drop in exploit kit infections. You can expect that we will see continued use of this distribution method and its associated tricks from multiple malware families. 




Clicker Trojans attempt to generate revenue by continually making website connections behind the scenes, without the victim’s knowledge. A new family we’re seeing is Android/Trojan.Clicker.hyj. This Trojan is capable of click fraud, as well as spamming a victim’s contact list as a means to infect additional users.

These apps have interesting package names like com.java.mail and org.mac.word that are likely used to throw off victims and researchers by making them appear legitimate and trustworthy.

Android/Trojan.Clicker.hyj is a heavily obfuscated app that is capable of a variety of actions due to an included set of functions packaged within the app. Stored within that package are multiple JavaScript files used to carry out actions when a URL is encountered, such as finding the buttons to click on a website, and then actually clicking the button to facilitate an action. 


Along with click fraud, this threat is also capable of accessing the victim’s contact list and spamming those entries with messages to sign up for a paid video library subscription. 


As with most malware, the end goal for Android/Trojan.Clicker.hyj is to make money. It has two methods of generating revenue—fake site visits and paid subscription services. It also helps that the authors have a high number of apps being distributed, which lines their pockets with a steady income stream.

This threat can be found in alternative markets and luckily not in Google Play. We suggest sticking to trusted sources for your favourite and new apps. 


Please do not hesitate to contact The Computer Guyz at our Cape Town or Centurion branches and we will advise and assist wherever we possibly can. Keep in mind that there is no concrete way to prevent these threats, but we make every effort to ensure our clients are protected. Give us a call on 087 001 0511/2 or email contact@tcgcape.co.za 
