

A ransomware attack circulating in Eastern European countries such as Russia and Ukraine, apparently a variant of Petya (the attack that occurred in June), was detected this week: Bad Rabbit (identified as RANSOM_BADRABBIT.A).
 

According to Kaspersky, a Russian antivirus manufacturer, this attack does not use exploits. It is what they call a drive-by attack: victims download a fake Adobe Flash Player installer from infected websites and manually launch the .exe file, infecting their PCs. It is worth noting that this attack targets Windows computers.

The analysis carried out by Trend Micro confirms this information. Bad Rabbit spreads via attacks that lead to a fake Flash installer, "install_flash_player.exe". "The compromised sites are injected with a script that contains a contaminated URL (hxxp://1dnscontrol[.]com/flash_install), which was inaccessible as of the time of publication. We observed some compromised sites from Denmark, Ireland, Turkey and Russia, which featured the fake Flash installer," reports Trend Micro on its blog.

Once the fake installer is clicked, it releases the encrypted file infpub.dat using the process rundll32.exe, along with the file decryptor dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the series Game of Thrones, starting with rhaegal.job, responsible for running the decryptor file, as well as a second job file, drogon.job, which is responsible for shutting down the victim's machine. The ransomware then proceeds to encrypt files on the system and display the ransom note.
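As an added example that is not part of the original article or of the cited vendors' analyses, the following Python script scans a constructed, simplified process-creation log for the Bad Rabbit indicators named above: the fake install_flash_player.exe, rundll32.exe loading infpub.dat, the dispci.exe decryptor, and the rhaegal/drogon job names. The log format and sample lines are constructed, and the assumption that a task-creation command line carries the job name is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the Bad Rabbit description in the article above.
INSTALLER_NAME = "install_flash_player.exe"
DROPPED_DLL = "infpub.dat"
DECRYPTOR_NAME = "dispci.exe"
JOB_NAMES = ("rhaegal", "drogon")   # the .job files named in the article

# Constructed, simplified log format (assumed; not any real product's schema):
# <timestamp> PROC parent=<exe> image=<exe> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) PROC parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

@dataclass
class Alert:
    line_no: int
    reason: str

def classify(parent: str, image: str, cmd: str) -> Optional[str]:
    """Return a reason string if one process-creation event matches a Bad Rabbit indicator."""
    parent_l, image_l, cmd_l = parent.lower(), image.lower(), cmd.lower()
    if image_l.endswith("rundll32.exe") and DROPPED_DLL in cmd_l:
        return "rundll32.exe loading infpub.dat (Bad Rabbit dropper stage)"
    # Assumption: a task-creation command line contains the job name it registers.
    if any(job in cmd_l for job in JOB_NAMES):
        return "command line references a Bad Rabbit job name (rhaegal/drogon)"
    if image_l.endswith(DECRYPTOR_NAME):
        return "dispci.exe decryptor component started"
    if image_l.endswith(INSTALLER_NAME) or parent_l.endswith(INSTALLER_NAME):
        return "fake Flash installer executed outside Adobe's own update channel"
    return None

def scan(lines: List[str]) -> List[Alert]:
    """Parse each log line and collect alerts; unparseable lines are skipped."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue
        reason = classify(m["parent"], m["image"], m["cmd"])
        if reason:
            alerts.append(Alert(n, reason))
    return alerts

# Constructed sample log: one benign browser launch, the infection chain, one benign service.
SAMPLE_LOG = [
    '2017-10-24T10:00:00Z PROC parent=explorer.exe image=chrome.exe cmd="chrome.exe"',
    '2017-10-24T10:01:10Z PROC parent=chrome.exe image=install_flash_player.exe cmd="install_flash_player.exe"',
    '2017-10-24T10:01:12Z PROC parent=install_flash_player.exe image=rundll32.exe cmd="rundll32.exe infpub.dat"',
    '2017-10-24T10:01:13Z PROC parent=rundll32.exe image=schtasks.exe cmd="schtasks /Create /TN rhaegal"',
    '2017-10-24T10:01:14Z PROC parent=services.exe image=svchost.exe cmd="svchost.exe -k netsvcs"',
    '2017-10-24T10:01:15Z PROC parent=rundll32.exe image=dispci.exe cmd="dispci.exe"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.reason}")
```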

To avoid the problem, if a website asks you to update Flash in order to watch a video or access some content, do not do it via pop-ups from the website itself. You can check whether you are running the latest version on Adobe's own website and obtain a safe, original Flash download there if you need it. Also keep your antivirus software up to date.
 
Sources: Kaspersky Lab, Trend Micro and Tech Everything
