Is Bad Rabbit the new NotPetya?


Malware uses legit software to encrypt disks.

A new strain of ransomware is working its way around the globe disguised as a fake Adobe Flash player update delivered as a drive-by download.

Dubbed Bad Rabbit, the malware is based on the destructive NotPetya ransomware that struck earlier this year, according to Cisco's Talos security researchers. NotPetya inflicted hundreds of millions in damages on companies including TNT Express and Maersk.

However, major portions of the Bad Rabbit code have been rewritten, and the malware doesn't appear to have supply chain attack capability, Talos said.

Analysis by Google's VirusTotal scanning system suggests the malware uses the legitimate Diskcryptor software to encrypt victims' disks.

The ransom to unlock the disks is set to 0.05 Bitcoin, equivalent to A$354.

Bad Rabbit is currently spreading in Russia, Eastern Europe and Turkey.

It can move laterally across networks and systems using a Microsoft Server Message Block (SMB) module with a list of weak login credentials for brute-force guessing, as well as the mimikatz password-stealing tool.

The malware's dropper, however, requires user interaction; victims need to click on the fake Flash update to start the installation.
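The SMB credential guessing described above shows up on target hosts as bursts of failed network logons (Windows Security event 4625, logon type 3) from one source across several accounts. The Python below is an added example, not code from the article or from the vendors it quotes; the simplified log format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, event id, logon type, source IP, target host, account.
SAMPLE_LOG = """\
2024-01-15T09:00:01,4625,3,10.0.0.23,FILE01,administrator
2024-01-15T09:00:03,4625,3,10.0.0.23,FILE01,admin
2024-01-15T09:00:05,4625,3,10.0.0.23,FILE01,guest
2024-01-15T09:00:07,4625,3,10.0.0.23,FILE02,administrator
2024-01-15T09:00:09,4625,3,10.0.0.23,FILE02,admin
2024-01-15T09:00:11,4625,3,10.0.0.23,FILE02,guest
2024-01-15T09:00:13,4625,3,10.0.0.23,FILE02,user
2024-01-15T09:01:00,4625,3,10.0.0.40,FILE01,jsmith
2024-01-15T09:01:30,4625,3,10.0.0.40,FILE01,jsmith
2024-01-15T09:02:00,4624,3,10.0.0.40,FILE01,jsmith
2024-01-15T09:05:00,4625,2,10.0.0.51,WS07,alice
"""

def parse(log_text):
    """Yield (time, source, target, account) for failed network logons only."""
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, src, target, account = line.split(",")
        # 4625 = failed logon; logon type 3 = network, which covers SMB.
        if event_id == "4625" and logon_type == "3":
            yield datetime.fromisoformat(ts), src, target, account.lower()

def find_credential_guessing(log_text, window=timedelta(minutes=2),
                             min_failures=6, min_accounts=3):
    """Return {source: (failures, accounts, targets)} for each source whose
    largest burst inside a sliding window meets both (assumed) thresholds."""
    by_source = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_source[event[1]].append(event)
    flagged = {}
    for src, events in by_source.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures older than the window
            burst = events[start:end + 1]
            accounts = {e[3] for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                if len(burst) > flagged.get(src, (0,))[0]:
                    flagged[src] = (len(burst), accounts, {e[2] for e in burst})
    return flagged

if __name__ == "__main__":
    for src, (n, accounts, targets) in find_credential_guessing(SAMPLE_LOG).items():
        print(f"{src}: {n} failures, accounts={sorted(accounts)}, targets={sorted(targets)}")
```

Requiring several distinct accounts keeps a single user mistyping a password, like the constructed 10.0.0.40 entries, from being flagged.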

Security vendor ESET said Bad Rabbit had been used in an attack on major infrastructure in Ukraine, including the public transport metro in the capital, Kiev. It said it had also identified Bad Rabbit infections in Japan and Bulgaria.

The US Computer Emergency Readiness Team (US CERT) is warning users that it has received multiple reports of Bad Rabbit ransomware infections.

According to security researcher Amit Serper, creating two files on a Windows computer's file system appears to stop Bad Rabbit infections.

They are:



With all permissions removed from the files.
