On October 24th Kaspersky researchers noticed notifications of mass attacks with ransomware dubbed Bad Rabbit. The ransomware has been targeting companies and users, mostly in Russia but there have also been reports of victims in Ukraine. They have also confirmed that Bad Rabbit does in fact use an NSA-linked exploit to spread.
Once Bad Rabbit infects a machine, the ransomware looks for specific file types and encrypts them. When the device boots, a ransom screen will appear to prevent the victim from accessing the operating system.
Kaspersky researchers have noticed that Bad Rabbit ransomware does not remove shadow copies after encrypting the victim’s files. Which means that if the shadow copies feature had been enabled before the infection and if the complete disk encryption did not happen for any reason, then the victim can recover and restore the original versions of the encrypted files.
Kaspersky Lab corporate customers are also advised to:
– make sure that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
– update the antivirus databases immediately.
