2. This is clearly ransomware. Organizations unfortunate enough to fall victim to the attack quickly realized what had happened to them, as the malware made no secret of its purpose - ransom demands were displayed on the screens, stating that the user's files were "no longer accessible" and "no one can recover them without our decryption service."
Victims were redirected to a payment page on the Tor network, which featured a countdown timer. If paid within the first 40 or so hours, the ransom to decrypt the files was 0.05 bitcoin, or about $285. If it was not paid before the countdown reached zero, the price increased and victims had to spend more money.
The encryption engine is DiskCryptor, a legitimate open-source tool used for full logical disk encryption. Keys are generated with CryptGenRandom and then protected by a hard-coded RSA-2048 public key.
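The key-handling pattern just described, as an added illustration that is not Bad Rabbit's or DiskCryptor's code: a random per-victim key is wrapped with an RSA-2048 public key embedded in the sample, so an analyst who has only the sample holds the public half and cannot unwrap it. The example assumes the Python `cryptography` package; `os.urandom` stands in for CryptGenRandom, and the operator's key pair is generated locally for the demonstration.

```python
"""Added illustration of the hybrid key-wrapping scheme described above.
Not Bad Rabbit's or DiskCryptor's code. Assumes `cryptography` is installed."""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# RSA-OAEP with SHA-256, the standard way to wrap a symmetric key under RSA.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def make_operator_keypair():
    """Stands in for the attacker's RSA-2048 key pair (generated locally here).
    Only the PUBLIC half is embedded in a sample; the private half never is."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv, pub_pem


def generate_and_wrap_key(embedded_pub_pem):
    """Per-victim step: draw a random 256-bit key (os.urandom plays the role
    CryptGenRandom plays on Windows) and wrap it with the embedded public key.
    Returns (plaintext key, wrapped key); only the wrapped form is kept."""
    pub = serialization.load_pem_public_key(embedded_pub_pem)
    disk_key = os.urandom(32)
    wrapped = pub.encrypt(disk_key, OAEP)
    return disk_key, wrapped


def unwrap_key(priv, wrapped):
    """Operator-side step: only the holder of the private key can recover it."""
    return priv.decrypt(wrapped, OAEP)


def public_key_can_decrypt(embedded_pub_pem):
    """What an analyst holding only the sample gets: a public key object,
    which has no decrypt operation at all, so the wrapped key stays opaque."""
    pub = serialization.load_pem_public_key(embedded_pub_pem)
    return hasattr(pub, "decrypt")


def wrapped_blob_size(wrapped):
    """RSA-2048 output is always 256 bytes; a handy sanity check when carving
    a wrapped key out of a ransom note, a config block or a memory dump."""
    return len(wrapped)


if __name__ == "__main__":
    operator_priv, embedded_pub = make_operator_keypair()
    key, blob = generate_and_wrap_key(embedded_pub)
    print("wrapped blob bytes:", wrapped_blob_size(blob))
    print("public key alone can decrypt:", public_key_can_decrypt(embedded_pub))
    print("operator recovers key:", unwrap_key(operator_priv, blob) == key)
```

The practical consequence for defenders is the one the ransom note states: without the operator's private key there is no offline recovery path, so the effective mitigations are tested backups and blocking the dropper before it runs.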
3. The malware is based on Petya, in the NotPetya version. If the ransom demand looks familiar, it’s because it’s almost identical to the screen shown to victims of the Petya attack in June. And the similarities aren’t just cosmetic — Bad Rabbit and Petya also share a number of internal elements.
An analysis by CrowdStrike researchers found that the DLLs for Bad Rabbit and NotPetya contain 67% of the same code, confirming that both ransomware variants are closely related and may even be the work of the same attacker.
4. It spreads via a fake Flash update on compromised websites. Bad Rabbit's primary distribution method is tricking visitors of compromised websites into downloading it. No exploits are used; instead, visitors to compromised sites (some of which have been infected since June) are told that they need to install a Flash update. Of course, this is not a Flash update at all, but a dropper that installs the malware.
The infected websites - most of them located in Russia, Bulgaria and Turkey - are compromised via JavaScript embedded in the HTML body or in one of their .js files.
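A site-owner check for the kind of injection described above, as an added example that is not from this post's author: it inventories every `<script>` tag on a page (external `src` values listed, inline bodies hashed) and the site's own `.js` files, compares them with a known-good manifest, and reports anything new or changed. The HTML, the manifest and the `.js` content are constructed samples; the hostname `injected.example` is a placeholder, not an indicator from the page.

```python
"""Added example: detect injected <script> tags and tampered .js files by
comparing against a known-good baseline. Standard library only.
All page content, hashes and file names below are constructed samples."""
import hashlib
from html.parser import HTMLParser


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class _ScriptInventory(HTMLParser):
    """Collects external script sources and SHA-256 of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # sha256 of each inline script body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append(sha256("".join(self._buf).encode()))


def inventory_scripts(html):
    """Return {'external': [...src...], 'inline': [...sha256...]} for a page."""
    p = _ScriptInventory()
    p.feed(html)
    p.close()
    return {"external": sorted(p.external), "inline": sorted(p.inline)}


def check_against_baseline(html, js_files, baseline):
    """List findings: script sources or inline blocks absent from the baseline,
    and .js files (name -> bytes) that are unknown or whose hash changed."""
    findings = []
    inv = inventory_scripts(html)
    for src in inv["external"]:
        if src not in baseline["external"]:
            findings.append("unexpected external script: " + src)
    for h in inv["inline"]:
        if h not in baseline["inline"]:
            findings.append("unexpected inline script (sha256 %s...)" % h[:12])
    for name, content in js_files.items():
        if name not in baseline["js_files"]:
            findings.append("unknown js file: " + name)
        elif baseline["js_files"][name] != sha256(content):
            findings.append("modified js file: " + name)
    return findings


# ---- constructed sample data -------------------------------------------
CLEAN_INLINE = "window.siteReady = true;"
CLEAN_JQUERY = b"/* constructed stand-in for the site's own jquery.min.js */"
BASELINE = {
    "external": ["/static/jquery.min.js"],
    "inline": [sha256(CLEAN_INLINE.encode())],
    "js_files": {"jquery.min.js": sha256(CLEAN_JQUERY)},
}
CLEAN_PAGE = ("<html><body><h1>News</h1>\n"
              '<script src="/static/jquery.min.js"></script>\n'
              "<script>" + CLEAN_INLINE + "</script></body></html>")
# What an injected page looks like: an extra inline block plus an extra
# external script from a host that is not the site's own (placeholder name).
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>document.getElementById("flash").textContent="Update";</script>'
    '<script src="https://injected.example/loader.js"></script></body>')
TAMPERED_JS = {"jquery.min.js": CLEAN_JQUERY + b"\n/* appended bytes */"}

if __name__ == "__main__":
    print("clean:", check_against_baseline(
        CLEAN_PAGE, {"jquery.min.js": CLEAN_JQUERY}, BASELINE))
    for f in check_against_baseline(INJECTED_PAGE, TAMPERED_JS, BASELINE):
        print("finding:", f)
```

Run periodically against the deployed files (or on every deploy) and treat any finding as a signal to pull the page offline and compare against source control; hashing inline bodies rather than matching on keywords means a lure rewritten to avoid the word "Flash" is still caught.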