Wednesday, October 25, 2017

Comparing EternalPetya and BadRabbit


I've created a table comparing the EternalPetya (ExPetr, NotPetya, etc.) outbreak from June, and the BadRabbit ransomware outbreak from yesterday (2017-10-24).

I have decided to not include WannaCry (WanaCrypt0r), as they are not related, while EternalPetya and BadRabbit do seem very closely related, or even developed by (a part of) the same people.

Use freely, as long as you include a link to the original source, which is this blog post.

Comparison table



Download the table / comparison sheet

Additionally, the same comparison is available as a handy spreadsheet (which you can also download in several formats) on Google Docs here:
EternalPetya_BadRabbit_Comparison

Note: this table or sheet will be updated continuously.


Purpose of BadRabbit?

Again, this makes you wonder about the actual purpose of ransomware, which you can read more about here: The purpose of ransomware

For BadRabbit in particular, it may be deployed as a cover-up or smokescreen, or for both disruption and extortion.


Prevention 

For prevention advice, have a look at the following page I've set up:
Ransomware prevention


Disinfection and decryption

Unfortunately, decryption is likely not possible without the cybercriminal's private key.

You may be able to restore the MBR, or your files, if you catch the ransomware in the act and shut down the machine at that point. Reboot in safe mode and copy over or back up your files.

Then restore the MBR and reinstall Windows.

You may also try to restore the MBR first, and subsequently attempt to restore files from Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva.
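As an added example (not from the original post or any tool it mentions), the PowerShell below does by hand what Shadow Explorer does: it lists the Volume Shadow Copies of a volume, exposes each snapshot through a temporary directory link and copies a chosen folder out to a clean destination. It assumes the MBR has already been repaired so the host boots, an elevated session, and placeholder values for $DestRoot and $RelativePath.

```powershell
# Added example: recover files from Volume Shadow Copies after an MBR repair.
# Run elevated. $DestRoot should be a clean, separate disk (assumption), never
# the infected volume itself.
param(
    [string]$SourceVolume = 'C:',                     # volume to recover from
    [string]$DestRoot     = 'D:\Recovered',           # placeholder: clean destination disk
    [string]$RelativePath = 'Users\Public\Documents'  # placeholder: folder to pull from each snapshot
)

# Resolve the volume's device path (\\?\Volume{GUID}\) so it can be matched
# against Win32_ShadowCopy.VolumeName.
$vol = Get-CimInstance -ClassName Win32_Volume |
       Where-Object { $_.DriveLetter -eq $SourceVolume }
if (-not $vol) { throw "Volume $SourceVolume not found" }

$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $vol.DeviceID } |
             Sort-Object InstallDate -Descending

# Ransomware commonly deletes shadow copies; report clearly if none survive so
# the operator moves on to file carving (PhotoRec/Recuva) instead.
if (-not $snapshots) {
    Write-Warning "No shadow copies remain for $SourceVolume."
    return
}

$snapshots | Format-Table ID, InstallDate, DeviceObject -AutoSize

foreach ($snap in $snapshots) {
    # Expose the snapshot via a directory symlink. mklink needs the trailing
    # backslash on the device object; the path has no spaces, so it is passed unquoted.
    $link = Join-Path $env:TEMP ("vss_" + $snap.ID.Trim('{}'))
    cmd /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null

    $src = Join-Path $link $RelativePath
    $dst = Join-Path $DestRoot ("{0:yyyyMMdd_HHmmss}" -f $snap.InstallDate)
    if (Test-Path $src) {
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
        # Copy out rather than restore in place: nothing is written back to the infected volume.
        Copy-Item -Path $src -Destination $dst -Recurse -ErrorAction Continue
        Write-Host "Copied $src -> $dst"
    }

    # Delete only the link; the snapshot itself is left untouched.
    [System.IO.Directory]::Delete($link)
}
```

Each surviving snapshot ends up in its own timestamped folder under $DestRoot, so you can compare versions and pick the newest copy that predates the encryption.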


Any questions, comments or feedback, please do let me know in the comments section below, or send me a message on Twitter. See also my About me page for other contact details.


