Matt Burgess

The Bad Rabbit malware was disguised as a Flash update

Adobe's 2020 deadline for the death of Flash can't arrive soon enough. A previously unseen form of ransomware has spread through eastern Europe.

The new strain of ransomware, dubbed Bad Rabbit, was first spotted on October 24. To date, the systems attacked have mostly been confined to Russia and Ukraine. The ransomware is the third major spread of malware this year: it follows the wider-reaching WannaCry and NotPetya strains of malicious code. Here's what we know about Bad Rabbit so far.


The Bad Rabbit ransomware spreads through "drive-by attacks" in which insecure websites are compromised. "While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure," according to analysis by Kaspersky Lab.

In this instance, the malware is disguised as an Adobe Flash installer. When the innocent-looking file is opened it starts locking the infected computer. The fake Flash download was planted on websites using JavaScript injected into the HTML or Java files of the affected websites. The malware isn't installed automatically, which means it has to be clicked on to work.

If a person does click on the malicious installer – and given the number of Flash updates issued this is highly probable – their computer locks. The ransom note and payment page demand around $280 in Bitcoin and give a 40-hour deadline for payments to be made. The DiskCryptor software is being used to encrypt hard drives.

Unlike WannaCry and NotPetya, Bad Rabbit hasn't spread widely. The majority of incidents have been recorded in Russia and Ukraine. According to security company ESET, which published a blog post on Bad Rabbit, there are a number of Russian domains (.ru) that have been affected. Kaspersky adds that "all" of the compromised websites it has seen have been news or media outlets.

"Most of the targets are located in Russia," Kaspersky says. "Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. Overall, there are almost 200 targets, according to the KSN statistics". These have included the Kiev Metro and Odessa airport. In response, the Ukrainian national computer emergency team issued a warning about Bad Rabbit.

So far there haven't been any attacks seen in the UK. The National Cyber Security Centre says it is aware of Bad Rabbit and it is monitoring the situation. It recommends that all security updates for software are installed.

It hasn't been possible to attribute the ransomware to a country or group of hackers. Analysis by security firm Malwarebytes found a number of similarities with NotPetya.

The ransomware exploits Server Message Block (SMB), as was also seen in NotPetya. Analysis by Malwarebytes concluded that Bad Rabbit is "probably prepared by the same authors" as NotPetya.

While Bad Rabbit doesn't appear to include the EternalBlue Windows exploit that was stolen from the NSA and used in NotPetya and WannaCry, it does use another of the agency's leaked exploits. Further research from Cisco's Talos found Bad Rabbit exploited SMB through the NSA's EternalRomance exploit.

"We identified the usage of the EternalRomance exploit to propagate in the network," Talos said in a blog post. "This exploit takes advantage of a vulnerability described in the Microsoft MS17-010 security bulletin."

This article was originally published by WIRED UK

Bad Rabbit: The Full Research Investigation


What is this all about? Earlier this week a new ransomware attack dubbed ‘Bad Rabbit’ broke out and has so far affected Ukraine, Russia, Turkey and Bulgaria. Various healthcare, media, software and distribution companies and critical infrastructure, such as the Ukrainian train services, Odessa airport and the Ukrainian Ministries of Finance and Infrastructure all […]

The post Bad Rabbit: The Full Research Investigation appeared first on Check Point Research .



Threat Brief: Information on Bad Rabbit Ransomware Attacks


October 24, 2017 at 2:30 PM

Category: Ransomware , Threat Brief , Unit 42

Tags: Bad Rabbit , threat brief


This Unit 42 blog post provides an update on the threat situation surrounding the Bad Rabbit ransomware attacks.

Attack Overview

Bad Rabbit is a ransomware attack that, at the time of this writing, appears to primarily be affecting countries in Eastern Europe. While not spreading as widely as the Petya/NotPetya attacks, reports indicate that where Bad Rabbit has hit, it has caused severe disruption. The Ukrainian CERT has issued an alert on Bad Rabbit.

As detailed below, Bad Rabbit gains initial entry by posing as an Adobe Flash update. Once inside a network it spreads by harvesting credentials with the Mimikatz tool as well as using hard coded credentials.

Bad Rabbit is similar to Petya/NotPetya insofar as it encrypts the entire disk.

We are not aware of any reports of successful recovery after paying the ransom.

Because the initial attack vector is through bogus updates, Bad Rabbit attacks can be prevented by only getting Adobe Flash updates from the Adobe web site.


This attack does not appear to be targeted. Therefore, there appears to be little reconnaissance as part of this attack.


According to ESET, the initial infection vector for Bad Rabbit is through a fake Adobe Flash update that is offered up from compromised websites. Proofpoint researcher Darien Huss has reported this fake update was hosted at 1dnscontrol[.]com. Reports differ on whether this is delivered through social engineering that convinces the user to install the fake update or if it is delivered silently through unpatched vulnerabilities (i.e. “drive-by” installs).

Lateral Movement

Once inside a network, Bad Rabbit propagates itself to other systems. Reports indicate that it harvests credentials using Mimikatz, and Maarten van Dantzig reports it also uses common hardcoded credentials to spread.

Command and Control (C2)

At this time, we have no information on command and control for Bad Rabbit.

Bad Rabbit is not as widespread of an attack as Petya/NotPetya but is causing severe disruptions where it is occurring. It is similar to Petya/NotPetya in terms of the impact of a successful attack. However, it is a different attack with different malware.

We will update this blog with new information as it becomes available.

For information on how Palo Alto Networks products prevent Bad Rabbit, please see our Palo Alto Networks Protections Against Bad Rabbit Ransomware Attacks blog post.

As always, if you have any questions, please come to the Threat & Vulnerability Discussions on our Live Community.

Version Summary

October 24, 2017 2:30 p.m. PT

  • Initial Publication


Ransomware Recap: The Short-Lived Spread of Bad Rabbit Ransomware


This ransomware variant can be distributed by breaking in through an unprotected RDP configuration, or via spam email and malicious attachments, fraudulent downloads, exploits, web injections, fake updates, and repackaged and infected installers.

Users and enterprises can adopt these best practices to lower or eliminate the risk of ransomware infection.

Trend Micro Ransomware Solutions

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud. Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

What Is Bad Rabbit?


Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit infections lock up victims’ computers, servers, or files, preventing them from regaining access until a ransom—usually in Bitcoin—is paid.



Bad Rabbit first appeared in 2017 and has similarities to the ransomware strains WannaCry and Petya.

Disguised as an Adobe Flash installer, a Bad Rabbit attack spreads through drive-by downloads on compromised websites, meaning victims could be exposed to the virus simply by visiting a malicious or compromised website. The Bad Rabbit malware is embedded into websites using JavaScript injected into the site’s HTML code.

If a person clicks on the malicious installer, Bad Rabbit ransomware encrypts files and presents users with an austere black-and-red message. It reads in part: “If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don’t waste your time.”

The text demands around $280 in Bitcoin and gives a 40-hour deadline for payments to be made. [1] Victims reported that making the payment did unlock their files, though this isn’t always the case in other ransomware attacks.

Ransomware such as Bad Rabbit attacks a network in one of two ways: as an encryptor (as is the case with Bad Rabbit malware) or as a screen locker. Encryptors lock data on a targeted system, making the content inaccessible without a decryption key. A screen locker simply blocks access to the system with a lock screen that claims the system is encrypted. [2]

In either case, preventing Bad Rabbit ransomware is a far better option than remediating it.

Once you realize that you are the victim of a Bad Rabbit ransomware attack, follow these steps to respond: [3]

  • Contact law enforcement.
  • Disconnect from any computers, servers or other equipment on your network.
  • Determine the scope of the problem based on your knowledge of threat intelligence.
  • Orchestrate a response. Some types of ransomware, such as screen lockers, are easier to remediate. Others may require completely re-imaging (wiping) systems and recovering files from backup.
  • Look for free ransomware decryption tools—but don’t rely on them. They don’t work for every type of ransomware and may not help you get your files back.
  • Restore captive files from your backup systems.

[1] Lena Fuks (Security Boulevard). “10 Ransomware Attacks You Should Know About in 2019”
[2] Proofpoint. “Ransomware is Big Business”
[3] Proofpoint. “The Ransomware Survival Guide”


What You Need to Know About Bad Rabbit Ransomware

You know what they say: another day, another cyberattack. Okay, maybe "they" don't say that. But they should!

Cyberattacks are everywhere and new exploits are being developed all the time. Take Bad Rabbit, for instance. This form of ransomware is rather new, but it's already making a big splash as it victimizes Russian and Eastern European businesses.

Below, CyberPolicy examines Bad Rabbit, the trends in ransomware, and what businesses can do to defend themselves. Remember, even if you are snagged by ransomware or another form of attack, cyber coverage insurance can be your safety net.

The Basics of Bad Rabbit

Bad Rabbit first burst onto the scene on Tuesday, October 24th. The Russian news agency Interfax Ltd. appears to have been one of the first victims. As of writing this article, the website is still disabled due to "hacker attack." From there, organizations across Russia, Ukraine, Poland, Germany, and Turkey have fallen victim to the infection. According to ZDNet, there are almost 200 infected targets.

Now clearly this isn't on the same scale as the WannaCry epidemic that infected more than 300,000 machines in 150 countries. However, that does not mean that Bad Rabbit doesn't share some similarities with other ransomware attacks. It does. Specifically, Bad Rabbit shares 67 percent of the same code used in the Petya/Not Petya attacks in June. For this reason, some experts believe that these scams might be the work of the same threat actor(s).

Even more bizarre is that the code contains various references to the hit HBO show, Game of Thrones.

How Does It Spread?

Like many forms of malicious software, Bad Rabbit has been propagating itself through drive-by downloads on hacked websites. Typically, the web user will see a pop-up screen prompting them to download the latest Flash player update – which is always a red flag!

These kinds of scams are made possible through JavaScript injection, in which a hacker conceals malicious code within a third-party website. Once the package has been downloaded, it will lock the user's device or spread itself throughout the network.
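The injection pattern described here (and in the WIRED and Proofpoint sections above) is what a site owner or a web proxy should be looking for: a script element the page's authors never added, either loading from the attacker's host or painting the fake update prompt inline. The following is an added example, not code from any of the vendors quoted on this page, of a small scanner for that: it parses the HTML, lists external script sources and inline script bodies, and reports anything that is neither first-party nor on a reviewed allowlist. The 1dnscontrol[.]com host comes from the Proofpoint finding quoted earlier on this page; the sample page, the allowlist and the keyword heuristic for the Flash lure are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator list. The one entry is the host the page names as serving the fake Flash
# update; it is kept defanged, as threat-intel feeds usually ship it.
KNOWN_BAD_HOSTS = {"1dnscontrol[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1dnscontrol[.]com') back into a matchable host name."""
    return indicator.replace("[.]", ".").lower()


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from one HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of src= on <script> tags
        self.inline = []         # text of <script>...</script> blocks with no src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_html(html: str, site_host: str, allowed_hosts=frozenset()):
    """Return (severity, reason, evidence) findings for scripts that do not belong on the page.

    site_host is the page's own host name; allowed_hosts are third parties the site
    owner has reviewed (a CDN, an analytics provider). Anything else is reported.
    """
    bad_hosts = {refang(h) for h in KNOWN_BAD_HOSTS}
    allowed = {h.lower() for h in allowed_hosts}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []

    for src in collector.external:
        host = (urlparse(src).hostname or "").lower()   # '' for relative, first-party paths
        if host in bad_hosts:
            findings.append(("high", "script loaded from a known Bad Rabbit host", src))
        elif host and host != site_host.lower() and host not in allowed:
            findings.append(("medium", "script from an unreviewed third-party host", src))

    for body in collector.inline:
        lowered = body.lower()
        if any(h in lowered for h in bad_hosts):
            findings.append(("high", "inline script references a known Bad Rabbit host", body.strip()[:80]))
        elif "flash" in lowered and ("update" in lowered or "install" in lowered):
            # A Flash "update" offered by page script rather than by Adobe is the lure this campaign used.
            findings.append(("medium", "inline script builds a Flash install/update prompt", body.strip()[:80]))
    return findings


# Constructed sample page: a news site with its own script, one analytics script, and
# two injected pieces modelled on the campaign (one remote loader, one inline lure).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-analytics.net/a.js"></script>
<script src="//1dnscontrol.com/index.php"></script>
</head><body>
<p>Front page</p>
<script>
// constructed stand-in for injected code: paints a fake Flash update prompt
var u = "http://1dnscontrol.com/flash_install.php";
document.write('<div>Your Adobe Flash Player update is ready.</div>');
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "news.example", {"cdn.example-analytics.net"}):
        print(*finding, sep=" | ")
```

Run against the sample, the scanner reports the remote loader and the inline lure as high-severity findings; without the allowlist the analytics script is reported too, at medium severity, which is the right default for a script nobody has reviewed.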

Infected devices will show a red-and-black warning message and a timer, telling the user that their files have been encrypted. The only way to release these files is to pay an extortion fee of 0.05 bitcoin; the equivalent of $285. If the timer runs out, the price goes up.

ZDNet writes that "at this stage, it's unknown if it's possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom," although the site warns that paying the fee might encourage ransomware growth as hackers see how lucrative it is.

Kaspersky Lab says users can prevent infection by locating the malware file (C:\Windows\infpub.dat and C:\Windows\cscc.dat on their computers) and blocking its execution.
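Kaspersky's advice is usually carried out as a "vaccine": create zero-byte files with those two names under the Windows directory and strip their permissions, so the dropper can neither write its payload there nor run it. The following added example (not Kaspersky's own script) does that in Python against a directory you pass in, so it can be rehearsed on a scratch folder before it is pointed at C:\Windows. The read-only bits it sets are a portable approximation; a deny-execute ACL on Windows is assumed to be added with the platform's own tooling and is not part of the code. The refusal to touch a non-empty file is the edge case worth handling: at these paths a non-empty file may be the real payload, which an incident responder should examine rather than have quietly locked down.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names from the page (Kaspersky's advice); the directory is a parameter so the
# routine can be exercised against a scratch folder before touching the real one.
VACCINE_FILES = ("infpub.dat", "cscc.dat")
READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH


def apply_vaccine(windows_dir):
    """Pre-create the two file names and make them read-only.

    Returns a per-file status string. A file that already exists with content is left
    alone: the page names these paths as where the malware itself is written, so a
    non-empty file there is a question for incident response, not something to lock down.
    """
    root = Path(windows_dir)
    status = {}
    for name in VACCINE_FILES:
        path = root / name
        if path.exists() and path.stat().st_size > 0:
            status[name] = "existing_nonempty_file_left_alone"
            continue
        created = not path.exists()
        if created:
            path.touch()
        # Portable approximation of "block its execution": clear the write bits (on Windows
        # this sets the read-only attribute). A deny-execute ACL on top is assumed to be
        # applied with the platform's own tooling; it is not part of this routine.
        os.chmod(path, READ_ONLY)
        status[name] = "created" if created else "already_present_now_read_only"
    return status


def vaccine_status(windows_dir):
    """True per file when the zero-byte, non-writable decoy is in place."""
    root = Path(windows_dir)
    result = {}
    for name in VACCINE_FILES:
        path = root / name
        result[name] = (path.exists()
                        and path.stat().st_size == 0
                        and not (path.stat().st_mode & stat.S_IWUSR))
    return result


def demo():
    """Run the vaccine twice against a scratch directory; returns the observed statuses."""
    scratch = tempfile.mkdtemp(prefix="badrabbit-vaccine-")
    before = vaccine_status(scratch)
    first = apply_vaccine(scratch)
    second = apply_vaccine(scratch)      # idempotent: nothing is recreated or truncated
    after = vaccine_status(scratch)
    return before, first, second, after


if __name__ == "__main__":
    for label, value in zip(("before", "first run", "second run", "after"), demo()):
        print(f"{label}: {value}")
```

Rehearse with `demo()` first; in production the call is `apply_vaccine(r"C:\Windows")` from an elevated prompt, followed by `vaccine_status` as the check that the decoys are in place.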

Whether Bad Rabbit will spread to U.S. businesses and organizations remains to be seen. But it's best to prepare yourself for the worst. By investing in cyber coverage insurance, you can be certain that your organization is protected no matter what. Visit CyberPolicy for your free quote today!

Bad Rabbit ransomware spread using leaked NSA EternalRomance exploit, researchers confirm


Bad Rabbit ransomware spread using the help of a leaked NSA exploit exposed by the Shadow Brokers hacking group, security researchers have confirmed.


When the ransomware first infected organisations in Russia and Ukraine on Tuesday, it was initially suggested that it was using EternalBlue -- the leaked exploit which helped the spread of WannaCry -- but this was quickly found to be not the case.

However, researchers at Cisco Talos have now identified that Bad Rabbit did indeed use an SMB vulnerability to propagate through networks -- known as EternalRomance. Researchers at other security firms including Symantec and Kaspersky Lab have also confirmed the use of EternalRomance.

The vulnerability was also used to distribute NotPetya in June , although researchers note that while this version of EternalRomance is very similar to the publicly available Python implementation, there are slight differences.

For Bad Rabbit, the EternalRomance implementation is used to overwrite a kernel's session security context. That allows it to launch remote services and try to find other nearby systems listening for SMB connections and then spread the ransomware. Meanwhile, EternalRomance was used by NotPetya to install the DoublePulsar backdoor.

In both instances, the actions are possible due to how EternalRomance allows the attacker to read and write arbitrary data into the kernel memory space to spread ransomware.

As a result of similarities in the code and use of the SMB exploit, Cisco Talos researchers have "high confidence" that there's a link between NotPetya and Bad Rabbit and even suggest that the authors of the two ransomware variants could be the same.

Bad Rabbit ransomware was named after the Tor payment page demanding bitcoin.

"The evasion techniques present in the modifications to the DoublePulsar backdoor in Nyetya and EternalRomance in Bad Rabbit demonstrate similar, advanced levels of understanding of the exploits involved, the network detections in place at the time of deployment, and general Windows kernel exploitation," said Nick Biasini, threat researcher at Talos Outreach.


Along with EternalBlue, the EternalRomance vulnerability was patched by Microsoft back in March -- suggesting that those infected by this ransomware outbreak were still yet to apply the critical update, despite the impact of previous high-profile incidents.


Named Bad Rabbit after the Tor payment page for collecting ransoms, the ransomware hit targets including Russian media outlets, the Kiev metro system, and the Odessa International Airport in Ukraine.

A number of organisations in Germany, South Korea, and Poland were also reported to have fallen victim, but the total number of infections was far lower than was seen with WannaCry and Petya, with under 200 organisations affected.

It's not clear how many of those affected paid, but victims are directed to a Tor payment page which demands a payment of 0.05 bitcoin (around $285) for decrypting the files. They're threatened with the price rising if they don't pay within just under 48 hours, although a number of security vendors have now said the infrastructure used to collect payments is now down.

Bad Rabbit spreads via drive-by downloads on hacked websites. Rather than being delivered by exploits, visitors to compromised sites -- many of which had been under the control of hackers for months -- were told to install a Flash update.

This malicious download subsequently installed the ransomware to what appeared to be specially selected targets, although it's unknown what the reasoning behind choosing the victims was.

What is obvious is how using exploits like EternalRomance is becoming an increasingly common method of spreading ransomware.

"This is quickly becoming the new normal for the threat landscape. Threats spreading quickly, for a short window, to inflict maximum damage," said Biasini.


Bad Rabbit: A new ransomware epidemic is on the rise

POST IS BEING UPDATED LIVE. The world is being hit with yet another ransomware epidemic. It’s called Bad Rabbit, and here’s what we know about it so far.


Alex Perekalin

October 26, 2017


The post is being updated as our experts find new details on the malware.

We’ve already seen two large-scale ransomware attacks this year — we’re talking about the infamous WannaCry and ExPetr (also known as Petya and NotPetya). It seems that a third attack is on the rise: The new malware is called Bad Rabbit — at least, that’s the name indicated by the darknet website linked in the ransom note.

What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it’s the same attack is not yet clear.

The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom — that’s roughly $280 at the current exchange rate.

According to our findings, it is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Our researchers have detected a number of compromised websites, all news or media sites.

According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack.

Our experts have collected enough evidence to link the Bad Rabbit attack with the ExPetr attack , which happened in June of this year. According to their analysis, some of the code used in Bad Rabbit was previously spotted in ExPetr.

Other similarities include the same list of domains used for the drive-by attack (some of those domains were hacked back in June but not used) as well as the same techniques used for spreading the malware throughout corporate networks — both attacks used Windows Management Instrumentation Command-line (WMIC) for that purpose. However, there is a difference: Unlike ExPetr, Bad Rabbit doesn’t use the EternalBlue exploit for the infection. But it uses the EternalRomance exploit to move laterally on the local network.

Our experts think the same threat actor is behind both attacks and that this threat actor was preparing the Bad Rabbit attack by July 2017, or even earlier. However, unlike ExPetr, Bad Rabbit seems not to be a wiper but plain ransomware: It encrypts files of some types and installs a modified bootloader, thus preventing the PC from booting normally. Because it is not a wiper, the malefactors behind it potentially have the ability to decrypt the password, which, in turn, is needed to decrypt files and allow the computer to boot the operating system.

Unfortunately, our experts say that there is no way to get the encrypted files back without knowing the encryption key. However, if for some reason Bad Rabbit didn’t encrypt the whole disk, it is possible to retrieve the files from the shadow copies (if the shadow copies were enabled prior to the infection). We continue our investigation. In the meantime, you can find more technical details in this post on Securelist .

Kaspersky Lab’s products detect the attack with the following verdicts:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic

To avoid becoming a victim of Bad Rabbit:

Users of Kaspersky Lab products:

  • Make sure you have System Watcher and Kaspersky Security Network running. If not, it’s essential to turn these features on.

Other users:

  • Block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat.
  • Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.

Tips for everyone:

  • Back up your data.
  • Don’t pay the ransom.

New Bad Rabbit Ransomware Attack

It’s been almost exactly four months since the last Petya ransomware outbreak . On October 24th, a new variant of Petya called Bad Rabbit was discovered attacking consumers and organizations, mostly in Russia. Below is a copy of the ransom note, which is similar to Petya’s ransom note :

Bad Rabbit Ransom Note

SentinelOne customers are protected from this threat. Below is a video showing the detection:

The malware is distributed by drive-by downloads. Its icon is that of an Adobe Flash installer.

Once it’s running, it looks for and encrypts files with the following file extensions:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

Additionally, Bad Rabbit tries to spread itself. It uses Mimikatz to dump credentials and uses them along with a hard-coded list of usernames and passwords. Then it tries to spread using the following protocols:

The hard coded usernames are:

Admin, Administrator, alex, asus, backup, boss, buh, ftp, ftpadmin, ftpuser, Guest, manager, nas, nasadmin, nasuser, netguest, operator, other user, rdp, rdpadmin, rdpuser, root, superuser, support, Test, User, User1, user-1, work

The hard coded passwords are:

111111, 123, 123321, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 321, 55555, 777, 77777, Admin, Admin123, admin123Test123, Administrator, administrator, Administrator123, administrator123, adminTest, god, Guest, guest, Guest123, guest123, love, password, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, root, secret, sex, test, test123, uiop, User, user, User132, user123, zxc, zxc123, zxc321, zxcv
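The practical use of the two lists above, for a defender, is as a denylist: any account whose name and password both appear in them is one the malware's SMB logon loop would simply walk into. The following is an added example (not SentinelOne's code) that parses the lists exactly as printed, including the entries that were run together without a space, and audits a constructed account inventory against them. The function names and the SAMPLE_ACCOUNTS data are my own.

```python
"""Check account credentials against the username/password lists hard-coded
in Bad Rabbit, so the pairs its SMB logon attempts would try can be found
and rotated before they are needed."""
from __future__ import annotations

# Lists as published in the write-up above (including its uneven spacing),
# so the parser has to cope with both "a, b" and "a,b".
BAD_RABBIT_USERNAMES_RAW = (
    "Admin, Administrator, alex, asus, backup, boss, buh, ftp, ftpadmin, "
    "ftpuser, Guest, manager, nas, nasadmin, nasuser, netguest, operator, "
    "other user, rdp, rdpadmin, rdpuser, root,superuser, support, Test, "
    "User, User1, user-1, work"
)
BAD_RABBIT_PASSWORDS_RAW = (
    "111111, 123, 123321, 1234, 12345, 123456, 1234567, 12345678,123456789, "
    "1234567890, 321, 55555, 777, 77777, Admin, Admin123, admin123Test123, "
    "Administrator, administrator, Administrator123, administrator123, "
    "adminTest, god, Guest, guest, Guest123, guest123, love, password, qwe, "
    "qwe123, qwe321, qwer, qwert, qwerty, qwerty123, root, secret, sex, test, "
    "test123, uiop, User, user, User132, user123, zxc, zxc123, zxc321,zxcv"
)


def parse_wordlist(raw: str) -> list[str]:
    """Split on commas only; an entry may itself contain a space ("other user")."""
    return [item.strip() for item in raw.split(",") if item.strip()]


BAD_RABBIT_USERNAMES = parse_wordlist(BAD_RABBIT_USERNAMES_RAW)
BAD_RABBIT_PASSWORDS = parse_wordlist(BAD_RABBIT_PASSWORDS_RAW)
_USERNAMES = {u.casefold() for u in BAD_RABBIT_USERNAMES}
_PASSWORDS = {p.casefold() for p in BAD_RABBIT_PASSWORDS}


def password_is_denylisted(password: str) -> bool:
    """Case-insensitive, so a policy filter also rejects 'QWERTY123'."""
    return password.casefold() in _PASSWORDS


def username_is_targeted(username: str) -> bool:
    return username.casefold() in _USERNAMES


def audit_accounts(accounts: dict[str, str]) -> dict[str, str]:
    """Map each account that matches the lists to a severity label.

    'pair'     : both name and password are in the lists; the malware's
                 credential loop would log on as this account.
    'password' : the password alone is on the list (any other brute forcer
                 would try it too).
    'username' : only the name matches; worth knowing the account is a target.
    """
    findings: dict[str, str] = {}
    for user, pw in accounts.items():
        u, p = username_is_targeted(user), password_is_denylisted(pw)
        if u and p:
            findings[user] = "pair"
        elif p:
            findings[user] = "password"
        elif u:
            findings[user] = "username"
    return findings


# Constructed sample inventory (hypothetical accounts); in practice feed the
# output of a password audit tool or a password-filter callback here.
SAMPLE_ACCOUNTS = {
    "svc_backup": "Z9!long-random-passphrase",
    "rdpadmin": "qwerty123",
    "alice": "123456",
    "nas": "Strong#Pass2017",
}

if __name__ == "__main__":
    for account, level in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {level}")
```

Matching is case-insensitive on purpose: the published list already contains both "Admin" and "admin", and a password filter that only blocked the exact spellings would miss trivial variants.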

Lateral Movement Detection

The video below shows us detecting the malware as it attempts to spread from an unprotected, infected host (right, red background) to a protected machine (left, black background).

SentinelOne also constructs an attack storyline for the lateral movement for incident response reports and forensics:

lateral movement storyline

Sample Hashes

  • Primary SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • Payload SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
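The hashes above, together with the file names Kaspersky advises blocking (infpub.dat, cscc.dat) and the dispci.exe client described in the LogRhythm analysis further down, are enough for a simple host sweep. The following is an added example, not SentinelOne's or Kaspersky's tooling: it hashes every file under a directory tree and reports hash hits as confirmed indicators and name hits as triage candidates. The demo_scan() function builds a throwaway directory of constructed files so the block runs offline; the hash it adds for report.bin is not a real indicator.

```python
"""Host-side IoC sweep for Bad Rabbit artifacts: known file names and hashes."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# SHA-256 values published in the SentinelOne and LogRhythm write-ups on this page.
KNOWN_SHA256 = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "Bad Rabbit dropper (SentinelOne primary)",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "Bad Rabbit payload (SentinelOne)",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": "Bad Rabbit sample (LogRhythm analysis)",
}
# File names the malware writes into %WinDir% (Kaspersky and LogRhythm sections).
SUSPECT_NAMES = {"infpub.dat", "cscc.dat", "dispci.exe"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, known=KNOWN_SHA256, names=SUSPECT_NAMES) -> str | None:
    """Return a reason string if the file is an indicator, else None.
    A hash match is authoritative; a name match alone is worth triage because
    the dropped file names are stable while the contents may differ per build."""
    digest = sha256_file(path)
    if digest in known:
        return f"hash-match: {known[digest]}"
    if path.name.lower() in names:
        return f"name-match: {path.name} (sha256={digest})"
    return None


def scan_tree(root: Path, known=KNOWN_SHA256, names=SUSPECT_NAMES) -> dict[str, str]:
    """Map relative path -> reason for every indicator found under root."""
    findings: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = classify(p, known, names)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings


def demo_scan() -> dict[str, str]:
    """Build a throwaway directory with constructed files and scan it.
    The 'report.bin' hash is added to the IoC set at run time purely to
    exercise the hash path; it is not a real indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        win = root / "Windows"
        win.mkdir()
        (win / "infpub.dat").write_bytes(b"constructed placeholder, not malware")
        (win / "notepad.txt").write_bytes(b"benign constructed file")
        demo_file = win / "report.bin"
        demo_file.write_bytes(b"constructed bytes whose hash we pretend is an IoC")
        known = dict(KNOWN_SHA256)
        known[sha256_file(demo_file)] = "demo hash (constructed for this example)"
        return scan_tree(root, known)


if __name__ == "__main__":
    for rel, why in demo_scan().items():
        print(f"{rel}: {why}")
```

Run scan_tree() against the Windows directory of a suspect host (or a mounted disk image) with the real KNOWN_SHA256 set; a name-only hit on infpub.dat or cscc.dat with an unknown hash is exactly the case where the file should be preserved for analysis rather than deleted.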

GlobalSign Blog

Another Week – Another Ransomware Attack – Time to Kill the “Bad Rabbit”

  • October 30, 2017

Helping to keep you updated and always vigilant to the latest malware/ransomware and cybersecurity attacks, we are relating reports over the past few days from the BBC and ComputerWeek of a new ransomware. Nicknamed "Bad Rabbit," it has been found spreading in Russia, Ukraine and now the US and elsewhere. Bearing similarities to the WannaCry and Petya outbreaks earlier this year, the “wascally wabbit” has affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev.

Ransomware - Quick Refresher

Ransomware is a type of malware that infects a computer and takes control of either the core operating system using lockout mechanisms or possession of data files by encrypting them. The program then asks the user to make a “ransom” payment to the malicious individual or organization in order to remove the locks and restore the user’s endpoint or files.

As the BBC report states, businesses and their networks are being frozen out. "In some of the companies, the work has been completely paralysed - servers and workstations are encrypted," head of Russian cyber-security firm Group-IB, Ilya Sachkov, told the TASS news agency.

Bad Rabbit encrypts the contents of a computer and asks for a payment - in this case 0.05 bitcoins, or about $280 (£213).

In a later report from the Wall Street Journal , “Bad Rabbit” began spreading to the US, 

… according to Czech antivirus vendor Avast Software s.r.o. … the Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections in the US

The ransomware masqueraded as an update to Adobe Systems Inc.’s Flash multimedia product, security researchers said, and once downloaded it attempted to spread within victims’ networks.

The attacks “do not utilize any legitimate Flash Player updates nor are they associated with any known Adobe product vulnerabilities”, an Adobe spokeswoman said in an email.

Bad Rabbit Tweet

Researcher Kevin Beaumont has posted a screenshot on Twitter that shows Bad Rabbit creating tasks in Windows named after the dragons Drogon and Rhaegal in TV series Game of Thrones.

The reports from news outlets (see links below) state the following conclusions and warnings from security expert Allan Liska, senior solutions architect at Recorded Future:

  • Bad Rabbit is focused on pure disruption using the Microsoft Windows server message block (SMB) as well as an algorithm similar to one found in the NotPetya code. It relies on local password dumps and a list of common passwords, to attempt to move from one machine to another, trying to spread through the network.
  • The Bad Rabbit code relies heavily on command line script and uses a traditional payment portal for the ransom instead of asking victims to send an email.
  • Stay vigilant, as we will continue to see massive attacks with economic, employee and public safety ramifications with evolving methods of attack, including evasive methods to hide activity and intent.
  • A better understanding of the human points of the attackers (where they go and interact, permissions accessed), and motivational intent (financial gain, revenge, political or hacktivism) is necessary in order to help shape our security strategies.

SentinelOne, an endpoint security provider, stresses the five key steps to dealing with a ransomware attack:

  • Alert law officials. They probably won’t be able to help, but like any ransom activity, they should be informed.
  • Isolate the infected machine. It’s important that the system is taken offline, as they essentially own your machine now and can use it to gain access to other systems on the network.
  • Don’t pay the ransom. As with any form of ransom, you are not guaranteed to get your data back, and you’re just encouraging attackers to keep up their lucrative game. In addition, if you pay and actually get your keys once, you may be the target of a repeat (and potentially more costly) ransom attack in the future.
  • Remediate. Run endpoint security software to discover and remove the ransomware software. If it cannot detect the threat, wipe your machine.
  • Restore. Restore your files with the most recent back-up.

Want to know more about preventing ransomware in the first place? We have some suggestions here .

And just to note, a survey conducted by a Cyber Security Research Center at the University of Kent found that over 40% of those infected with CryptoLocker actually agreed to pay the ransom demanded, which is a big incentive for hackers to target more systems. So, let’s all stay safe out there…it’s “wabbit season.”

Allan Liska is a Senior Solutions Architect at Recorded Future, and co-author of the book, Ransomware: Defending Against Digital Extortion. The following are links to information referenced previously mentioning Liska’s comments and opinions:


Bad Rabbit Ransomware Technical Analysis

Update: Further analysis of the code revealed new information regarding the spread of Bad Rabbit across the network. This post has been updated to reflect this new information.

Bad Rabbit Ransomware Background

On the afternoon of October 24, 2017 (BST), a new strain of ransomware, dubbed “Bad Rabbit,” emerged. Early reports have indicated the strain initially targeted the Ukraine and Russia. Group-IB, a Russian company, first broke the news and reported rapid infection rates as the new strain started to spread. Later reports from Kaspersky confirmed the spread to other parts of Eastern Europe.

The initial infection vector was reported to be a collection of compromised websites that redirected users to another site that was hosting the malicious software. Researchers at Cisco Talos reported that the site 1dnscontrol[.]com hosted the Bad Rabbit dropper in the path /flash_install.php on the server. The malicious download, masked as an Adobe Flash Player update, required user action for infection.

Currently, the original infrastructure used to distribute the malicious files appears to be down. But these, or other websites, hosting the malware could be activated again at any time, so it is important to implement prevention measures and educate users on the Bad Rabbit threat.

Bad Rabbit Ransomware Analysis

The execution of Bad Rabbit reveals several similarities between the ransomware and the behavior of the destructive NotPetya malware discovered in June of this year. The binary Bad Rabbit sample analyzed in this report was SHA-256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, while the NotPetya sample analyzed in our previous threat intelligence report was SHA-256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.

A comparison of the two samples reveals a great deal of identical code overlap. Although this suggests code reuse, it cannot be confirmed whether the same actors responsible for NotPetya were responsible for the creation of Bad Rabbit.

Despite the code similarities, the two samples demonstrated many functional differences. Similarities and differences between the two samples are detailed below.

Significant Code Similarities

Figure 1. NotPetya vs Bad Rabbit SMB credential harvesting via Windows API CredEnumerateW()

  • Dumping SMB credentials from the local host
  • Enumerating network hosts using Windows API calls such as NetServerEnum()
  • Determining DHCP servers and enumerating subnets and subnet clients defined on those servers
  • Testing each host’s 139 and 445 ports for write access
  • Checking for one or more files, subsequently writing them to the %WinDir% of the remote host if found
  • Both attempt remote registry access control to Windows service functions.
  • Both samples contain additional tools embedded as zlib-compressed (v. 1.2.8) resources in the binaries; however, Bad Rabbit additionally XOR encrypts the resources with 0xED prior to compression.
  • Both samples have the ability to clear Windows event logs and delete the USN journal using the utilities wevtutil and fsutil.
  • Most interestingly, the two samples used the same algorithm for encryption of process names to check for particular antivirus products, although the functions were structured slightly differently and used a different seed (0x87654321 vs. 0x12345678). Further analysis is required to determine what these names decrypt to and how they are used.


Figure 2. NotPetya vs. Bad Rabbit Encrypted Process Name Comparison
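The resource packaging noted in the similarities list (tools stored as zlib streams, with Bad Rabbit additionally XORing the bytes with 0xED before compression) is routine for an analyst to undo. The following is an added example, not LogRhythm's code: pack_resource() emulates the layering exactly as the paragraph describes it (XOR, then zlib) purely to construct test input, unpack_resource() reverses it, and recover_xor_key() shows how a single-byte key is read straight off the "MZ" header of the embedded PE file, which is how you would confirm 0xED from a sample rather than trust a write-up. Python's zlib reads streams produced by any zlib release, so the v1.2.8 detail does not matter here. No real sample bytes are used.

```python
"""Unpack an embedded resource the way the analysis above describes:
the payload is XORed with a single byte (0xED for Bad Rabbit) and then
zlib-compressed, so recovery is inflate first, then XOR."""
from __future__ import annotations

import zlib

BAD_RABBIT_XOR_KEY = 0xED


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def pack_resource(payload: bytes, xor_key: int | None = BAD_RABBIT_XOR_KEY) -> bytes:
    """Emulate the packer: optional single-byte XOR, then zlib. NotPetya used
    zlib alone, which xor_key=None models. Used here only to build test input."""
    stage = xor_bytes(payload, xor_key) if xor_key is not None else payload
    return zlib.compress(stage, 9)


def unpack_resource(blob: bytes, xor_key: int | None) -> bytes:
    """Reverse of pack_resource(): inflate, then undo the XOR if one was used."""
    inflated = zlib.decompress(blob)
    return xor_bytes(inflated, xor_key) if xor_key is not None else inflated


def recover_xor_key(inflated: bytes) -> int | None:
    """The embedded tools are PE files, so plaintext starts with 'MZ'.
    A single-byte XOR leaks its key through those two bytes: try all 256
    and accept only a key consistent with both."""
    if len(inflated) < 2:
        return None
    for key in range(256):
        if inflated[0] ^ key == 0x4D and inflated[1] ^ key == 0x5A:
            return key
    return None


def unpack_auto(blob: bytes) -> tuple[int, bytes] | None:
    """Inflate, derive the key from the header, and return (key, payload);
    key 0 means the resource was not XORed at all. None if no PE header fits."""
    inflated = zlib.decompress(blob)
    key = recover_xor_key(inflated)
    if key is None:
        return None
    return key, xor_bytes(inflated, key)


if __name__ == "__main__":
    # Constructed stand-in for an embedded PE: only the header is realistic.
    fake_pe = b"MZ" + bytes(range(256)) * 4
    key, recovered = unpack_auto(pack_resource(fake_pe))
    print(hex(key), recovered == fake_pe)
```

In a real triage the blob comes from the PE resource directory of the dropper or DLL; feeding each resource to unpack_auto() and keeping those that yield a key is a quick way to carve out the Mimikatz-like tool and the DiskCryptor components the analysis goes on to describe.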

Significant Code Differences

  • Unlike NotPetya, Bad Rabbit uses the legitimate program DiskCryptor for full disk encryption, similar to the Mamba ransomware .
  • Bad Rabbit does not enumerate partition information in order to overwrite the MFT.
  • Bad Rabbit does not contain the wiping functionality of NotPetya, nor the custom bootloader.
  • Bad Rabbit does not utilize the EternalBlue SMBv1 exploit or subsequently use psexec to infect remote systems.
  • Bad Rabbit additionally uses UPnP to further fingerprint the remote system and determine available services.
  • Bad Rabbit contains a hardcoded list of usernames and passwords used to try to brute force SMB logons on the local network.
  • If installation and execution of a service on the remote host via svcctl fails, Bad Rabbit attempts to use WMI to infect the remote system.

EternalBlue and EternalRomance both exploit the vulnerability addressed in Microsoft Bulletin MS17-010 that targets SMBv1. LogRhythm Labs analysts believe, but have not definitively verified, that Bad Rabbit reportedly makes use of the EternalRomance exploit as described in the Cisco Talos report referenced earlier. While EternalRomance makes use of the same vulnerability as EternalBlue, it exploits the vulnerability in a different way. One public implementation of the EternalRomance exploit referenced by Talos works by crafting a custom transaction over SMB. If this transaction is crafted properly, the response is expected to contain leaked kernel pool data that can be exploited to open a named pipe over the IPC$ share that allows remote access to the host.

Summary of Execution

Bad Rabbit Summary of Execution

Upon execution, the dropper creates the DLL file %WinDir%\infpub.dat extracted from its resource section. This DLL is then executed by the dropper from its first ordinal, just as we saw with NotPetya, using the following command:

The “#1” in the above command represents the ordinal executed, and “15” is an argument passed to the DLL, which is used throughout the program as a seed value.

The Bad Rabbit DLL infpub.dat then creates the following files:

Bad Rabbit DLL Files

At least two scheduled tasks are created to ensure the execution of the encryption, but the DLL first attempts to delete the DiskCryptor client task named “rhaegal” (in case it is already installed) using the following command:

The two scheduled tasks are then created as follows:

  • cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%WinDir%\system32\cmd.exe /C Start \"%WinDir%\dispci.exe\" -id 848053675 && exit"
  • cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR %WinDir%\system32\shutdown.exe /r /t 0 /f /ST ::<HH>:<MM>:<SS>

The time, denoted by “::”, is calculated as an offset from the current system time. Artifacts of the deletion and creation of these tasks can also be detected in the registry and using SysMon.

A third set of scheduled tasks, named “viserion_”, was also observed during the course of analysis, but the significance was not determined. The tasks were short-lived, each created with incrementing numbers beginning with one (i.e., viserion_1) and quickly deleted as a new task was created with the incremented value.

A service named “cscc” is then created and configured to start the DiskCryptor driver cscc.dat on boot. The service is registered as a Filter driver dependent on the FltMgr service. The malware also installs itself as a DumpFilter in the HKLM\SYSTEM\CurrentControlSet\Control\CrashControl registry key. This action ensures the driver will load upon a system crash. Additionally, the malware is configured to add the cscc service to the following registry keys hardcoded in the binary:
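The task names, the dropped file names and the CrashControl registry write described above are all visible to Sysmon (process creation and registry value set events), which is what the paragraph on task artifacts points at. The following is an added example, not LogRhythm's rules or tooling: a small rule set run over constructed Sysmon-style events. The two schtasks command lines are taken from the analysis above; the viserion_1 command, the registry paths (including the DumpFilters value under the CrashControl key) and the benign events are constructed by me to exercise the rules.

```python
"""Detection logic for the persistence and reboot artifacts described above,
run over constructed Sysmon-style events (ID 1 = process creation,
ID 13 = registry value set)."""
from __future__ import annotations

import re

BAD_RABBIT_TASKS = {"rhaegal", "drogon"}
BAD_RABBIT_TASK_PREFIX = "viserion_"
DROPPED_FILES = ("infpub.dat", "cscc.dat", "dispci.exe")
CRASH_CONTROL_KEY = r"hklm\system\currentcontrolset\control\crashcontrol"

_TASK_NAME = re.compile(r"/tn\s+(\S+)", re.IGNORECASE)
_SCHTASKS_VERB = re.compile(r"schtasks(?:\.exe)?\s.*?/(create|delete)\b", re.IGNORECASE)
# shutdown /r (reboot) combined with /f (force): the 'drogon' task body.
_FORCED_REBOOT = re.compile(r"shutdown\.exe.*\s/r\b.*\s/f\b", re.IGNORECASE)


def rules_for_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (possibly several)."""
    hits: list[str] = []
    if ev["event_id"] == 1:
        cmd = ev.get("command_line", "")
        low = cmd.lower()
        verb = _SCHTASKS_VERB.search(cmd)
        if verb:
            m = _TASK_NAME.search(cmd)
            name = m.group(1).lower() if m else ""
            if name in BAD_RABBIT_TASKS or name.startswith(BAD_RABBIT_TASK_PREFIX):
                hits.append(f"badrabbit_task_{verb.group(1).lower()}:{name}")
            if _FORCED_REBOOT.search(cmd):
                hits.append("scheduled_forced_reboot")
        if any(f in low for f in DROPPED_FILES):
            hits.append("badrabbit_dropped_file")
    elif ev["event_id"] == 13:
        target = ev.get("target_object", "").lower()
        details = ev.get("details", "").lower()
        if target.startswith(CRASH_CONTROL_KEY) and "cscc" in details:
            hits.append("cscc_registered_as_dumpfilter")
        if r"\services\cscc" in target:
            hits.append("cscc_service_key_written")
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, rule name) for every hit, in event order."""
    return [(i, h) for i, ev in enumerate(events) for h in rules_for_event(ev)]


# Constructed events. Entries 1 and 2 carry the command lines quoted in the
# analysis; everything else is invented to exercise the rules.
SAMPLE_EVENTS = [
    {"event_id": 1, "command_line": r"cmd.exe /c schtasks /Delete /F /TN rhaegal"},
    {"event_id": 1, "command_line": r'cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%WinDir%\system32\cmd.exe /C Start \"%WinDir%\dispci.exe\" -id 848053675 && exit"'},
    {"event_id": 1, "command_line": r"cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR %WinDir%\system32\shutdown.exe /r /t 0 /f /ST 14:35:00"},
    {"event_id": 1, "command_line": r"cmd.exe /c schtasks /Create /SC once /TN viserion_1 /RU SYSTEM /TR cmd.exe /ST 14:34:00"},
    {"event_id": 13, "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFilters", "details": "cscc.dat"},
    {"event_id": 13, "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\cscc\ImagePath", "details": r"C:\Windows\cscc.dat"},
    {"event_id": 1, "command_line": r"schtasks /Create /SC DAILY /TN NightlyBackup /TR C:\Tools\backup.exe"},
    {"event_id": 13, "target_object": r"HKCU\Software\Vendor\App\LastRun", "details": "2017-10-24"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule)
```

The deletion of rhaegal is flagged as well as its creation because the analysis notes the DLL deletes any existing task of that name first; on a host where the task never existed the delete still leaves a process-creation record, which is a useful early signal before the encryption driver is installed.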



The malware then drops the Mimikatz-like binary to the %WinDir% directory from its resources section, with a four-character alpha-numeric filename and “.tmp” extension. Using the CoCreateGuid() API call, Bad Rabbit creates a unique ID used for a named pipe to assist in communication. The malware then executes the Mimikatz-like binary, as shown in the following example ( note: the file name and pipe GUID will vary per execution ):

After harvesting credentials, the malware then attempts to enumerate all vulnerable hosts on the network using the methods previously discussed. Once network hosts are identified, the malware attempts to connect to the remote systems in one of several ways:

  • Using credentials dumped from the local host using CredEnumerateW()
  • Using credentials dumped from the local host using the Mimikatz-like binary
  • Using credentials chosen from the hardcoded list in the DLL
  • Using svcctl to attempt remote registry control
  • Using the EternalRomance exploit to gain access without valid credentials (unconfirmed)

Once the malware has gained access to the remote host, it checks for the existence of two files in %WinDir%: cscc.dat and infpub.dat. If these files are not found, the malware attempts to create them on the remote system. At the same time, the Bad Rabbit DLL will also attempt to create the service described previously on the remote system using the svcctl remote service control functionality of Windows. If the malware fails to install and start the service on the remote host, it will attempt to use WMI to remotely execute the malware. Each infected host will perform the same enumeration of the network and attempt to spread to all known hosts using these methods.

Once the time for the scheduled task drogon is reached, the system shuts down, rebooting to a custom MBR that displays a ransom note. The ransom note shown below, similar to that of NotPetya, advises the victim to connect to a Tor hidden service for remittance.

Bad Rabbit Ransom Note

The Tor hidden service displays a dynamically resolving site that repeats the ransom demand.

Figure 4: Video of the Tor Hidden Service Site Generating


When the malware was initially discovered on Tuesday October 24th, the ransom demanded 0.05 BTC (about $295) and was set to increase after 40 hours have passed. As of Thursday October 26th, the ransom has increased to 0.1 BTC (about $591) and is set to increase again after another set of time.

It is not definitively known if the files can be recovered after the ransom is paid, so the usual recommendations for defending against and remediating ransomware still apply.

Security Recommendations for Mitigating Bad Rabbit Ransomware

As with most malware mitigations, regular system backups and patch management are the most useful measures in preventing widespread damage from ransomware. Maintaining good security measures such as password complexity enforcement, security product maintenance, and limiting user privileges also help to defend against attacks. Security measures, specific to Bad Rabbit, include:

  • Due to the capacity to spread internally over SMB, it is important that any users with administrative access on the domain keep up to date on software patches as they become available and minimize their footprint on the network.
  • As Bad Rabbit can use WMI for remote execution, it is imperative to evaluate the administrative rights of users with access to the system. Users who do not require administrative rights should be removed from the membership of such groups.
  • Bad Rabbit still contains functionality to spread via the EternalRomance SMB exploit, so it is imperative to patch the vulnerability fixed in security update MS17-010 as soon as possible.
  • Employing a tool that can monitor and verify the integrity of the MBR on the system can prevent its manipulation. If you are a LogRhythm customer, please reference the Appendix or the Community to access AI Engine and NetMon DPA rules to help you detect these threats.

Final Thoughts

Although the actors and motivation behind these attacks have not been definitively determined, LogRhythm Labs analysts have come to some conclusions. Due to the seemingly targeted attacks on Russia and the Ukraine, these attacks may not have intended to spread beyond these regions. Also, given the large overlap of code between the Bad Rabbit samples in this attack and the NotPetya samples seen in June of this year, it seems plausible that the same authors could be behind both attacks. Even though Bad Rabbit did not cause mass, widespread damage like NotPetya, incidents such as these still serve as a reminder of the importance of sound security practices.

Appendix A: IOCs

Appendix B: AI Engine Rules and NetMon Queries

AI Engine Rules

The following are screenshots of AI Engine rules that can be deployed to detect specific Bad Rabbit IOCs. The exported rules are attached to the end of this blog post along with a NetMon DPA rule.

Bad Rabbit Compromised Domains

AI Engine Rules for LogRhythm Customers

In our ongoing effort to analyze and respond to Bad Rabbit, we’ve created a set of exported rules for our customers. Following are step-by-step instructions for importing the rules into your LogRhythm environment.

Download the AI Engine Rules

AI Engine Rule Import Procedure

Open the LogRhythm console. Navigate to the AI Engine tab via Deployment Manager > AI Engine Tab.

AI Engine Tab

Select the .airx (AI Engine rule file format) files you wish to import, and select “Open.”

Import .airx Files

It is possible that an error will appear stating that the KB version is out of date with the AI Engine rules selected for import. If this occurs, upgrade your KB to the latest version, and perform this procedure again.

NetMon Queries

The following NetMon query will tailor the dashboard to identify instances of Bad Rabbit moving laterally. The query is designed for a NetMon dashboard and will display the establishment of an SMB connection that transmits either the Bad Rabbit encryption executable or the Mimikatz executable.


Thanks to LogRhythm Labs team members Erika Noerenberg, Andrew Costis, Nathanial Quist, and Brian Coulson for their continued work analyzing and reporting on Bad Rabbit ransomware.


BadRabbit Ransomware

Since October 24th, our Threat Intelligence team has been collecting news reports about a new ransomware family that calls itself "BadRabbit." This emerging threat seemingly first targeted institutions and companies in Russia and Ukraine, among them the media group Interfax, Kiev's metro system, and Odessa Airport. The ransomware then spread to other countries such as Bulgaria, Poland, Germany, Turkey and Japan. Some victims are also located in the US.

Back in August 2017, the Security Service of Ukraine (SBU) first raised concerns about a possible future cyber-attack targeting Ukrainian institutions and companies, which suggests that this attack was prepared well in advance.

What is Bad Rabbit?

How Bad Rabbit Ransomware works

BadRabbit is a ransomware that encrypts both the user's files and the hard drive, restricting access to the infected machine until a ransom in Bitcoin is paid to unlock it. It also has features for spreading over the SMB protocol.

Reverse-engineering the BadRabbit code reveals many similarities with the NotPetya ransomware. However, various elements lead us to think that the two campaigns are not that similar in their objectives:

  • The delivery method differs: while NotPetya was able to execute the malicious file directly on many computers, BadRabbit compromised specific websites to deliver its payload and required user interaction.
  • So far, BadRabbit has claimed some 200 victims, far fewer than the number affected by the NotPetya attack.
  • Except for sabotage, motivations may not be the same.

BadRabbit has been tied by security researchers to various threat actors, among them BlackEnergy, but deeper investigations will be required in order to confirm this statement.

Technical Part


The initial infection is made through an executable download: some popular websites have been compromised to trick visitors into installing a fake Flash Player update. For now, the ransom is set at 0.05 BTC (around $290), and is said to rise once a fixed timer expires.

Once installed, the following actions occur on the infected machine:

  • File encryption (the list of impacted file extensions can be found below)
  • Master Boot Record (MBR) encryption, blocking the machine's boot procedure
  • Use of the common tool "Mimikatz" to harvest credentials, enabling lateral movement in the victim's network
  • BadRabbit then tries to spread through SMB using different methods:
    • using a hardcoded credential list
    • using harvested credentials
    • using the EternalRomance exploit

Is There a Bad Rabbit Ransomware Fix?

Quick and dirty ways to prevent the payload execution have been found by security researchers (2):

  • Create the following files: c:\windows\infpub.dat and c:\windows\cscc.dat
  • Remove ALL the inherited PERMISSIONS for the two files created above.
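Both steps above, followed by a check that they took effect, as an added PowerShell example that is not code from the Airbus or LogRhythm posts; the two file names are the ones the LogRhythm analysis earlier on this page says the malware looks for in %WinDir% before installing itself. Function names are ours, and the session must be elevated.

```powershell
# Added example: creates the two files Bad Rabbit checks for in %WinDir%
# and removes every inherited permission from them, as described above.
# Run from an elevated (administrator) PowerShell session.

function Install-BadRabbitVaccine {
    param([string]$WinDir = $env:windir)

    foreach ($name in 'infpub.dat', 'cscc.dat') {
        $path = Join-Path -Path $WinDir -ChildPath $name

        # Step 1: create the file only if it is missing, so an existing file is not truncated
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }

        # Step 2: disable inheritance and drop the inherited ACEs.
        # SetAccessRuleProtection($true, $false) = protect from inheritance and do NOT
        # copy the inherited rules, leaving an empty DACL that grants no one access.
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    param([string]$WinDir = $env:windir)
    $ok = $true
    foreach ($name in 'infpub.dat', 'cscc.dat') {
        $path = Join-Path -Path $WinDir -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$path is missing"
            $ok = $false
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        # AreAccessRulesProtected is true once inheritance is disabled; any rule still
        # marked IsInherited means the second step did not take effect
        $inherited = @($acl.Access | Where-Object { $_.IsInherited })
        if (-not $acl.AreAccessRulesProtected -or $inherited.Count -gt 0) {
            Write-Warning "$path still inherits permissions"
            $ok = $false
        }
    }
    return $ok
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine   # prints True when both files exist with inheritance removed
```

This only stops the dropper from writing its own copies of these files on that host; it does nothing against credential harvesting or spread to other machines, so it complements rather than replaces the patching and privilege recommendations given above.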

What is Bad Rabbit Targeting?

Impacted File Types

Bad Rabbit ransomware encrypts the following types of files:

Network IOCs

Tor site on which the victim is asked to retrieve their decryption key: http://caforssztxqzf2nm[.]onion

Prior to payload download, the victim's fingerprinting information is posted to this URL: http://185.149.120[.]3/scholargoogle/. This IOC can be used for detection.

Distribution URL from which the payload is downloaded by the victim. This URL must be blocked to avoid infection: hxxp://1dnscontrol[.]com/flash_install.php

Below is a list of compromised websites. These URLs should not be blocked as is, since they are still legitimate sites; however, requests to them should be closely monitored.

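An added PowerShell example, not from the Airbus post, that refangs the network IOCs listed above and applies the tiered response the post describes (block the distribution URL, alert on the fingerprinting URL and the Tor site, monitor the compromised sites) to web proxy log lines. The log lines and the `compromised-news-site[.]example` entry that stands in for the post's compromised-site list are constructed; function names are ours.

```powershell
# Added example: tiered matching of the Bad Rabbit network IOCs against proxy logs.
# Indicators are copied from the post in their defanged form; the MONITOR entry is a
# constructed placeholder standing in for the post's list of compromised sites.
$BadRabbitIocs = @(
    @{ Indicator = 'hxxp://1dnscontrol[.]com/flash_install.php'; Action = 'BLOCK';   Note = 'payload distribution URL' }
    @{ Indicator = 'http://185.149.120[.]3/scholargoogle/';      Action = 'ALERT';   Note = 'victim fingerprinting POST before payload download' }
    @{ Indicator = 'http://caforssztxqzf2nm[.]onion';            Action = 'ALERT';   Note = 'Tor site where the victim is told to fetch the decryption key' }
    @{ Indicator = 'hxxp://compromised-news-site[.]example';     Action = 'MONITOR'; Note = 'placeholder: compromised but legitimate site' }
)

function ConvertFrom-DefangedUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Undo the defanging used in the post: hxxp -> http, [.] -> .
    ($Url -replace '^hxxp', 'http') -replace '\[\.\]', '.'
}

function Get-BadRabbitIocMatch {
    param([Parameter(Mandatory)][string]$LogLine)
    foreach ($ioc in $BadRabbitIocs) {
        $needle = ConvertFrom-DefangedUrl -Url $ioc.Indicator
        # Literal, case-insensitive containment test (not a regex), so dots match only dots
        if ($LogLine.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return [pscustomobject]@{
                Action    = $ioc.Action
                Indicator = $needle
                Note      = $ioc.Note
                Line      = $LogLine
            }
        }
    }
    return $null   # no Bad Rabbit indicator in this line
}

# Constructed proxy log lines (time, client, method, URL) following the infection chain
$SampleLog = @(
    '2017-10-24T13:02:11Z 10.0.0.17 GET  http://compromised-news-site.example/news/today.html'
    '2017-10-24T13:02:13Z 10.0.0.17 POST http://185.149.120.3/scholargoogle/'
    '2017-10-24T13:02:15Z 10.0.0.17 GET  http://1dnscontrol.com/flash_install.php'
    '2017-10-24T13:05:00Z 10.0.0.22 GET  http://example.com/index.html'
)

# The first three lines match MONITOR, ALERT and BLOCK in turn; the fourth matches nothing
$SampleLog | ForEach-Object { Get-BadRabbitIocMatch -LogLine $_ } |
    Where-Object { $null -ne $_ } |
    Format-Table Action, Indicator, Note -AutoSize
```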


