Yesterday, researchers at Kaspersky observed notifications of a large–scale attack for the ransomware dubbed “Bad Rabbit.” Similar to Petya (a.k.a. NotPetya, ExPetr), the attack is bringing back bad and all–too–recent memories of global ransomware outbreaks. Bad Rabbit shares 67 percent of its code with Petya, which suggests the authors behind the attack are the same, or at least have bought (or stolen) the code from the original authors.

At the time of this post, attacks have been observed mostly in Russia and Eastern Europe, as well as Turkey, Germany and the U.S. The Russian targets are raising eyebrows as, traditionally, the Russian attack groups tend to avoid targeting the “motherland,” indicating this is unlikely to be a Russian threat actor. This would set it apart from the Petya outbreak in June of 2017, which some researchers speculated was a state–sponsored attack against Ukraine (i.e., by the Russians) masquerading as a global, distributed ransomware attack.

It’s not yet clear who’s behind Bad Rabbit (and Petya/NotPetya still has no known attribution), but consumers as well as businesses and critical infrastructure have been affected, including Kiev’s metro and Odessa Airport.

Bad Rabbit Uses Social Engineering to Infect

The infection vector starts by visiting a compromised website requesting an Adobe Flash update that downloads the malware. These are legitimate sites that have been hacked (see — but don’t visit — the list of compromised websites below).

Bad Rabbit doesn’t appear to be indiscriminately infecting targets; the server–side logic can determine if the visitor is of interest and then content is added to the page.

The infection is based solely on social engineering, needing the user to download and install the malware. Downloading the fake Adobe Flash update instead downloads and installs the malicious payload without exploiting any vulnerability.

Upon execution, it encrypts the files, installs its own bootloader in the master boot record (MBR) and schedules a reboot. After the system reboots, it displays the ransom note to the user, and the entire OS does not boot. This means that there is no access to the files via a different OS/system.

Lateral Movement Enables Spread of Ransomware

Bad Rabbit has lateral movement capabilities via the SMB protocol (the notorious ports 445 and 139), which may be how it’s reached as far as the U.S.

Unlike Petya/NotPetya and WannaCry, Bad Rabbit doesn’t use the EternalBlue exploits. Bad Rabbit spreads with the help of a Mimikatz–based module, extracting locally stored credentials. In addition, a brute force attack is used for spreading via commonly used usernames and passwords (hard–coded list).

It seems this ransomware is affecting only Windows users, and that the encrypted data is recoverable. So unlike Petya/NotPetya, it does seem we’re dealing with an actual ransomware and not a destroyer. The current payment demanded for decrypting files if 0.05 Bitcoins — around $285.

How to Stay Safe from Bad Rabbit

Organizations should prevent access to the known compromised websites through blacklisting and limit the use of the SMB protocol.

As Bad Rabbit doesn’t use vulnerabilities/exploits, patching does not apply.

Users should block the execution of file “c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.” in order to prevent infection.

Other cyber hygiene practices are also useful, including the use of strong passwords and limiting admin privileges only to necessary users.

List of Compromised Sites Delivering Bad Rabbit

  • Argumentiru[.]com
  • fontanka[.]ru
  • grupovo[.]bg
  • sinematurk[.]com
  • aica.co[.]jp
  • spbvoditel[.]ru
  • argumenti[.]ru
  • mediaport[.]ua
  • fontanka[.]ru
  • an-crimea[.]ru
  • t.ks[.]ua
  • most-dnepr[.]info
  • com[.]ua
  • otbrana[.]com
  • fontanka[.]ru
  • grupovo[.]bg
  • pensionhotel[.]cz
  • online812[.]ru
  • imer[.]ro
  • spb[.]ru
  • com[.]ua
  • pensionhotel[.]com
  • ankerch-crimea[.]ru

Bad Rabbit Authors Fans of GOT?

One lighthearted anecdote in this headache of infection: the threat group behind Bad Rabbit appear to be fans of Game of Thrones. The code contains references to the dragons in the show — Viserion, Drogon and Rhaegal. So, dragons eat bad rabbits…?

Related Posts

Petya Ransomware Attack — What We Know So Far: Petya (or NotPetya) spread quickly across Europe and the US, affecting business, government agencies and critical infrastructure

Petya NotPetya? Ransomware NotRansomware? A day after the Petya attack outbreak, we’re left with a plenty of questions and a bit more insight.