Bad Rabbit Ransomware

By   ISBuzz Team
Writer , Information Security Buzz | Oct 25, 2017 05:00 am PST

News has just broken a new wave of ransomware has hit several targets in Russia and Eastern Europe on Tuesday, according to media reports and several security companies. The malware, dubbed Bad Rabbit, has hit three Russian media outlets, including the news agency Interfax, according to Russian security firm Group-IB. Once it infects a computer, Bad Rabbit displays a message in red letters on a black background, an aesthetic used in the massive NotPetya ransomware outbreak. A Group-IB spokesperson said that a “new mass cyberattack” Bad Rabbit has targeted Russian media companies Interfax and Fontanka, as well as targets in Ukraine such as the airport of Odessa, the Kiev subway, and the Ministry of Infrastructure of Ukraine. IT security experts commented below.

Chris Doman, Security Researcher at AlienVault:

“This wouldn’t be the first time that an airport in Ukraine suffered a destructive cyber-attack and we are currently investigating to determine the strength of the links to the NotPetya attacks. There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as wide spread as WannaCry or NotPetya.”



...Manoj Asnani, VP Product and Design at Balbix:

“For organizations to effectively defend against attacks like Bad Rabbit, they need to have instant visibility into which of their assets are susceptible to the attack. On-tap visibility is very hard to achieve manually. Security teams must have automated systems in place that can continuously monitor these type of attack vectors and provide vital information instantly when needed. Organizations without automation in place are at a huge defensive disadvantage against fast spreading malware like this.”

Vyacheslav Zakorzhevsky, Head of Anti-Malware Research Team at Kaspersky Lab:

 “According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany. This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. However we cannot confirm it is related to ExPetr. We continue our investigation.

Kaspersky Lab’s products detect the attack with the following verdicts: UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network) and PDM:Trojan.Win32.Generic (detected by System Watcher).

We recommend that our corporate customers make sure that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled. To those companies that are not using our security solutions we recommend that they restrict execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat using the System Administrator’s instruments.

Rich Campagna, CEO at Bitglass:

“The danger in new ransomware variants is the potential for spread to vulnerable devices. Where endpoints are not yet updated to detect these zero-day attacks, cloud app threat protection can serve as an organization’s first line of defense. As ransomware evolves and becomes more potent, the ability to identify malware in the cloud based on the characteristics of a file as opposed to hash or signature-based scans can prove critical.”


Allan Liska, Senior Solutions Architect at Recorded Future:

“Bad Rabbit appears to be a disruption campaign designed to look like a ransomware campaign, similar to NotPetya and WannaCry. To the best of our knowledge, the point of origin is a fake fake Adobe Flash update that populated across several popular Russian language websites. Once inside a network, Bad Rabbit spreads using a customized version of Mimikatz, along with a customized SMB spreader. It does not use the EternalBlue exploit, as some have reported. Instead it relies on local password dumps, as well as a list of common passwords, to attempt to move from one machine to another, trying to spread through the network.  The code itself is much more refined than what we saw with WannaCry and NotPetya, and it seems to have been well-tested, though it does rely heavily on a lot of command line script. Bad Rabbit uses a traditional payment portal for the ransom instead of asking victims to send an email.”

Moreno Carullo, Co-Founder and CTO at Nozomi Networks:

“Our research shows that the group behind Bad Rabbit have spent considerable time creating their ‘infection-network,’ going back at least to July, with the majority of sites relating to media and news.

“When a victim visits what they believe is a legitimate site, they are instructed to download an Adobe Flash installer/update. Given that the attackers are targeting media and news sites, that have previously employed Flash to enhance the visitor experience, this request may not immediately arouse suspicion – but it should!

“If the user follows the redirection the attack begins and the ransomware dropper (distributed from: hxxp://1dnscontrol[.]com/flash_install.php) downloads.

“As soon as the victim executes the dropper, for which admin privilege is needed, a malicious DLL named infpub.dat is saved and is then run using the usual utility rundll32.

“Our experience executing the infpub.dat file is that it then seems to try to brute-force NTLM [NT LAN Manager] login credentials and download an executable dispci.exe, which appears to be derived from the well-known utility DiskCryptor code – a disk encryption module. The execution of the last file downloaded begins the encryption phase and the replacement of the bootloader as already seen in previous NotPetya attacks.

“Prevention is always better than cure as, if infected, it is never advisable to pay the ransom as it is not guaranteed that the criminals will honour the agreement and restore systems/data. Organisations need tools that will help them immediately identify when something ambiguous is happening within the infrastructure. Applying artificial intelligence and machine learning for real-time detection and response, organisations can monitor for malware to rapidly discover and act to remove malicious code and the risks posed before harm is done.”

Carl Leonard, Principal Analyst at Forcepoint:

“Cyber attacks using malware called “Bad Rabbit” were reported in Ukraine and Russia beginning Tuesday, October 24th, causing disruptions to Ukraine’s transportation infrastructure, Russian media outlets, and several other organizations. Our Security Labs team is investigating the attacks and will have updates forthcoming. Security Labs have added the following protection updates in light of this attack:

  • Real Time updates detect injections on websites compromised to serve the attack
  • URL categorization for domains and strings that are hosting malicious components
  • Malicious files are detected as W32/DiskCoder.A.gen!Eldorado and W32/DiskCoder.B.gen!Eldorado

“This appears to be one of the biggest attacks since the Petya/NotPetya cyber attack in June 2017 that first hit Ukraine and spread around the world. In October of 2016 Forcepoint Security Labs warned of the perils of rogue software updates being delivered by automated software update mechanisms in our Freeman Report.

“We will continue to see massive attacks with economic, employee and public safety ramifications. And the methods will continue to evolve, including the evasive methods to hide their activity as well as their true intent.  The trick will be to better understand the human points in these attacks.  The intent or motivations of the attackers can range broadly including financial gain, revenge, political or hacktivism. Understanding these intentions can help shape our security strategies.

But it is even more important to understand the human point we call the ‘user.’ How do they interact with the Internet, and with various applications? What privileges do they need, and how do they use the privileges they have?  This is a key part of how researchers predict future shifts in the threat landscape. Understanding your organization’s ‘human point’ can produce more effective security strategies.”

Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:

“BadRabbit concerns us greatly because unlike most ransomware we have observed in the past, this variant is also using the open source tool Mimikatz to harvest credentials. This could simply be to widen its reach internally for the purpose of further encrypting the files of users with elevated privileges, it may be being used to hide inside of compromised networks, or the ransom itself could be a decoy from the attack’s real purpose.  What we can definitively say today is the only reason you would package Mimikatz with ransomware is for the purpose of further exploiting internal networks – not simply to ransom files.”

Amichai Shulman, CTO at Imperva: 

“At the end of the day, all Ransomware is basically the same. Hackers via the ransomware malware are making files unavailable to users and as a consequence disrupt the operations. As long as the infection and effect of the Ransomware is constrained to end points, the damage to organizations should be minimal. That is key.

Some might say – why after WannaCry and NotPetya are systems still unpatched? The issue of patching is irrelevant when looking at a potentially self-replicating malware like Bad Rabbit because in any large network there will be some unpatched devices. By protecting file servers (e.g. deploying File Firewall solutions) rather than focusing on endpoints organizations can minimize the effect of such incident and avoid disruption to business.”

Tony Rowan, Chief Security Consultant at SentinelOne:

“This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success. Given that the propagation mechanism is based on EternalBlue, it surprises me that so many people haven’t patched their systems.  Even more, they continue to rely on the legacy AV products which these types of malware evade so easily.”


Paul Dignan, Senior Systems Engineer at F5 Networks:

“The Bad Rabbit infection is not captured by most common anti-virus solutions, which means users could be infected without knowing. Initial analysis indicates that the malware script identifies target users and presents them with a bogus Adobe Flash update prompt. When the user accepts this, malware is downloaded and the encryption attack takes place. In the absence of stringent controls and appropriate security solutions, businesses are left in the hands of their users.”

“As with many aspects of information security, prevention is better than cure. Unfortunately, ransomware is difficult to totally prevent and there is no silver bullet for protecting against this type of attack. The best methods currently available include reliable backups hosted outside of the network and maintaining an up-to-date response plan. In addition, organisations need systems such as SSL to inspect devices. It is also important to filter and monitor emails for phishing attacks, clean encrypted traffic that may be hiding malicious software, as well as reduce and restrict full administrative privileges to contain damage from a compromised account. As ever, all organisations need to ensure that substantive user training and education takes place on a regular basis.”

Adam Meyers, VP of Intelligence at CrowdStrike:

“CrowdStrike Intelligence has observed that a cyber-attack leveraging ransomware-style malware called BadRabbit was targeting entities in Eastern Europe. Initial investigation of this activity suggests several parallels with the destructive NotPetya malware that targeted Ukrainian interests in June 2017, although verification of these overlaps is ongoing at this time. To date, CrowdStrike Intelligence has found that BadRabbit and NotPetya DLL (Dynamic Link Library) share 67% of the same code, giving us reason to believe the same actor is likely behind both attacks. Bad Rabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017.”

“Additionally, BadRabbit and NotPetya DLL (Dynamic Link Library) share 67% of the same codebase, which gives CrowdStrike Intelligence reason to believe that the same actor is likely behind both attacks.”

Andrew Clarke, EMEA Director at One Identity:

“Take 2 and Action!  – Winter is Coming – In the Game of Thrones, the meaning behind these words is one of warning and constant vigilance – and in the world today,  a real-life Game of Threats continues and companies really do need to up their game in being more vigilant.   With a new improved variant, Win32/Diskcoder.D a modified version of Win32/Diskcoder.C emerges with a new name “Bad Rabbit”.   Source code analysis contains references to Game of Thrones dragon characters, Drogon; Rhaegal and Viserion.  Bugs in file encryption have now been fixed and use DiskCryptor, an open source legitimate software used to do full drive encryption. Keys are generated using CryptGenRandom and then protected by hardcoded RSA 2048 public key.  A powerful upgrade now being unleashed with organisations in Russia, Ukraine, Bulgaria and Turkey at the top of the hit list.   This time a fake “flash” update appears to be implicated but it seems that as the organisations were hit around the same time that the attackers likely had a foot in their network already.

Once hit; their data gets encrypted and for a bitcoin fee of 0.05 — approximately $280 –  the affected company has the chance to acquire the decryption keys but only before a count-down of 41 hours expires!  Despite industry warnings issued after the Petya, and not-Petya outbreaks earlier this year, this variant which spreads laterally using SMB shares – could be blocked by denying this communication channel [ports 137, 138, 139 and 445] on their firewalls.  But organisations appear not to have followed this advice.  Best practice advice is not to pay the ransom, and ensure that data is backed up so systems can be recovered if impacted.   Also to ensure systems are patched and up to date as well as controlling administrative access across a network.”

Peter Groucutt, Managing Director at Databarracks:

What is ransomware and how does it happen?

Ransomware is malware that, upon infection, prevents access to certain elements of your systems until a ransom is paid to the attackers. There are many different strains of ransomware, which variously encrypt data and system files, through a range of possible attack vectors.

What actually happens?

Regardless of what the ransomware attacks, the methods are broadly the same: attackers exploit a security vulnerability or backdoor in order to infiltrate the victim’s systems silently and encrypt critical systems and data.

Attackers then demand payment (often in an untraceable cryptocurrency, such as Bitcoins) within a specified time frame. If the victim fails to pay in time, or attempts to remove the malware manually, attackers destroy the unique decryption key, and any compromised data and systems will be permanently irretrievable.

Who is being targeted, and why?

The short answer is everyone – individuals and organisations alike.

Cybercrime is big business, and ransomware is popular for a reason: it’s a low-investment, high-yield form of attack, with little technical barrier to entry. Malicious groups and individuals can now purchase ransomware capabilities as discrete tools with full GUIs on places like the Dark Web, or even as a managed service from criminal providers.

This increased accessibility has significantly broadened the variety of potential attackers in recent years, and as such it’s hard to generalise around the motivations of individuals. Whether it’s lone actors operating from a bedroom, a politically-motivated hacktivist, or an international criminal organisation with salaried employees, everyone is a target to someone.

Larger organisations with valuable datasets and a public reputation to protect obviously represent high-value targets, and often attract the most sophisticated attacks as a result.

Why are these attacks so successful?

Whoever the target is, the rise of cryptocurrencies has increased the degree of anonymity afforded to criminals taking ransom payments.

Cyber criminals balance risk and reward.  Taking payments as cryptocurrency means the reward has stayed constant, whilst the risk of being caught has dropped significantly.

How to recover

If you are hit with a ransomware attack you essentially have two options. You can either recover the information from a previous backup or pay the ransom. However, even if you pay the ransom, there is no guarantee that you will actually get your data back, so the only way to stay fully protected is to have historic copies of your data.

When recovering from ransomware, your two aims are to minimise the amount of data loss and to minimise the amount of IT downtime.

Although outright prevention of ransomware is impossible, there are simple yet essential steps organisations can take to reduce the risk and impact of attacks.

Recommendations for recovery

It is vital that the Incident Response Team or Crisis Management Team has the authority to be able to make large scale, operational decisions to take systems offline to limit the spread of infection.

You must then find when the ransomware installation occurred in order to be able to restore clean data from before the infection.

Once the most recent clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.

Patrice Puichard, Senior Director – EMEA at SentinelOne:

“From our analysis, ‘Bad Rabbit’ was a new and unknown ransomware as of yesterday,  but contains code from Petya ransomware. The dropper is downloaded by users when they visit infected websites and appears as a Flash Player installer (install_flash_player.exe). Once executed, it behaves like a traditional ransomware, encrypting files and asking for a ransom to decrypt them. It is also modifying the boot loader like Petya/notPetya.

The ransomware started in Russia and Ukraine: according to ESET, 65% of the victims are from Russia, 12.2% in the Ukraine and has targeted countries in Eastern Europe, Turkey and Japan. As Russia was the origin of the attack, by the time it takes to reach the US it’s a known and blocked attack by signature-based antivirus, as well as already having been detected by solutions which are not signature-dependent.

As a side note, the hackers who wrote the ransomware seem to be fans of Game of Thrones as the source code contains references to characters from the series.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x