25 Oct 2017
Emerging Threat: Bad Rabbit Ransomware
On Tuesday, 24th October, a new widespread ransomware called ‘Bad Rabbit’ emerged. It has affected over 200 major organizations in Europe, Russia, Ukraine, Turkey and Germany. Numerous websites, an airport system and an underground railway system were compromised.
The ransomware bears similarities to the WannaCry and Petya outbreaks earlier this year. It demands 0.05 bitcoin as ransom from victims to unlock their systems.
Unlike other recent malware epidemics, which spread through more passive means, Bad Rabbit lures the victim into downloading and manually executing a fake Adobe Flash installer file, so victims infect themselves.
Infected computers are directed to a Tor domain where they are asked to pay 0.05 Bitcoin in exchange for their data. A countdown on the site shows the amount of time before the ransom price increases.
Technical Details
The ransomware was distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly.
Bad Rabbit does not use the leaked SMB vulnerability (EternalBlue exploit) which WannaCry and Petya used to spread through the network.
Instead, it first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.
This ransomware's infection vector is via a fake Flash Update notification on a select few Russian and Ukrainian websites:
- hxxp://argumentiru[.]com
- hxxp://www.fontanka[.]ru
- hxxp://grupovo[.]bg
- hxxp://www.sinematurk[.]com
- hxxp://www.aica.co[.]jp
- hxxp://spbvoditel[.]ru
- hxxp://argumenti[.]ru
- hxxp://www.mediaport[.]ua
- hxxp://blog.fontanka[.]ru
- hxxp://an-crimea[.]ru
- hxxp://www.t.ks[.]ua
- hxxp://most-dnepr[.]info
- hxxp://osvitaportal.com[.]ua
- hxxp://www.otbrana[.]com
- hxxp://calendar.fontanka[.]ru
- hxxp://www.grupovo[.]bg
- hxxp://www.pensionhotel[.]cz
- hxxp://www.online812[.]ru
- hxxp://www.imer[.]ro
- hxxp://novayagazeta.spb[.]ru
- hxxp://i24.com[.]ua
- hxxp://bg.pensionhotel[.]com
- hxxp://ankerch-crimea[.]ru
Visiting any of these compromised websites triggers the fake Flash update pop-up. The next phase of the infection redirects the victim to the ransomware distribution site: hxxp://1dnscontrol[.]com/flash_install.php
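The indicators above are published defanged (hxxp:// and [.]). The following Python, added here as an example and not code from the advisory or its authors, refangs them and checks web-proxy log lines for visits to the compromised sites (medium severity) or to the distribution site and its flash_install.php page (critical). The log format and the sample lines are constructed assumptions; hosts are compared exactly rather than by substring so that look-alike domains do not produce false positives.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the advisory.
DEFANGED_COMPROMISED_SITES = [
    "hxxp://argumentiru[.]com", "hxxp://www.fontanka[.]ru", "hxxp://grupovo[.]bg",
    "hxxp://www.sinematurk[.]com", "hxxp://www.aica.co[.]jp", "hxxp://spbvoditel[.]ru",
    "hxxp://argumenti[.]ru", "hxxp://www.mediaport[.]ua", "hxxp://blog.fontanka[.]ru",
    "hxxp://an-crimea[.]ru", "hxxp://www.t.ks[.]ua", "hxxp://most-dnepr[.]info",
    "hxxp://osvitaportal.com[.]ua", "hxxp://www.otbrana[.]com", "hxxp://calendar.fontanka[.]ru",
    "hxxp://www.grupovo[.]bg", "hxxp://www.pensionhotel[.]cz", "hxxp://www.online812[.]ru",
    "hxxp://www.imer[.]ro", "hxxp://novayagazeta.spb[.]ru", "hxxp://i24.com[.]ua",
    "hxxp://bg.pensionhotel[.]com", "hxxp://ankerch-crimea[.]ru",
]
DEFANGED_DISTRIBUTION_URL = "hxxp://1dnscontrol[.]com/flash_install.php"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real URL so it can be parsed."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


COMPROMISED_HOSTS = {host_of(refang(u)) for u in DEFANGED_COMPROMISED_SITES}
DISTRIBUTION_HOST = host_of(refang(DEFANGED_DISTRIBUTION_URL))
DISTRIBUTION_PATH = urlparse(refang(DEFANGED_DISTRIBUTION_URL)).path  # "/flash_install.php"

# Assumed log layout: "<epoch> <client-ip> <method> <url> <status>" (constructed).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(url: str):
    """Return a severity for a requested URL, or None if it matches no indicator."""
    host = host_of(url)
    path = urlparse(url).path
    if host == DISTRIBUTION_HOST and path == DISTRIBUTION_PATH:
        return "critical"   # the dropper page itself was requested
    if host == DISTRIBUTION_HOST:
        return "high"       # any contact with the distribution site
    if host in COMPROMISED_HOSTS:
        return "medium"     # a site known to show the fake Flash prompt
    return None


def scan_log(lines):
    """Yield (client, severity, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue            # skip blank or malformed lines
        severity = classify(m["url"])
        if severity:
            hits.append((m["client"], severity, m["url"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
1508850001 10.1.2.30 GET http://www.fontanka.ru/ 200
1508850002 10.1.2.30 GET http://1dnscontrol.com/flash_install.php 200
1508850003 10.1.2.31 GET http://example.org/index.html 200
1508850004 10.1.2.32 GET http://www.fontanka.ru.lookalike.example/ 200
""".strip().splitlines()

if __name__ == "__main__":
    for client, severity, url in scan_log(SAMPLE_LOG):
        print(f"{severity:8} {client:12} {url}")
```

In the sample, client 10.1.2.30 first visits a compromised site and then fetches flash_install.php from the distribution host, which is the sequence the advisory describes; the look-alike domain on the last line is not flagged because only the exact hostnames are matched.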
Bad Rabbit malware has been detected as 'Win32/Diskcoder.D' — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye.
Bad Rabbit ransomware uses DiskCryptor, an open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.
Task Scheduler is used to schedule a reboot, which then shows the ransom note, in red text on a black screen.
The ransom note asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.
Ransom.BadRabbit affects all Microsoft Windows platforms.
How to Protect Yourself from the Ransomware?
- Disable the WMI service to prevent the malware from spreading over your network.
- Since ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps or programs, be cautious when opening unsolicited documents sent by email and when clicking links inside them unless you have verified the source.
- Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.
- To always keep a tight grip on your valuable data, maintain a good backup routine that copies it to an external storage device that is not permanently connected to your PC.
- Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date.
- Make sure that all protection mechanisms are activated as recommended.
- Update antivirus databases immediately.
More information can be found on the following links:
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tibbar.A
- https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/
- https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
- https://techcrunch.com/2017/10/24/badrabbit-notpetya-russia-ukraine-ransomware-malware/?ncid=rss
- http://www.bbc.com/news/technology-41740768
For more information on the topic and our Cyber Security Solutions & Services, please contact us by mail security@birger.technology.