Bad Rabbit Strikes
On October 24th, 2017, there were news reports about zero-day attacks with a ransomware strain called Bad Rabbit, targeting organizations and consumers, mostly in Russia. A number of compromised websites were reported, all of them news or media websites.
What Is the ‘Bad Rabbit’ Ransomware?
This new strain of ransomware struck a number of high-profile institutions in Russia and Ukraine, such as the Russian news agency Interfax, the Kiev metro system and the Odessa airport. Bad Rabbit appears to target critical infrastructure and high-profile entities in Ukraine and Russia. It comes bundled with several open-source tools that are leveraged for data encryption and lateral movement.
The following ransom message is displayed to unsuspecting victims:
How Does It Operate?
The malware dropper is distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a dropper is downloaded onto the system. The victim manually executes the malware dropper, which pretends to be an Adobe Flash installer.
- The infection process starts with a fake Adobe Flash installer, downloaded from compromised websites.
- This fake Flash installer holds the actual ransomware payload in an overlay.
- Once decrypted, it drops and executes the actual ransomware (identified as b14d8faf7f0cbcfad051cefe5f3964
- The ransomware payload holds over 6 different tools (as ZLIB-compressed resources) used for encryption purposes, as well as for spreading the malware laterally.
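As an added analyst-side example (not code from the original post), a short Python triage script that locates complete zlib streams embedded in a binary, which is how the compressed resources described above would be found during static analysis; the sample bytes it scans are constructed here and stand in for a real payload.

```python
import zlib
from typing import List, Tuple

# Standard zlib stream headers (CMF=0x78 with the four common FLG values).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def find_zlib_streams(data: bytes, min_size: int = 16) -> List[Tuple[int, int, bytes]]:
    """Return (offset, compressed_length, inflated_bytes) for every complete
    zlib stream embedded in `data`. Candidate headers that fail to inflate to
    a full stream of at least `min_size` bytes are skipped as false positives."""
    found: List[Tuple[int, int, bytes]] = []
    pos = 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in ZLIB_HEADERS) if h != -1]
        if not hits:
            break
        off = min(hits)
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(data[off:])
            if inflater.eof and len(out) >= min_size:
                consumed = len(data) - off - len(inflater.unused_data)
                found.append((off, consumed, out))
                pos = off + consumed  # resume after the stream, not inside it
                continue
        except zlib.error:
            pass  # header-like bytes that are not a real stream
        pos = off + 1
    return found


def build_sample() -> bytes:
    """Constructed stand-in for a payload: a dummy header, a stray header-like
    byte pair (decoy), and one zlib-compressed embedded resource."""
    resource = b"CONSTRUCTED-EMBEDDED-TOOL-RESOURCE\n" * 8
    return (b"MZ" + b"\x00" * 62 + b"\x78\x9c" + b"\x00" * 10
            + zlib.compress(resource) + b"\xff" * 16)


def scan_sample() -> List[Tuple[int, int, int]]:
    """Offsets, compressed sizes and inflated sizes of streams in the sample."""
    return [(off, clen, len(out)) for off, clen, out in find_zlib_streams(build_sample())]


if __name__ == "__main__":
    for off, clen, ilen in scan_sample():
        print(f"zlib stream at offset 0x{off:x}: {clen} bytes -> {ilen} bytes inflated")
```

The decoy header in the sample is rejected because its stored-block length check fails, so only the genuine resource is reported.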
Some Key Findings
Bad Rabbit is highly similar to NotPetya/GoldenEye, both structurally and from a broader perspective. Certain code analysis reports also noted a notable similarity with ExPetr binaries.
- The ransomware component references Game of Thrones characters.
- Some of the strings used throughout the code are the names of different characters from the series.
- Like GoldenEye, it has a process hashing routine that checks which security solutions are installed locally before it encrypts the MBR.
- Because it bundles Mimikatz, which lets it move from one infected workstation to another across an organization, it is highly viral.
- It also features disk encryption, so it can interfere with the normal boot process and prevent the computer from booting.
The server from which the Bad Rabbit dropper was distributed is currently being reported as down. Keep watching this space as we update this section with the latest findings.
Faronics Has You Covered
If you are using Faronics Anti-Virus, you don’t need to worry, as our solutions detect this threat as Gen:Heur.Ransom.BadRabbit.1 and Gen:Variant.Ransom.BadRabbit.1.
For more information on how to protect your organization from such zero-day threats, contact Faronics today.