BadRabbit ransomware: suggested readings

Spreads via network, currently hits Russia, Ukraine, Germany, Japan, and Turkey

A variant of Petya/NotPetya/EternalPetya, called BadRabbit and probably prepared by the same authors, has infected several big Russian media outlets.

BadRabbit uses SMB to propagate laterally with a hardcoded list of usernames and passwords.

However, unlike NotPetya, it doesn’t use EternalBlue.

Below are some suggested readings regarding this threat:

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.
Among the most high-profile targets thus far are major news outlets such as Russia’s Interfax Agency, and Ukraine’s Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

'Bad Rabbit' Ransomware Attacks Rock Russia, Ukraine - and Beyond

US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

Multiple Ransomware Infections Reported

ESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D, a new variant of ransomware also known as Petya.

Kiev metro hit with a new variant of the infamous Diskcoder ransomware

BadRabbit was first spotted attacking Russian media outlets on Tuesday, including the news agency Interfax, according to security firm Group-IB, which posted a screenshot of the ransom screen. Other security firms have followed with their own early research and detections, with the consensus being that the malware is a variant of the Petya ransomware.

BadRabbit #cryptor attacked a number of Russia's major media. @interfax_news


The attackers are demanding 0.05 bitcoin as ransom — or about $280 at the going exchange rate.

New, Crippling Waves of Ransomware Spread In Russia, Ukraine

According to our findings, the attack doesn’t use exploits. It is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves.

Bad Rabbit: A new ransomware epidemic is on the rise

Countries we know to be impacted so far are Russia, Ukraine, Turkey, Bulgaria, and Germany, with attacks centered on targets as wide-ranging as infrastructure, transportation, and media outlets.
The dropper is an executable that pretends to be a Flash update. The malware must run with Administrator privileges, but no UAC bypass technique has been deployed — it relies purely on social engineering, trying to convince the user to elevate it.

If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware.
These credentials include passwords straight out of a worst passwords list.

Bad Rabbit ransomware outbreak

It seems to be delivered via a malicious URL as a fake Flash update:

InfoSec Community Forums - SANS Internet Storm Center

Russian business newswire Interfax suffered a hacker attack that made part of its services unavailable to subscribers, according to a statement Tuesday.

Russian News Agency Interfax Faces 'Unprecedented' Hacker Attack

A virus similar to Petya.A, which hit computers around the world in late June, today, October 24, infected computers of the Kyiv Metro, a source told Front News International.

Petya.A ransomware strikes Kyiv metropolitan - source

A new massive ransomware campaign is rapidly spreading around Europe, the malware dubbed Bad Rabbit has already affected over 200 major organizations mainly in Russia, Ukraine, Germany, Japan, and Turkey in a few hours.

Bad Rabbit ransomware rapidly spreads, Ukraine and Russia most targeted countries

Infected computers display a screen informing users that their files have been encrypted and instructing them to access a website over the Tor anonymity network.
The Tor site tells victims to pay 0.05 bitcoin, worth roughly $283, to obtain the key needed to recover the encrypted files.

'Bad Rabbit' Ransomware Attack Hits Russia, Ukraine | SecurityWeek.Com

Bad Rabbit ransomware uses DiskCryptor, open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.

BadRabbit ransomware uses the code from DiskCryptor (a legitimate utility for disk encryption).


Bad Rabbit: New Petya-like Ransomware Rapidly Spreading Across Europe

The infpub.dat file prominent in today’s attack will also install another malicious executable called dispci.exe.

It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal.

There’s also a reference to a Game of Thrones character GrayWorm in the code.

BadRabbit Ransomware Attacks Hitting Russia, Ukraine
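
The file names and scheduled-task names quoted above are enough for a quick host triage check. The script below is an added example, not code from the original post or from any of the linked articles. It assumes the dropped files sit directly under %SystemRoot% (the tweet further down names C:\Windows\infpub.dat), that the malicious tasks' names begin with the dragon names, and that the GrayWorm string can be found as plain ASCII or UTF-16LE text inside infpub.dat; all three are this example's assumptions, not facts stated by the sources.

```powershell
# Added example (not from the original post or the linked articles): triage a
# Windows host for the BadRabbit indicators named in the excerpts above.
# Run in an elevated PowerShell session so scheduled tasks and C:\Windows
# are fully readable.

function Get-BadRabbitIndicators {
    param(
        [string]$WindowsDir = $env:SystemRoot   # assumption: files dropped under C:\Windows
    )

    $findings = @()

    # 1. Dropped files named in the reports (infpub.dat, dispci.exe).
    #    Existence alone is not proof: an empty, read-only infpub.dat is the
    #    "vaccine" file from the tweet below, so the size is reported as well.
    foreach ($name in 'infpub.dat', 'dispci.exe') {
        $path = Join-Path $WindowsDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings += [pscustomobject]@{
                Type   = 'File'
                Name   = $path
                Detail = "size=$($item.Length) bytes, modified=$($item.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }

    # 2. Scheduled tasks named after the Game of Thrones dragons (Viserion,
    #    Drogon, Rhaegal). Assumption: the task name starts with the dragon name;
    #    -like is case-insensitive in PowerShell.
    $dragonNames = 'viserion', 'drogon', 'rhaegal'
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($dragon in $dragonNames) {
            if ($task.TaskName -like "$dragon*") {
                $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                $findings += [pscustomobject]@{
                    Type   = 'ScheduledTask'
                    Name   = $task.TaskName
                    Detail = "state=$($task.State), action=$actions"
                }
            }
        }
    }

    # 3. The "GrayWorm" reference in the code, checked only if infpub.dat exists.
    #    Heuristic: decode the bytes as ASCII and as UTF-16LE and substring-search;
    #    a UTF-16 string starting at an odd offset would be missed.
    $infpub = Join-Path $WindowsDir 'infpub.dat'
    if (Test-Path -LiteralPath $infpub) {
        $bytes = [System.IO.File]::ReadAllBytes($infpub)
        $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
        $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($ascii.Contains('GrayWorm') -or $utf16.Contains('GrayWorm')) {
            $findings += [pscustomobject]@{
                Type   = 'String'
                Name   = $infpub
                Detail = 'contains "GrayWorm"'
            }
        }
    }

    return $findings
}

# Usage: wrap in @() so an empty result still has a .Count of 0.
$results = @(Get-BadRabbitIndicators)
if ($results.Count -eq 0) {
    Write-Output "No BadRabbit indicators found on $env:COMPUTERNAME."
} else {
    $results | Format-Table -AutoSize
}
```

A hit on a dragon-named task or on dispci.exe warrants isolating the host before it reboots; a lone zero-byte infpub.dat is most likely the vaccine file described in the tweet below, not an infection.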

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia - TrendLabs Security Intelligence Blog


ESET confirms Discoder/#Petya/#BadRabbit campaign live today, incorporating #Mimikatz distributed via fake flash. More info soon.


Vaccination for the Ukraine round 2? Wanna stop #badrabbit? Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now...
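
The "vaccination" in the tweet above is two steps: pre-create C:\Windows\infpub.dat and strip write access to it. The script below is an added example that implements those two steps; it is not code from the tweet's author or from the original post. The path is the one named in the tweet; the choice of icacls, the exact ACL (read/execute only for Everyone, SYSTEM and Administrators, inherited entries removed) and the write-test at the end are this example's own choices.

```powershell
# Added example (not from the tweet or the original post): apply the
# infpub.dat "vaccine". Must run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Set-BadRabbitVaccine {
    param(
        # Only the file the tweet names; assumption: C:\Windows is the system root.
        [string]$Path = (Join-Path $env:SystemRoot 'infpub.dat')
    )

    if (Test-Path -LiteralPath $Path) {
        $item = Get-Item -LiteralPath $Path
        if ($item.Length -gt 0) {
            # A non-empty infpub.dat may be the real malicious DLL: do not touch it,
            # treat the host as possibly infected and investigate first.
            Write-Warning "$Path already exists and is $($item.Length) bytes; investigate before vaccinating."
            return $false
        }
    } else {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Set the read-only attribute and replace the ACL: /inheritance:r drops
    # inherited entries so no parent ACE re-introduces write access, /grant:r
    # replaces any explicit entries with read/execute only.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    & icacls.exe $Path /inheritance:r /grant:r 'Everyone:(RX)' 'SYSTEM:(RX)' 'Administrators:(RX)' | Out-Null

    # Verify from the current (administrative) session that a write now fails.
    try {
        [System.IO.File]::AppendAllText($Path, 'x')
        Write-Warning "Write to $Path still succeeded; inspect the ACL with: icacls $Path"
        return $false
    } catch {
        Write-Output "OK: $Path exists, is empty and is not writable ($($_.Exception.GetType().Name))."
        return $true
    }
}

Set-BadRabbitVaccine
```

Treat this as a stopgap rather than a control: the excerpts above say the malware runs with Administrator privileges, and an administrative process can take ownership and rewrite the ACL if it chooses to, so the vaccine only helps against a dropper that simply fails when the file cannot be written. Blocking the fake Flash download and removing local admin rights from ordinary users addresses the infection vector itself.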


Video of #BadRabbit in action, from @anyrun_app (doesn't show reboot)


List of #BadRabbit and #NotPetya / #ExPetr targeted file extensions. Similar but not identical.


BadRabbit ransomware: suggested readings was originally published in So Long, and Thanks for All the Fish on Medium, where people are continuing the conversation by highlighting and responding to this story.
