Written by Silvia Bitchkei on 27 October 2017

Bad Rabbit Ransomware: What to Know and How to Prevent It


The new strain of ransomware known as Bad Rabbit was first spotted on October 24th, 2017. It is the third major ransomware outbreak this year, following the wider-reaching WannaCry and NotPetya campaigns. Security firms such as Kaspersky and ESET have both noted strong code overlap with the malware known as NotPetya (also tracked as ExPetr).


Infection Method and Impact

The initial infection occurs through a fake Adobe Flash Player installer offered as a drive-by download from compromised legitimate websites. Nothing runs automatically: the victim has to download and execute the EXE file themselves, and the dropper then asks for administrative rights through a UAC prompt before it does anything.


The malware is made up of the following components:

  • Dropper (install_flash_player.exe)
  • Main payload DLL (C:\Windows\infpub.dat)
  • Ransomware and disk-encryption component (C:\Windows\dispci.exe)
  • Mimikatz builds for x86 and x64, used to harvest credentials from memory on the infected host
  • Legitimate, signed DiskCryptor drivers for x86 and x64 (C:\Windows\cscc.dat)

Once executed, the dropper writes the main module infpub.dat to the C:\Windows directory and launches it via rundll32. That module encrypts files matching a hardcoded list of extensions, installs the DiskCryptor driver to encrypt the disk, and replaces the bootloader so that the machine reboots into a lock screen carrying a ransom note very similar to Petya/NotPetya. Note that all of this requires administrative privileges, which is why the dropper requests elevation up front.

Bad Rabbit also has a network infector for lateral movement: it scans the local network for SMB shares and tries to authenticate with a hardcoded list of usernames and passwords, supplemented by credentials harvested with Mimikatz from the infected host. Unlike NotPetya it does not use the EternalBlue exploit (later analysis by Cisco Talos found it uses the related EternalRomance SMB exploit instead), and its spread was far narrower than NotPetya's, not wider.

The ransom note on infected machines directs the victim to a “.onion” Tor site, where they are asked to pay 0.05 Bitcoin (roughly $276 USD at the time) in exchange for the decryption key. A countdown on the site shows how much time remains before the ransom price goes up.


Who is affected by this ransomware so far?

Security firm Kaspersky’s research suggests this is an attack on corporate networks: it has hit the Interfax news agency and other publishers in Russia. In Ukraine, Kiev’s public transport system and the Ministry of Infrastructure were reportedly affected, and Odessa airport appears to have been hit as well.

Organizations in the US, Turkey, Germany and several other countries have also been affected. As this is an ongoing event, more organizations are expected to be impacted by this ransomware.


Preventive measures that can be taken against Bad Rabbit

  • Block the execution of C:\Windows\infpub.dat and C:\Windows\cscc.dat, for example with an AppLocker or Software Restriction Policy deny rule on those exact paths.
  • If unused, disable the WMI service to remove the remote-execution channel the malware uses to spread through your network. Check first that no management or monitoring tooling depends on WMI, because disabling it will break them.
  • If a proxy solution is available, filter requests to/from the compromised websites serving the fake Flash installer and to the Tor payment site.
  • Microsoft’s guidance is to check event logs for ID 1102 (the Security log was cleared; Bad Rabbit wipes the event logs after encrypting) and ID 106 (a scheduled task was registered; the malware uses a task to force the reboot into its bootlocker), and to run a Windows Defender Offline scan, which can remove the malware before the system reboots into the locked state.
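The checks and blocks listed above, as an added example that is not code from the original post or from any of the vendors it cites. It is a triage and hardening script for one Windows host, run from an elevated PowerShell prompt on Windows 8/Server 2012 or later. The file paths and event IDs come from the post; the scheduled-task names (rhaegal, drogon, viserion_) are an assumption taken from public analyses of the sample rather than from the post, and should be confirmed against your own indicator feed before you rely on them. The pre-created, permissionless infpub.dat and cscc.dat files are the widely circulated "vaccine" approach; it only blocks this sample's hardcoded paths and is no substitute for an AppLocker or SRP deny rule.

```powershell
# Added example (not code from the original post or any vendor): triage and
# hardening for the Bad Rabbit indicators above. Run from an elevated prompt.
# File paths and event IDs are from the post. The task names are an
# assumption taken from public analyses of the sample, not from the post.

$IocFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat', 'C:\Windows\dispci.exe')
$IocTasks = @('rhaegal', 'drogon', 'viserion_')   # assumption: names from public reporting
$Since    = (Get-Date).AddDays(-7)

function Find-BadRabbitArtifacts {
    # Dropped components on disk.
    foreach ($f in $IocFiles) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f
            Write-Warning ("Found {0} ({1} bytes, created {2})" -f $f, $item.Length, $item.CreationTime)
        }
    }

    # Security event 1102: the Security log was cleared. Bad Rabbit wipes the
    # event logs after encrypting, so a 1102 with no matching change ticket is a red flag.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    # Task Scheduler event 106: a task was registered. The malware schedules the
    # reboot into its bootlocker this way. This operational log is disabled on
    # some client builds, so an empty result is not proof of absence.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    # Registered tasks carrying the reported names, and what they execute.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $IocTasks -contains $_.TaskName } |
        Select-Object TaskName, State,
            @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

function Block-BadRabbitDropFiles {
    # Pre-create infpub.dat and cscc.dat as empty files with inheritance removed
    # and every ACE stripped, so the dropper cannot write its payload to those
    # paths. Only the two hardcoded payload paths are used, never dispci.exe.
    foreach ($f in $IocFiles[0..1]) {
        if (Test-Path -LiteralPath $f) {
            Write-Warning "$f already exists; inspect it before touching it."
            continue
        }
        New-Item -ItemType File -Path $f -Force | Out-Null
        $acl = Get-Acl -LiteralPath $f
        $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $f -AclObject $acl
    }
}

Find-BadRabbitArtifacts
Block-BadRabbitDropFiles

# Only where WMI is genuinely unused: stopping Winmgmt removes the remote
# execution channel, but it also breaks SCCM, monitoring agents and Get-CimInstance.
# Stop-Service -Name Winmgmt -Force; Set-Service -Name Winmgmt -StartupType Disabled
```

The WMI step is left commented out deliberately: on most corporate hosts it does more damage than the protection is worth, and the post's own advice is to disable it only where it is unused.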


Ransomware Prevention Tips

To avoid Bad Rabbit ransomware and other file-encrypting infections in the future, make sure that the following simple recommendations are implemented in your security strategy:

  • Be sure that all software is updated
  • Use a web filtering solution to monitor and block infection vectors
  • Have an updated antivirus solution
  • Have an updated IPS with the latest rules definition
  • Back up your data regularly
  • Double check all emails with attachments before opening them
  • Do not click on suspicious URLs
  • Install browser plug-ins to block pop-ups and JavaScript
  • Regularly scan your computer and apply the latest updates


These techniques are certainly not a cure-all, but they will add an extra layer of protection to your security setup.
