Bad Rabbit Ransomware

Summary

On October 24th 2017, a new strain of ransomware was discovered attacking computers in multiple networks, located primarily in Russia but also in Ukraine, Turkey, Bulgaria and Germany. The malware, dubbed ‘Bad Rabbit’, affected organisations including the Russian news services Interfax and Fontanka, along with an airport and an underground railway in Ukraine.

A fake Adobe Flash installer has been determined to be the initial delivery method of Bad Rabbit. Multiple compromised media websites, mostly Russian, were injected with JavaScript that prompted visitors to download a fake Flash update; the ransomware is installed only if the user runs that download. It targeted Windows machines on corporate networks, using methods similar to the recent ‘NotPetya’ ransomware attack. As it stands, there is no sign that Bad Rabbit’s initial infection involved any new exploit: it relied solely on the user downloading the fake Adobe Flash installer and running the executable themselves.

Once the executable is run, the malware encrypts the user’s documents and directs them to a payment website on the Tor network. On October 24th the site demanded 0.05 Bitcoin to decrypt the files, worth £208 at the time; the fee has since been raised to 0.1 BTC, currently valued at £448. The site also shows a countdown timer indicating when the price for decrypting the machine will next increase.

Several similarities have been found between Bad Rabbit and NotPetya, the ransomware first seen in June 2017. Both NotPetya and Bad Rabbit:

  • Use Mimikatz (Bad Rabbit carries its own 32-bit and 64-bit builds, listed in the IOCs below) to harvest credentials from memory
  • Demand approximately $300 worth of Bitcoin as the ransom
  • Use a Tor hidden service as the payment portal
  • Use AES-128 to encrypt files, with the file key protected by RSA-2048
  • Spread laterally inside a network using the Windows Management Instrumentation Command-line (WMIC) and Microsoft’s Server Message Block (SMB) protocol

A key difference in how the two use SMB is that Bad Rabbit’s exploit is largely based on EternalRomance, whereas NotPetya’s primary SMB exploit was EternalBlue, the exploit also employed by WannaCry. Both are NSA exploits leaked by the Shadow Brokers in April 2017, and both are fixed by Microsoft’s MS17-010 update.

These similarities raise questions about the motives of the malware’s distributors. When NotPetya was reverse engineered it was found to have no working mechanism for decrypting a victim’s files once the ransom was paid, indicating that its aim was to cause damage rather than to make a profit. NotPetya was also built to hit Ukrainian targets, being delivered through a trojanised update of the Ukrainian accounting software M.E.Doc, so in many ways it appeared to be a Russian state-sponsored attack. The fact that the majority of Bad Rabbit’s victims are Russian complicates the argument that NotPetya was in fact Russian state-sponsored.

Detection and Prevention

Bad Rabbit is now detected by most anti-virus products: at the time of writing, 55 of the 65 engines on the VirusTotal malware-scanning site flag the sample referenced below. Make sure both the virus definitions and the anti-virus software itself are up to date. Microsoft’s Windows Defender team has also published a way of checking whether a PC has been infected and the steps to take if it has. The first step is to check the Windows event logs for event ID 1102 in the Security log (the audit log was cleared) and event ID 106 in the Task Scheduler operational log (a new scheduled task was registered): Bad Rabbit clears the event logs and uses a scheduled task to force the reboot. If both are present, run ‘shutdown -a’ straight away to abort the pending reboot, because it is the reboot into the malware’s own bootloader that locks the disk and completes the encryption.

A ‘vaccine’ has also been found that prevents Bad Rabbit from encrypting a Windows machine. Amit Serper, a malware researcher at Cybereason, found that creating two empty files named infpub.dat and cscc.dat in the C:\Windows folder and removing all permissions on them (including inherited permissions) halts the attack, because the malware can no longer write the components it needs there. More detailed instructions are available on the Cybereason website (referenced below). Although this technique has been shown to work, the better approach is to keep anti-virus software up to date and let it deal with the threat.
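
The triage steps above (event IDs 1102 and 106, ‘shutdown -a’, and the Cybereason vaccine files) as one PowerShell script. This is an added example written for this page; it is not code from Microsoft, Cybereason or the original article. The 24-hour lookback window and the -Vaccinate switch are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example for this article (not code from Microsoft, Cybereason or the
# original post): triage one host for the two event IDs cited above, abort a
# pending reboot if both are present, and optionally lay down the vaccine files.
# Run from an elevated PowerShell session. The 24-hour lookback is an assumption.
param(
    [int]$Hours = 24,
    [switch]$Vaccinate
)

$since = (Get-Date).AddHours(-$Hours)

# Event ID 1102 in the Security log: "The audit log was cleared".
$logCleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue)

# Event ID 106 in the Task Scheduler operational log: a scheduled task was registered.
$taskRegistered = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since } -ErrorAction SilentlyContinue)

"Security 1102 (audit log cleared) since ${since}: $($logCleared.Count)"
"TaskScheduler 106 (task registered) since ${since}: $($taskRegistered.Count)"

if ($logCleared.Count -gt 0 -and $taskRegistered.Count -gt 0) {
    Write-Warning "Both indicators present - aborting any pending shutdown/reboot."
    # Same as the article's 'shutdown -a'; harmless if no shutdown is pending.
    shutdown.exe /a
    # Show which tasks were registered so an analyst can judge them.
    $taskRegistered | Select-Object TimeCreated, Message | Format-List
}

if ($Vaccinate) {
    foreach ($name in 'infpub.dat', 'cscc.dat') {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }
        # Remove every inherited ACE, leaving an empty DACL: nobody can write
        # (or read) the file, so the malware cannot replace it with its own copy.
        icacls.exe $path /inheritance:r | Out-Null
        "Vaccine file in place: $path"
    }
}
```

Both event IDs are generic (an administrator clearing the Security log, or any installer registering a scheduled task, produces them), so treat a hit as a prompt to read the task-registration messages and examine the host, not as proof of infection. The Task Scheduler operational log is disabled on some Windows builds; if it is off, ID 106 will never appear and the check is blind. The vaccine only protects a host that has not yet been infected; to remove it later, run icacls on each file with /reset from an elevated session and then delete the files.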

Indicators of Compromise (IOCs)

Hashes

install_flash_player.exe – Win32/Diskcoder.D Dropper:

  • fbbdc39af1139aebba4da004475e8839 (MD5)
  • de5c8d858e6e41da715dca1c019df0bfb92d32c0 (SHA1)
  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da (SHA256)

dispci.exe – Win32/Diskcoder.D Lockscreen:

  • b14d8faf7f0cbcfad051cefe5f39645f (MD5)
  • afeee8b4acff87bc469a6f0364a81ae5d60a2add (SHA1)
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 (SHA256)

infpub.dat – Win32/Diskcoder.D Diskcode:

  • 1d724f95c61f1055f0d02c2154bbccd3 (MD5)
  • 79116fe99f2b421c52ef64097f0f39b815b20907 (SHA1)
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 (SHA256)

page-main.js – JavaScript on compromised sites:

  • 4f61e154230a64902ae035434690bf2b96b4e018 (SHA1)

Win32/RiskWare.Mimikatz.X Mimikatz (32-bit):

  • 347ac3b6b791054de3e5720a7144a977 (MD5)
  • 413eba3973a15c1a6429d9f170f3e8287f98c21c (SHA1)
  • 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (SHA256)

Win64/Riskware.Mimikatz.X Mimikatz (64-bit):

  • 37945c44a897aa42a66adcab68f560e0 (MD5)
  • 16605a4a29a101208457c47ebfde788487be788d (SHA1)
  • 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (SHA256)
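
As an added example (not from the original article or from the vendors whose hashes are listed), a PowerShell sweep that hashes files on disk and matches them against the SHA-256 values above, starting with the three file names the malware writes into the Windows directory. The default scan path (the user’s Downloads folder, where a fake installer would normally land) and the 50 MB size cap are assumptions.

```powershell
# Added example for this article (not from the original post): hash files and
# compare them with the Bad Rabbit SHA-256 IOCs listed above. The default -Path
# (the user's Downloads folder) and the 50 MB size cap are assumptions.
param(
    [string[]]$Path = @((Join-Path $env:USERPROFILE 'Downloads')),
    [int]$MaxSizeMB = 50
)

# SHA-256 values copied from the IOC list above, keyed by component.
$badRabbitSha256 = @{
    '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da' = 'install_flash_player.exe (dropper)'
    '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93' = 'dispci.exe (lockscreen)'
    '579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648' = 'infpub.dat (disk coder)'
    '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c' = 'Mimikatz (32-bit)'
    '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035' = 'Mimikatz (64-bit)'
}

function Test-BadRabbitHash {
    param([string]$File)
    # Get-FileHash returns an upper-case hex string; the IOC table is lower-case.
    $h = (Get-FileHash -Path $File -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($h -and $badRabbitSha256.ContainsKey($h.ToLower())) {
        [pscustomobject]@{ File = $File; Component = $badRabbitSha256[$h.ToLower()] }
    }
}

# 1. The file names Bad Rabbit drops into the Windows directory. Presence alone
#    is not proof (the vaccine creates two of them empty), so hash them rather
#    than merely testing for existence.
$candidates = @()
foreach ($name in 'infpub.dat', 'cscc.dat', 'dispci.exe') {
    $p = Join-Path $env:SystemRoot $name
    if (Test-Path $p) { $candidates += $p }
}

# 2. Recursive sweep of the supplied paths, skipping large files for speed.
foreach ($root in $Path) {
    $candidates += @(Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxSizeMB * 1MB) } |
        ForEach-Object { $_.FullName })
}

$hits = New-Object System.Collections.Generic.List[object]
foreach ($f in $candidates) {
    $r = Test-BadRabbitHash -File $f
    if ($r) { $hits.Add($r) }
}

if ($hits.Count -gt 0) {
    Write-Warning "Bad Rabbit artefact(s) found - isolate this host from the network."
    $hits | Format-Table -AutoSize
} else {
    "No matching hashes found in $($candidates.Count) file(s)."
}
```

Files the caller cannot read (including vaccine files whose DACL has been emptied) are skipped silently by Get-FileHash, so a clean result means no readable file matched, not that nothing is present. Hash matching only catches the exact samples listed; a recompiled dropper will not match, so pair this sweep with the event-log triage above rather than relying on it alone.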

Domains

The first three entries are attacker infrastructure (the Tor payment site and the host that served the fake Flash installer). The remaining entries are legitimate sites that were compromised to serve the injected JavaScript, so traffic to them is far less specific and should be treated as a lower-confidence indicator.

  • hxxp://caforssztxqzf2nm[.]onion
  • hxxp://1dnscontrol[.]com/flash_install.php
  • hxxp://1dnscontrol[.]com/install_flash_player.exe
  • hxxp://argumentiru[.]com
  • hxxp://www.fontanka[.]ru
  • hxxp://grupovo[.]bg
  • hxxp://www.sinematurk[.]com
  • hxxp://www.aica.co[.]jp
  • hxxp://spbvoditel[.]ru
  • hxxp://argumenti[.]ru
  • hxxp://www.mediaport[.]ua
  • hxxp://blog.fontanka[.]ru
  • hxxp://an-crimea[.]ru
  • hxxp://www.t.ks[.]ua
  • hxxp://most-dnepr[.]info
  • hxxp://osvitaportal.com[.]ua
  • hxxp://www.otbrana[.]com
  • hxxp://calendar.fontanka[.]ru
  • hxxp://www.grupovo[.]bg
  • hxxp://www.pensionhotel[.]cz
  • hxxp://www.online812[.]ru
  • hxxp://www.imer[.]ro
  • hxxp://novayagazeta.spb[.]ru
  • hxxp://i24.com[.]ua
  • hxxp://bg.pensionhotel[.]com
  • hxxp://ankerch-crimea[.]ru

If you are concerned that you may potentially be at risk of such malware or other cyber threats currently in circulation then please do not hesitate to contact us at: enquiry@zepko.com.

Related reading

Petya: https://news.zepko.com/petya-ransomware-cyberattack-on-european-businesses-and-infrastructure

References

https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

https://www.virustotal.com/#/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/detection

https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine

https://inthreat.com