Reports started coming in on Tuesday, the 24th of October, that a new ransomware outbreak had targeted a series of corporate networks and institutions in Russia and Ukraine. The new ransomware is identified as Bad Rabbit ransomware, and it also reportedly attacked targets in other countries, including Bulgaria, Turkey, and Germany. The initial targets were media outlets in Russia, including Interfax, which reported an unprecedented virus attack that brought its systems down, while Kaspersky reported a similar attack at another Russian media company, Fontanka.ru. Other important targets in Ukraine include the Ministry of Infrastructure, the airport in Odessa and the metro in Kiev; in the case of the metro, the ransomware strain was not confirmed, but its behavior leads investigators to attribute it to Bad Rabbit ransomware.
Bad Rabbit ransomware distribution
Unlike the majority of ransomware attacks, Bad Rabbit ransomware is a drive-by attack. It does not rely on email spam campaigns; instead, it uses social engineering to trick victims into installing the dropper on their machines. The dropper is disguised as an Adobe Flash Player update and is distributed via hacked legitimate websites as well as malicious websites. Once the dropper executes, it downloads the payload, which in turn attacks the machine.
Bad Rabbit ransomware attack details
Believed to be a variant of NotPetya, it encrypts user files in popular formats (doc, docx, jpeg, etc.) and then replaces the MBR in a similar way. Petya and NotPetya are similar variants of Diskcoder, one of the first ransomware families to attack the Master Boot Record. Access to the files is lost and there is no possibility to reverse the encryption. Bad Rabbit ransomware also attacks computers on the network by attempting to obtain valid credentials using the open-source tool Mimikatz and by trying a series of hardcoded credentials. The hardcoded credentials contain references to the movie Hackers (1995) as well as a list of popular usernames and passwords. Next, the credentials are used to infect computers via SMB, similarly to the NotPetya outbreak. However, in this case the ransomware attempts to use valid credentials instead of exploiting an SMB vulnerability, as NotPetya did.
When the payload runs:
- It creates 3 scheduled tasks that launch parts of the ransomware functionality;
- It creates the file [System disk]:\Windows\infpub.dat and runs rundll32.exe, which encrypts the files on the computer. Encryption happens in place on the same file: first the file is read, then its contents are overwritten with the encrypted data. Both the name and the extension of the file are preserved;
- Once encryption is over, the ransomware reboots and attempts to modify the MBR using the [System disk]:\Windows\dispci.exe process;
- Next, it reboots again; after this step the ransomware loader boots instead of the operating system, displaying the ransom note while performing disk-level encryption of the disk volumes.
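Because the in-place encryption described above keeps file names and extensions intact, monitoring that only watches for renamed files or new extensions sees nothing. The following added example (not code from the post or from TEMASOFT) instead checks whether a file's content still carries the header its extension promises and flags near-random content; it runs on a constructed sample tree, and the magic-byte table and the entropy threshold are assumptions chosen for the example.

```python
import math
import os
import tempfile

# Assumed magic-byte table for the formats the post names (not from the post).
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
    ".docx": b"PK\x03\x04",                        # ZIP container
    ".jpeg": b"\xff\xd8\xff",
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near 8.0, real file headers far lower."""
    n = len(data)
    counts = [data.count(v) for v in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted_in_place(path: str, sample: int = 4096, threshold: float = 7.5) -> bool:
    """Flag a file whose extension promises a header the content no longer has
    while its leading bytes look random: the overwrite-in-place the post describes."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(MAGIC[ext]):
        return False
    return shannon_entropy(head) >= threshold

def scan(root: str) -> list:
    """Return root-relative paths that look encrypted in place, sorted."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return sorted(os.path.relpath(p, root) for p in paths if looks_encrypted_in_place(p))

def build_sample_tree() -> str:
    """Constructed data: two intact files, one overwritten .docx, one .txt.
    'noise' is a deterministic ciphertext stand-in (each byte value 16 times)."""
    root = tempfile.mkdtemp(prefix="badrabbit_demo_")
    noise = bytes((i * 131 + 7) % 256 for i in range(4096))
    samples = {
        "report.docx": b"PK\x03\x04" + b"[Content_Types].xml" * 50,
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8,
        "budget.docx": noise,  # header gone, content near-random: flagged
        "notes.txt": noise,    # no magic known for .txt, so not flagged
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Running scan(build_sample_tree()) reports only budget.docx; a real deployment would sample recently modified files rather than walk a whole tree.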
Once the computer is compromised, it displays a ransom message in red characters on a black screen, similar to the NotPetya and WannaCry outbreaks. The victims are directed to a domain on the Tor anonymity network and instructed to pay 0.05 BTC to restore the data on a machine. To add more pressure, the attackers include a timer in the ransom screen that gives victims 40 hours to pay the ransom. If the countdown reaches zero, the price for recovery increases.
Bad Rabbit ransomware recovery
As always, victims are encouraged NOT to pay the ransom, to prevent further attacks and discourage attackers, even though, if Bad Rabbit ransomware successfully compromises a computer, the process is irreversible in the absence of OS image and file backups. Tests performed by Anton Ivanov revealed that Bad Rabbit is not a wiper, and in case of payment the attackers may recover the data successfully, although with ransomware there is no guarantee that paying the ransom leads to successful data recovery. Read more about ransomware recovery and ransom payment on our blog.
Bad Rabbit ransomware prevention
According to VirusTotal, some antivirus tools detected the dropper as similar to the Diskcoder dropper, while others identified it as generic malware. The majority, though, could not identify the dropper or the payload as malicious. Because the dropper attacks computers over the network by pushing the payload, which is missed by the majority of antivirus solutions, it is critical to stop the infection as soon as it reaches the perimeter.
The best way to prevent disastrous results following a Bad Rabbit ransomware attack is to use anti-ransomware software capable of identifying and stopping this outbreak in a matter of seconds. Generic ransomware prevention advice applies in this case as well.
We have tested TEMASOFT Ranstop against a live attack by Bad Rabbit ransomware and recorded the results.
TEMASOFT Ranstop blocks Bad Rabbit ransomware – live attack video
As can be seen in the video, TEMASOFT Ranstop anti-ransomware blocks the Bad Rabbit ransomware attack immediately and recovers encrypted files. At the same time, it prevents the ransomware from compromising the MBR via the MBR protection feature. If attacked by this variant, downtime is zero for computers protected by TEMASOFT Ranstop.
For more information, follow us on social media and subscribe to our newsletter.