NotPetya successor Bad Rabbit hits orgs in Russia, Ukraine

Bad Rabbit ransomware, apparently modeled on NotPetya, hit a number of organizations across Russia, Ukraine, and Eastern Europe on Tuesday.

Russian security outfit Group-IB was among the first to flag the attack.

“Amongst victims, this affected computers and servers of the Kiev metro, the Ministry of Infrastructure and Odessa International Airport, as well as a number of state organisations in the Russian Federation. Victims in the Russian Federation included Federal news sites and commercial organisations. Infections have also been reported in Bulgaria, Japan, Turkey and Germany,” the company noted.

The Ukrainian CERT has issued an alert, saying that the Odessa airport and Kiev subway are among Bad Rabbit’s victims.

Bad Rabbit ransomware attack progression

It all started with compromised news websites, which were made to serve the malware masquerading as a Flash Player update (install_flash_player.exe).

“Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the encryptor and decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine,” Trend Micro researchers explained.

A third file, viserion_23.job, reboots the target system a second time, and this is when the ransom note is finally shown.

How Bad Rabbit spreads

“Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it uses dictionary attacks for the credentials,” Trend Micro researchers shared.

The malware apparently uses the legitimate, open-source tool Mimikatz to extract credentials that will allow it to propagate through the network. It also has a module for spreading via the SMB protocol.

Group-IB researchers say that Bad Rabbit is a modified version of NotPetya, the ransomware that hit many businesses and government entities in Ukraine and around the world in June 2017.

Unlike NotPetya, it does not exploit vulnerabilities to hop from one networked system to another.

Kaspersky Lab says that they’ve seen almost 200 targets, predominantly in Russia, and that the attack started on the morning of October 24, but tapered off by midday.

They also believe that this newest attack was likely mounted by the same individual/group that launched the NotPetya attack, and that it had been planned since July 2017.

“After the June NotPetya outbreak, the company’s analysts found that one Ukrainian news site, Bahmut.com.ua, had been hacked to deliver the malware, along with dozens of other sites that were similarly corrupted—but hadn’t yet been activated to start infecting victims. Now Kaspersky has found that 30 of those hacked sites began to distribute the Bad Rabbit malware on Tuesday,” Wired reported.

What now?

Bad Rabbit encrypts a wide variety of files, and uses DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.

The attackers are asking for 0.05 bitcoin in exchange for the key that will decrypt the files, but there is no guarantee victims will receive it if they pay the ransom, or that it will work.

Many security solutions are detecting the malware now, but security companies recommend additional actions that can be taken to block it and/or stop the infection from spreading:

  • Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat
  • Block the IP addresses and domain names associated with the threat
  • Restrict Scheduled Tasks: viserion_, rhaegal, drogon
  • Disable the WMI service (if possible).

Group-IB also shared a simple solution for preventing the malware from encrypting files: create a read-only file C:\windows\infpub.dat.
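
The checks and the Group-IB tip above, combined into one host triage script. This is an added PowerShell example, not code from Group-IB, Trend Micro or the article's author: it looks for the file paths and scheduled-task names listed above and creates the read-only C:\windows\infpub.dat file only when none are found. The function names, and the rule that a zero-byte infpub.dat counts as an already-placed marker, are assumptions; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Paths and task names are the ones listed in
# the article; the triage logic around them is an assumption.
$ArtifactPaths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'
$TaskPattern   = '^(rhaegal|drogon|viserion_)'

function Get-BadRabbitArtifact {
    # Files: a zero-byte infpub.dat is treated as our own marker, not a finding.
    foreach ($path in $ArtifactPaths) {
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            $isMarker = ($f.Name -eq 'infpub.dat' -and $f.Length -eq 0)
            if (-not $isMarker) {
                [pscustomobject]@{ Type = 'File'; Name = $f.FullName; Detail = "$($f.Length) bytes" }
            }
        }
    }
    # Scheduled tasks (Get-ScheduledTask needs Windows 8 / Server 2012 or later).
    Get-ScheduledTask | Where-Object { $_.TaskName -match $TaskPattern } | ForEach-Object {
        [pscustomobject]@{ Type = 'Task'; Name = $_.TaskName; Detail = $_.State }
    }
}

function Set-InfpubMarker {
    # Create the empty file if it is missing, then (re)apply the read-only attribute.
    $marker = 'C:\Windows\infpub.dat'
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -ItemType File -Path $marker | Out-Null
    }
    Set-ItemProperty -LiteralPath $marker -Name IsReadOnly -Value $true
}

$findings = @(Get-BadRabbitArtifact)
if ($findings.Count -gt 0) {
    # Leave everything in place for incident response; do not overwrite evidence.
    Write-Warning "Possible Bad Rabbit artifacts on $env:COMPUTERNAME - isolate and investigate:"
    $findings | Format-Table -AutoSize
} else {
    Set-InfpubMarker
    Write-Output 'No artifacts found; read-only marker in place at C:\Windows\infpub.dat'
}
```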