What Is Bad Rabbit Ransomware?
Bad Rabbit is a ransomware strain that emerged in 2017 and was initially considered a potential successor to Petya/NotPetya. However, although it shares several operational techniques with Petya/NotPetya, Bad Rabbit has a distinct code base and is likely from a separate developer. The malware gets its name from its ransom note and Tor-based .onion website. Bad Rabbit initially demands 0.05 BTC for ransom (approximately $400 in 2017), making it one of the lowest-priced ransomware extortions. Its ransom note also includes a 40-hour countdown to coerce targets to pay swiftly.
When it first emerged, Bad Rabbit was used in attacks against Russian news agencies, including Fontanka and Interfax, as well as Ukrainian targets, such as the Ukrainian Ministry of Infrastructure, the Odesa International Airport, and the mass transit system in Kyiv. Bad Rabbit has disproportionately impacted Bulgaria, Turkey, Germany, and Japan and has had a lesser impact on US organizations.
Bad Rabbit’s campaigns use distinct distribution tactics:
- A watering-hole drive-by download prompts visitors of compromised websites to install a fake Adobe Flash Player update
- The installer, typically named install_flash_player.exe, is signed with a fake certificate in the name of “Symantec Corporation”
- When executed, the malicious dropper runs the first stage of Bad Rabbit, which imports and installs several additional files and then executes the main payload
Once installed, Bad Rabbit does the following:
- Enumerates running processes, hashes each process name, and kills those matching a predefined list of IT security products
- Installs a copy of the legitimate DiskCryptor executable into a file named cscc.dat which later encrypts the target’s files
- Imports its main payload named infpub.dat
- Creates a file named dispci.exe, schedules a task to execute the main payload at the next reboot, and then reboots
- Upon reboot, the main payload proceeds to encrypt files
- Attempts to harvest SMB credentials stored on the target system with Mimikatz and to self-propagate laterally using both the stolen credentials and a hardcoded list of commonly used ones, as well as by exploiting the EternalRomance SMBv1 vulnerability
- Overwrites the infected system’s Master Boot Record (MBR) with its own bootloader (similar to Petya) and copies a malicious kernel to the end of the target’s hard drive to be booted from there
- Reboots the infected system, causing the modified MBR to boot the Bad Rabbit kernel, displaying a ransom note on-screen
Bad Rabbit selects files to encrypt by common file extensions: documents, compressed and backup files, virtual machine and virtual hard disk files, images, and scripting-language files. It encrypts each file with the AES-128 cipher and then encrypts the AES symmetric key with a hardcoded RSA-2048 public key.
Signs of a Bad Rabbit Attack
While most ransomware strains append a distinct identifier to each encrypted file’s name, Bad Rabbit instead appends the marker string “encrypted” to the end of the file’s contents. The malware also uses the 1dnscontrol.com domain as its primary command-and-control (C2) server, although this traffic may be proxied through infected websites. The Bad Rabbit ransom note resembles Petya/NotPetya’s, but adds a countdown timer to lend urgency to its extortion campaign.
Bad Rabbit also creates scheduled tasks with names that reference Game of Thrones, e.g., rhaegal, dronos, viserion, and drogon, and drops files named infpub.dat, dispci.exe, and cscc.dat in the C:\Windows\ folder. YARA rules are publicly available to identify endpoint and network activity associated with Bad Rabbit.
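The indicators in the two paragraphs above (scheduled-task names, dropped files under C:\Windows, the C2 domain, and the “encrypted” file marker) can be turned into a small triage script. The following is an added example, not code from the original page: the indicator values come from the text, while the log format, host names and sample files are constructed here.

```python
"""Triage checks for the Bad Rabbit indicators listed above.

Added example, not code from the original page: the indicator values (task
names, dropped file names, C2 domain, the "encrypted" marker) come from the
text; the log format, host names and sample data are constructed.
"""
import re
from pathlib import PureWindowsPath

# Indicators named on the page
GOT_TASK_NAMES = {"rhaegal", "dronos", "viserion", "drogon"}
DROPPED_FILES = {"infpub.dat", "dispci.exe", "cscc.dat"}
DROP_DIR = "c:\\windows"
C2_DOMAIN = "1dnscontrol.com"
FILE_TRAILER = b"encrypted"  # marker appended to the end of an encrypted file

# Matches the C2 domain or any subdomain of it, but not names that merely
# contain it as a substring (e.g. "x1dnscontrol.com").
C2_PATTERN = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![\w-])",
    re.IGNORECASE,
)


def suspicious_task_names(task_names):
    """Scheduled-task names matching the Game of Thrones names Bad Rabbit uses."""
    return sorted(t for t in task_names if t.strip().lower() in GOT_TASK_NAMES)


def dropped_files_present(paths):
    """Paths that are one of the three dropped files directly under C:\\Windows."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in DROPPED_FILES and str(wp.parent).lower() == DROP_DIR:
            hits.append(p)
    return hits


def c2_lookups(dns_log_lines):
    """Log lines that resolve the primary C2 domain (or a subdomain of it)."""
    return [line for line in dns_log_lines if C2_PATTERN.search(line)]


def has_encrypted_trailer(data: bytes) -> bool:
    """True if a file's contents end with the marker Bad Rabbit appends."""
    return data.endswith(FILE_TRAILER)


def triage(task_names, file_paths, dns_log_lines, file_samples):
    """Combine the checks; file_samples maps a path to the tail bytes of the file."""
    findings = {
        "tasks": suspicious_task_names(task_names),
        "dropped_files": dropped_files_present(file_paths),
        "c2_lookups": c2_lookups(dns_log_lines),
        "marked_files": sorted(p for p, d in file_samples.items() if has_encrypted_trailer(d)),
    }
    findings["indicator_count"] = sum(
        1 for k in ("tasks", "dropped_files", "c2_lookups", "marked_files") if findings[k]
    )
    return findings


# --- constructed sample data (not real telemetry) ---------------------------
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineUA", "rhaegal", "Drogon", "OneDrive Standalone Update"]
SAMPLE_PATHS = [
    r"C:\Windows\infpub.dat",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\cscc.dat",
    r"C:\Users\alice\Downloads\infpub.dat",  # wrong directory: not an indicator
]
SAMPLE_DNS_LOG = [
    "2017-10-24T10:02:11Z host=WS01 query=www.example.com type=A",
    "2017-10-24T10:02:13Z host=WS01 query=1dnscontrol.com type=A",
    "2017-10-24T10:02:14Z host=WS02 query=cdn.1dnscontrol.com type=A",
    "2017-10-24T10:02:15Z host=WS03 query=x1dnscontrol.com type=A",  # lookalike, not a hit
]
SAMPLE_FILES = {
    r"D:\share\report.docx": b"PK\x03\x04...ciphertext...encrypted",
    r"D:\share\notes.txt": b"plain text, untouched",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TASKS, SAMPLE_PATHS, SAMPLE_DNS_LOG, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On a live host the inputs would come from the scheduled-task list, a directory listing of C:\Windows, DNS or proxy logs, and the last few bytes of suspect files; the lookalike domain and the out-of-place infpub.dat in the sample data show the checks are anchored to the exact domain and directory rather than loose substrings.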
How to Prevent a Bad Rabbit Attack
Bad Rabbit has not received continuous updates, and its payload is relatively static, so even traditional antivirus products detect it. The SMBv1 vulnerability Bad Rabbit exploits has also been patched in Windows, meaning the ransomware can only infect unpatched Windows 7 systems. Although they are not a broad mitigation for other forms of malware, several workarounds that prevent a Bad Rabbit attack have been found for legacy systems that cannot receive updates or have antivirus installed:
- Disable Windows Management Instrumentation (WMI) to prevent its abuse by Bad Rabbit
- Forbid the execution of files named C:\Windows\infpub.dat and C:\Windows\cscc.dat, or create those files in the same location ahead of time, stopping Bad Rabbit from executing
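The two workarounds above can be scripted. The following is an added example, not code from the original page or from any vendor: it assumes Python running with administrative rights on the Windows host, uses the built-in icacls and sc tools, and takes the target directory as a parameter so the file-creation part can be exercised anywhere. Stripping inherited permissions from the placeholder files is an assumption added here (it leaves the files with no ACEs at all, so the dropper cannot overwrite or delete them); the page itself only calls for creating the files.

```python
"""Workarounds for hosts that cannot be patched, following the two points above.

Added example, not code from the original page. It assumes Python running
with administrative rights on the Windows host; icacls and sc are standard
Windows tools, and the directory is a parameter so the file creation can be
exercised on any system.
"""
import platform
import subprocess
import tempfile
from pathlib import Path

# Files the dropper writes into C:\Windows (names from the page)
VACCINE_FILES = ("infpub.dat", "cscc.dat")


def create_vaccine_files(windows_dir, lock_down=None):
    """Pre-create the files Bad Rabbit wants to write so the dropper cannot.

    lock_down=True additionally strips every inherited ACE with icacls
    (assumed extra hardening, not from the page), leaving the file with no
    permissions at all; it defaults to on only when running on Windows.
    """
    windows_dir = Path(windows_dir)
    if lock_down is None:
        lock_down = platform.system() == "Windows"
    created = []
    for name in VACCINE_FILES:
        target = windows_dir / name
        target.touch(exist_ok=True)  # zero-byte placeholder
        if lock_down:
            # /inheritance:r removes all inherited ACEs from the file
            subprocess.run(["icacls", str(target), "/inheritance:r"], check=True)
        created.append(target)
    return created


def is_vaccinated(windows_dir):
    """True when both placeholder files exist in the given directory."""
    return all((Path(windows_dir) / name).exists() for name in VACCINE_FILES)


def wmi_disable_commands():
    """Commands that stop the WMI service and keep it from starting again."""
    return [
        ["sc", "config", "winmgmt", "start=", "disabled"],  # sc requires the space after '='
        ["sc", "stop", "winmgmt"],
    ]


def disable_wmi(execute=False):
    """Apply the WMI workaround; with execute=False only the plan is returned."""
    commands = wmi_disable_commands()
    if execute:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


def self_check():
    """Exercise the file vaccine in a temporary directory (no ACL changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = is_vaccinated(tmp)
        paths = create_vaccine_files(tmp, lock_down=False)
        return {
            "before": before,
            "after": is_vaccinated(tmp),
            "names": [p.name for p in paths],
            "sizes": [p.stat().st_size for p in paths],
        }


if __name__ == "__main__":
    print(self_check())
    if platform.system() == "Windows":
        create_vaccine_files(r"C:\Windows")  # needs an elevated prompt
        print("WMI plan:", disable_wmi(execute=False))
```

Run it from an elevated prompt; `sc stop winmgmt` fails while services that depend on WMI are still running, so either stop those first or let the disabled start type take effect at the next reboot. Disabling WMI also breaks monitoring and management tooling that relies on it, which is why the page frames these as workarounds for legacy systems only.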