An ongoing ransomware campaign is hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Digital Age Solution utilizes Trend Micro XGen™ security products with machine learning to proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.
Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukranian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.
Figure 1: Bad Rabbit Infection Chain
Our initial analysis found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.
Figure 2: Code showing the injected script
Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system and display the ransom note shown above.
Figure 3: Bad Rabbit ransom note showing the installation key
A third file, viserion_23.job, reboots the target system a second time. The screen is then locked, and the following note displayed:
Figure 4: Bad Rabbit ransom note displayed after system reboot
Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it uses dictionary attacks for the credentials.
Bad Rabbit also spreads via the SMB file sharing protocol. It attempts to brute force any administrative shares it finds; if successful it drops a copy of itself into these shares. If these bruteforce attacks fails, it uses an exploit related to the Eternal Synergy SMB vulnerability to drop copies onto these shares. This is a divergence from the earlier Petya attacks, which used the EternalBlue vulnerability.
Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.
Mitigation and Best Practices
Users can mitigate the impact of ransomware such as Bad Rabbit with the best practices utilized by Digital Age Solution’s Safe & Secure Managed Services.
Michael Kuster opened Digital Age Solution in 2005 after managing Information Technology for various government agencies for many years. Before taking on this venture full-time, he operated a web site design and hosting company, KusterNet, for a decade. After being asked by web site customers to manage and maintain their computers, KusterNet became Digital Age Solution.
Mike maintains a hands-on, active role in the management and delivery of service to customers at Digital Age Solution. Rather than sitting behind a desk, he can often be found running cable on telephone poles, fixing computers on-site, and providing one-on-one support to customers.
Mike lives in Walkersville, Maryland with his wife and three children. He actively serves as a volunteer and board member for several non-profits including 4-H, Federated Charities, and the Town of Walkersville.