What is Bad Rabbit Ransomware?

The ransomware strain known as Bad Rabbit first surfaced on 24 October 2017 and was initially reported as a new variant of Petya/NotPetya. It reuses much of NotPetya's tradecraft (a Mimikatz-based credential harvester, an MS17-010 SMB exploit, an MBR-level lock screen), and later analysis by several vendors found enough code overlap to link the two to the same operators, although Bad Rabbit was a reworked build rather than a straight reuse of the NotPetya code. The malware takes its name from the title of its Tor-hosted (.onion) payment page.

Bad Rabbit's ransom demand was comparatively modest: 0.05 BTC, roughly US$280 at the October 2017 exchange rate. To press victims into paying quickly, the payment page shows a countdown of about 40 hours, after which the price goes up.

The first wave hit Russian media outlets such as Interfax and Fontanka.ru, along with Ukrainian targets including the Ministry of Infrastructure, Odesa International Airport and the Kyiv metro. Most infections were in Russia and Ukraine; smaller numbers were reported in Bulgaria, Turkey, Germany, Japan and the United States.

How Does Bad Rabbit Ransomware Work?

Bad Rabbit's initial distribution was a single drive-by scheme rather than a mix of techniques:

  1. Compromised legitimate websites (mostly Russian news sites) carried injected JavaScript that displayed a fake Adobe Flash Player update prompt. Nothing was exploited in the browser; the victim had to click through and run the download.
  2. The downloaded dropper, install_flash_player.exe, carried an invalid code-signing certificate naming "Symantec Corporation"; the signature does not validate, so a signature check alone flags it.
  3. When run (the dropper asks for administrative rights through the UAC prompt), it writes the main payload, infpub.dat, into C:\Windows and launches it with rundll32, which then drops and installs the remaining components.

Once running, the payload does the following:

  • Hashes the names of running processes and compares them against a hard-coded list of security products. It does not kill them; when certain products are found (analysts identified Dr.Web and McAfee), it changes behaviour and skips parts of the disk-encryption stage.
  • Drops dispci.exe (a disk-encryption client built on the open-source DiskCryptor) and cscc.dat, which is the legitimate, signed DiskCryptor driver, and registers cscc.dat as a kernel driver service.
  • Encrypts user files in place. This step is done by infpub.dat itself with AES-128-CBC; DiskCryptor is only used for the later full-disk stage.
  • Creates scheduled tasks that launch dispci.exe at the next boot and force a reboot.
  • Harvests credentials with the embedded Mimikatz-based tool, then attempts lateral movement over SMB and WMI using those credentials plus a hard-coded list of common usernames and passwords, and exploits the EternalRomance SMBv1 vulnerability (MS17-010) against unpatched hosts.
  • After the reboot, dispci.exe uses DiskCryptor to encrypt the disk and overwrites the Master Boot Record (MBR) with a modified DiskCryptor bootloader that displays the ransom screen, much as Petya does.
  • Restarts the system once more so the new bootloader runs; the machine shows the ransom note instead of booting Windows.

Warning Signs of a Bad Rabbit Attack

Most ransomware renames encrypted files with a new extension; Bad Rabbit leaves file names untouched and instead appends the marker string "encrypted" to the end of each file's contents, so a file's name alone tells you nothing. The fake Flash installer was fetched from the attacker-controlled domain 1dnscontrol.com by script injected into the compromised news sites, so that domain in proxy or DNS logs is a strong indicator, while the payment site itself is a Tor hidden service. The ransom note closely resembles NotPetya's, but the countdown timer on the payment page adds an urgency NotPetya's extortion did not have.

Bad Rabbit also writes infpub.dat, dispci.exe and cscc.dat into C:\Windows, registers cscc.dat as a driver service, and creates scheduled tasks named after the Game of Thrones dragons: rhaegal, drogon and viserion_ (the last with a numeric suffix). Public YARA rules and indicator lists are available for finding the dropped files and the associated network activity on endpoints.
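The three host-side indicators above (dropped files under C:\Windows, the dragon-named scheduled tasks, and the "encrypted" trailer on otherwise unrenamed files) can be swept for with a few lines of stdlib Python. The script below is an added illustration, not code from the original article or from any vendor's tooling. It assumes a constructed directory layout standing in for a hit host, a constructed list of task names (on a real host you would parse them from `schtasks /query /fo csv`), and an illustrative subset of the targeted extensions; the real extension list is much longer.

```python
import os
import tempfile
from pathlib import Path

# Files Bad Rabbit drops directly into %SystemRoot% (C:\Windows)
DROPPED_ARTIFACTS = {"infpub.dat", "dispci.exe", "cscc.dat"}
# Scheduled-task names it creates; viserion_ carries a numeric suffix on real hosts
TASK_NAME_PREFIXES = ("rhaegal", "drogon", "viserion_")
# Marker appended to the end of every encrypted file; name and extension stay as they were
TRAILER = b"encrypted"
# Illustrative subset of the targeted extensions (assumption: the real list is much longer)
TARGETED_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".zip",
                ".rar", ".7z", ".bak", ".vhd", ".vhdx", ".vmdk", ".py", ".ps1"}


def dropped_artifacts(system_root):
    """Which of the known dropped files exist directly under system_root."""
    root = Path(system_root)
    return sorted(name for name in DROPPED_ARTIFACTS if (root / name).is_file())


def suspicious_tasks(task_names):
    """Filter scheduled-task names (e.g. parsed from `schtasks /query /fo csv`)
    for the three Bad Rabbit task names."""
    return sorted(t for t in task_names if t.lower().startswith(TASK_NAME_PREFIXES))


def has_trailer(path):
    """True if the file ends with the b'encrypted' marker (reads only the tail)."""
    path = Path(path)
    size = path.stat().st_size
    if size < len(TRAILER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(TRAILER))
        return fh.read() == TRAILER


def encrypted_files(data_root):
    """Paths (relative to data_root) of targeted-extension files carrying the marker.
    A marker on a non-targeted extension is ignored: Bad Rabbit never touches such files."""
    data_root = Path(data_root)
    return sorted(
        str(p.relative_to(data_root))
        for p in data_root.rglob("*")
        if p.is_file() and p.suffix.lower() in TARGETED_EXT and has_trailer(p)
    )


def sweep(system_root, data_root, task_names):
    """Combine the three checks into one triage result."""
    return {
        "dropped": dropped_artifacts(system_root),
        "tasks": suspicious_tasks(task_names),
        "encrypted": encrypted_files(data_root),
    }


def build_sample_host(base):
    """Constructed stand-in for a hit host (placeholder bytes, not malware); returns both roots."""
    system_root = Path(base) / "Windows"
    data_root = Path(base) / "Users" / "alice" / "Documents"
    system_root.mkdir(parents=True)
    data_root.mkdir(parents=True)
    (system_root / "infpub.dat").write_bytes(b"MZ placeholder for the payload DLL")
    (system_root / "cscc.dat").write_bytes(b"MZ placeholder for the DiskCryptor driver")
    (data_root / "budget.xlsx").write_bytes(os.urandom(64) + TRAILER)          # encrypted
    (data_root / "photo.jpg").write_bytes(os.urandom(32) + TRAILER)            # encrypted
    (data_root / "notes.txt").write_bytes(b"not a targeted type " + TRAILER)   # ignored
    (data_root / "todo.docx").write_bytes(b"still plaintext, no marker")       # untouched
    return str(system_root), str(data_root)


def demo():
    """Run the sweep against the constructed host; the task names are constructed too."""
    with tempfile.TemporaryDirectory() as tmp:
        system_root, data_root = build_sample_host(tmp)
        return sweep(system_root, data_root,
                     ["rhaegal", "drogon", "viserion_1234", "GoogleUpdateTaskMachineUA"])


if __name__ == "__main__":
    print(demo())
```

Reading only the last nine bytes of each file keeps the sweep cheap on large shares, and gating on the extension set avoids flagging files that merely happen to end in the word "encrypted". On a live Windows host point `sweep` at `C:\Windows` and the user profile roots and feed it the real task list.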

How to Prevent a Bad Rabbit Attack

Because the campaign was short-lived and its payload static, conventional antivirus signatures detect the known samples reliably. The EternalRomance path only works against hosts that still expose SMBv1 without the MS17-010 patch (released in March 2017), but that is not the only way in: the fake Flash installer runs on any Windows version if a user with administrative rights launches it, and the credential-based spreading over SMB and WMI needs no vulnerability at all. For legacy systems that cannot be patched or run antivirus, a few workarounds stop Bad Rabbit specifically; they give no protection against other malware.

  • Restrict remote Windows Management Instrumentation (WMI) execution, which Bad Rabbit uses for lateral movement, weighing this against the management tooling that depends on it.
  • Apply the "vaccine": create the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in advance and strip all permissions from them, including inherited ones, so the dropper cannot write its payload there and the chain stops before anything runs. An application-control rule that blocks execution from those paths has the same effect.

Bad Rabbit targets a fixed list of file extensions covering images, archives and backups, virtual machine images and virtual hard disks, office documents, and source code and script files. Each file is encrypted with AES-128 in CBC mode, and the AES key is in turn encrypted with an RSA-2048 public key hard-coded in the sample, so only the holder of the matching private key can recover the data.
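The hybrid scheme just described, shown on in-memory sample data with the `cryptography` library: a fresh AES-128 key encrypts the content in CBC mode, the RSA-2048 public key wraps that AES key, and the "encrypted" marker is appended. This is an added illustration written for this page, not the malware's code or any vendor's tooling; the page gives only the cipher, the key sizes and the marker, so the OAEP padding, the IV-prefixed container layout and the one-key-per-blob choice are this example's assumptions and differ from the real sample's format. The decrypt side is included to show that nothing short of the operator's private key unwraps the file key.

```python
import os
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

TRAILER = b"encrypted"   # marker Bad Rabbit appends to each encrypted file
# RSA padding is this example's choice; the page does not specify what the sample used
OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA256()),
                         algorithm=hashes.SHA256(), label=None)


def attacker_keypair():
    """Stand-in for the RSA-2048 key the malware carries: a sample hard-codes the
    public half, the private half stays with the operator."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_blob(plaintext, public_key):
    """Encrypt data with a fresh AES-128-CBC key, wrap that key with the RSA-2048
    public key, and append the marker. Returns (container, wrapped_key)."""
    aes_key = os.urandom(16)          # 128-bit key, one per blob in this example
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    wrapped_key = public_key.encrypt(aes_key, OAEP)   # 256 bytes for a 2048-bit key
    return iv + ciphertext + TRAILER, wrapped_key


def decrypt_blob(container, wrapped_key, private_key):
    """Reverse of encrypt_blob; only the private-key holder can unwrap the AES key."""
    if not container.endswith(TRAILER):
        raise ValueError("marker missing: not produced by encrypt_blob")
    body = container[:-len(TRAILER)]
    iv, ciphertext = body[:16], body[16:]
    aes_key = private_key.decrypt(wrapped_key, OAEP)   # raises ValueError for a wrong key
    decryptor = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def roundtrip(plaintext):
    """Encrypt under the operator's public key, check the container shape, and recover."""
    private_key, public_key = attacker_keypair()
    container, wrapped_key = encrypt_blob(plaintext, public_key)
    assert container.endswith(TRAILER) and len(wrapped_key) == 256
    return decrypt_blob(container, wrapped_key, private_key) == plaintext


def wrong_key_fails(plaintext):
    """Without the matching private key the wrapped AES key cannot be recovered."""
    _, public_key = attacker_keypair()
    other_private, _ = attacker_keypair()
    container, wrapped_key = encrypt_blob(plaintext, public_key)
    try:
        decrypt_blob(container, wrapped_key, other_private)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = b"Q3 budget spreadsheet (constructed sample data)"
    print("roundtrip ok:", roundtrip(sample))
    print("wrong key rejected:", wrong_key_fails(sample))
```

The practical consequence for responders is in `wrong_key_fails`: the ciphertext and the wrapped key are both on disk, but without the private half of the hard-coded RSA-2048 key they are of no use, which is why recovery depends on backups rather than on analysing the encrypted files.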
