Bad Rabbit Ransomware

Breakdown: Bad Rabbit Ransomware

A new ransomware outbreak is currently ongoing, infecting systems in a number of countries; most victims are in Russia and Ukraine. Bad Rabbit (also written BadRabbit) appears to be a new strain of the NotPetya ransomware seen in the outbreak earlier this summer, given the similarities in the methods used to infect corporate networks.

Organizations hit by the Bad Rabbit ransomware include:

  • Interfax (Russia)
  • Kiev Metro (Ukraine)
  • Odessa Airport (Ukraine)

Countries known to host Bad Rabbit infections:

  • Bulgaria
  • Germany
  • Montenegro
  • Poland
  • Russia
  • South Korea
  • Turkey
  • Ukraine

Bad Rabbit Distribution

Malicious JavaScript

The Bad Rabbit ransomware is distributed, among other ways, through a drive-by download. Popular websites have been compromised, and malicious JavaScript has been embedded either in the HTML body of the site or in the .js files it loads.

The malicious JavaScript sends the following information to the malicious host 185.149.120[.]3, which appears to be inactive at the time of writing:

  • User-Agent
  • Referrer
  • Site Cookie
  • Site Domain Name

List of compromised websites, used to distribute the ransomware:

  • hxxp://argumentiru[.]com
  • hxxp://www.fontanka[.]ru
  • hxxp://grupovo[.]bg
  • hxxp://www.sinematurk[.]com
  • hxxp://www.aica.co[.]jp
  • hxxp://spbvoditel[.]ru
  • hxxp://argumenti[.]ru
  • hxxp://www.mediaport[.]ua
  • hxxp://blog.fontanka[.]ru
  • hxxp://an-crimea[.]ru
  • hxxp://www.t.ks[.]ua
  • hxxp://most-dnepr[.]info
  • hxxp://osvitaportal.com[.]ua
  • hxxp://www.otbrana[.]com
  • hxxp://calendar.fontanka[.]ru
  • hxxp://www.grupovo[.]bg
  • hxxp://www.pensionhotel[.]cz
  • hxxp://www.online812[.]ru
  • hxxp://www.imer[.]ro
  • hxxp://novayagazeta.spb[.]ru
  • hxxp://i24.com[.]ua
  • hxxp://bg.pensionhotel[.]com
  • hxxp://ankerch-crimea[.]ru

Based on the information gathered, the server decides whether or not to show a popup offering the user a fake Flash Player update. The MD5 hash of the fake Flash Player update is FBBDC39AF1139AEBBA4DA004475E8839.

As soon as the user tries to install the fake update, the script downloads the ransomware dropper from the domain 1dnscontrol[.]com.

After execution, the malware locks the computer and shows the ransom note to the victim. The victim is directed to the TOR hidden service caforssztxqzf2nm[.]onion for payment instructions. The ransomware authors ask a decryption fee of 0.05 BTC (Bitcoin).

The price increases after a certain time threshold is met, to push the victim into paying the ransom. Whether payment results in actual decryption is unknown at this point in time.
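The indicators above (the host contacted by the injected script and the dropper URLs on 1dnscontrol[.]com) are published defanged, so a scanner first has to refang them. The following is an added example, not code from the original write-up: it checks page content or a proxy-log line for those indicators and flags external script tags whose source points at a Bad Rabbit host. The HTML snippet and proxy-log line are constructed for the example; the three indicator strings are the ones listed in this write-up.

```python
"""Match Bad Rabbit drive-by indicators in page content and proxy logs."""
import re

# Indicators as published in the write-up, kept defanged
DEFANGED_IOCS = [
    "185.149.120[.]3/scholargoogle/",
    "1dnscontrol[.]com/flash_install.php",
    "1dnscontrol[.]com/index.php",
]


def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def find_iocs(text):
    """Set of refanged indicators that occur anywhere in text (case-insensitive)."""
    lowered = text.lower()
    return {ioc for ioc in map(refang, DEFANGED_IOCS) if ioc.lower() in lowered}


# Crude but sufficient for <script ... src="..."> tags in scraped HTML
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def external_scripts(html):
    """All src attributes of script tags in the HTML."""
    return SCRIPT_SRC.findall(html)


def suspicious_scripts(html):
    """Script sources whose host is one of the Bad Rabbit hosts."""
    bad_hosts = {refang(ioc).split("/")[0].lower() for ioc in DEFANGED_IOCS}
    hits = []
    for src in external_scripts(html):
        host = re.sub(r"^https?://", "", src, flags=re.I).split("/")[0].lower()
        if host in bad_hosts:
            hits.append(src)
    return hits


# Constructed sample: a compromised page with one injected script tag
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="http://185.149.120.3/scholargoogle/"></script>
<p>Latest news</p>
</body></html>"""

# Constructed sample proxy-log line (client fetching the fake Flash installer)
SAMPLE_PROXY_LINE = "2017-10-24 12:01:33 10.0.0.14 GET http://1dnscontrol.com/flash_install.php 200"

if __name__ == "__main__":
    print("IOCs in page:", find_iocs(SAMPLE_HTML))
    print("suspicious scripts:", suspicious_scripts(SAMPLE_HTML))
    print("IOCs in proxy line:", find_iocs(SAMPLE_PROXY_LINE))
```

The page scan is useful when checking your own web properties for the injected script; the proxy-log check is the one a SOC would run over outbound traffic to see whether any client reached the dropper host.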

Spreading via SMB

The Bad Rabbit ransomware also has functionality to spread over the network using the SMB protocol. The malware scans the internal network for the following open shares in order to propagate itself:

  • admin
  • atsvc
  • browser
  • eventlog
  • lsarpc
  • netlogon
  • spoolss
  • samr
  • srvsvc
  • scerpc
  • svcctl
  • wkssvc

EternalBlue Exploit

Some initial reports claimed that Bad Rabbit uses the EternalBlue SMB exploit in its spreading process, similar to the method used by the NotPetya ransomware. This assumption was found to be incorrect.

Bad Rabbit User/Password Combinations

The Bad Rabbit ransomware uses the Mimikatz tool to read credentials used on the infected host from memory. In addition, the malware tries the username/password combinations below in order to identify usable credentials.

Usernames:
Administrator
Admin
Guest
User
User1
user-1
Test
root
buh
boss
ftp
rdp
rdpuser
rdpadmin
manager
support
work
other user
operator
backup
asus
ftpuser
ftpadmin
nas
nasuser
nasadmin
superuser
netguest
alex

Passwords:
Administrator
administrator
Guest
guest
User
user
Admin
adminTest
test
root
123
1234
12345
123456
1234567
12345678
123456789
1234567890
Administrator123
administrator123
Guest123
guest123
User123
user123
Admin123
admin123Test123
test123
password
111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god

If working credentials are identified, the malware drops the infpub.dat file in the Windows directory. Afterwards, the file is executed using scmanager and rundll.exe.
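Both spreading behaviours described above leave traces in the Windows Security log: the share scan shows up as event 5145 (detailed file share access) against the IPC$ share with the pipe name as the relative target, and the credential guessing shows up as bursts of event 4625 (failed logon) for the hard-coded usernames. The following is an added example, not code from the write-up: it groups such events by source address and flags a source that touches several of the listed shares, or fails logons for several of the listed usernames, inside one time window. The event records and thresholds are constructed for the example; the share and username lists are the ones given above.

```python
"""Burst detection for Bad Rabbit SMB share enumeration and credential guessing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Shares probed over SMB (list from the write-up)
BADRABBIT_PIPES = {"admin", "atsvc", "browser", "eventlog", "lsarpc", "netlogon",
                   "spoolss", "samr", "srvsvc", "scerpc", "svcctl", "wkssvc"}

# Hard-coded usernames (list from the write-up)
BADRABBIT_USERS = set(("Administrator Admin Guest User User1 user-1 Test root buh boss ftp rdp "
                       "rdpuser rdpadmin manager support work operator backup asus ftpuser "
                       "ftpadmin nas nasuser nasadmin superuser netguest alex").split()) | {"other user"}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def _bursts(triples, window, min_distinct):
    """triples: (time, source, item). Return {source: items} for every source that
    touches at least min_distinct distinct items inside one sliding time window."""
    per_source = defaultdict(list)
    for when, source, item in triples:
        per_source[source].append((when, item))
    hits = {}
    for source, seq in per_source.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            seen = {item for when, item in seq[i:] if when - start <= window}
            if len(seen) >= min_distinct:
                hits[source] = seen
                break
    return hits


def detect_pipe_enumeration(events, window=timedelta(minutes=5), min_pipes=4):
    """Event 5145 records whose share is IPC$ and whose target is a Bad Rabbit pipe."""
    triples = [(_ts(e["time"]), e["src_ip"], e["target"].lower()) for e in events
               if e["event_id"] == 5145 and e["share"].upper().endswith("IPC$")
               and e["target"].lower() in BADRABBIT_PIPES]
    return _bursts(triples, window, min_pipes)


def detect_credential_guessing(events, window=timedelta(minutes=5), min_users=5):
    """Event 4625 records: one source failing logons for many listed usernames."""
    triples = [(_ts(e["time"]), e["src_ip"], e["target_user"]) for e in events
               if e["event_id"] == 4625 and e["target_user"] in BADRABBIT_USERS]
    return _bursts(triples, window, min_users)


def _share_access(time, src, target):  # constructed 5145 record (fields simplified)
    return {"event_id": 5145, "time": time, "src_ip": src, "share": "\\\\*\\IPC$", "target": target}


def _failed_logon(time, src, user):  # constructed 4625 record (fields simplified)
    return {"event_id": 4625, "time": time, "src_ip": src, "target_user": user}


SAMPLE_EVENTS = [  # constructed for this example
    _share_access("2017-10-24 10:00:01", "10.0.0.5", "admin"),
    _share_access("2017-10-24 10:00:01", "10.0.0.5", "atsvc"),
    _share_access("2017-10-24 10:00:02", "10.0.0.5", "browser"),
    _share_access("2017-10-24 10:00:02", "10.0.0.5", "svcctl"),
    _share_access("2017-10-24 10:00:03", "10.0.0.5", "srvsvc"),
    _share_access("2017-10-24 10:04:10", "10.0.0.9", "lsarpc"),   # single access, not a burst
    _failed_logon("2017-10-24 10:00:05", "10.0.0.5", "Administrator"),
    _failed_logon("2017-10-24 10:00:05", "10.0.0.5", "Admin"),
    _failed_logon("2017-10-24 10:00:06", "10.0.0.5", "Guest"),
    _failed_logon("2017-10-24 10:00:06", "10.0.0.5", "User"),
    _failed_logon("2017-10-24 10:00:07", "10.0.0.5", "rdpuser"),
    _failed_logon("2017-10-24 10:00:07", "10.0.0.5", "ftpadmin"),
    _failed_logon("2017-10-24 10:02:00", "10.0.0.22", "jsmith"),  # ordinary typo, not in the list
    _failed_logon("2017-10-24 10:02:30", "10.0.0.22", "jsmith"),
]

if __name__ == "__main__":
    print("share enumeration:", detect_pipe_enumeration(SAMPLE_EVENTS))
    print("credential guessing:", detect_credential_guessing(SAMPLE_EVENTS))
```

Event 5145 is only written when object access auditing for detailed file shares is enabled, so the share-enumeration detector needs that policy in place; the failed-logon detector works with the default logon auditing. Thresholds are deliberately low here and should be tuned against the normal noise of your own environment.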

Bad Rabbit Targeted File Extensions

The BadRabbit ransomware targets files with the extensions listed below for encryption:

3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.

Bad Rabbit Encryption

The Bad Rabbit ransomware uses DiskCryptor for encryption. DiskCryptor is in itself a legitimate tool for full-disk encryption. The software generates keys using CryptGenRandom and protects them with an RSA-2048 public key. The AES-128-CBC cipher is used for encryption.

Encrypted files get the extension .encrypted.
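The extension list above is stored inside the malware as one dot-delimited string, and encrypted files are renamed with the .encrypted suffix. The following is an added example, not code from the write-up: it parses that string into a set of extensions and classifies a file inventory into files the malware would target, files that already carry the .encrypted suffix (a sign of an active infection), and everything else. The file listing is constructed for the example; whether the malware compares extensions case-insensitively is an assumption, marked in the code.

```python
"""Classify a file inventory against the Bad Rabbit extension list and output suffix."""
import re

# Dot-joined extension string as the malware carries it (copied from the write-up)
TARGET_EXTENSION_STRING = (
    "3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs."
    "ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe."
    "jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf."
    "p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb."
    "rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm."
    "vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip."
)
ENCRYPTED_SUFFIX = ".encrypted"


def parse_extension_list(raw):
    """Split the dot-delimited string into bare, lower-cased extensions.
    Empty fragments produced by leading or trailing dots are dropped."""
    return {fragment.lower() for fragment in raw.split(".") if fragment}


TARGETED_EXTENSIONS = parse_extension_list(TARGET_EXTENSION_STRING)


def extension_of(path):
    """Extension after the last dot of the file name, '' if there is none.
    Works for both Windows and POSIX paths; a leading dot (.bashrc) is not an extension."""
    name = re.split(r"[\\/]", path)[-1]
    if "." not in name[1:]:
        return ""
    return name.rsplit(".", 1)[1].lower()


def is_targeted(path):
    # Assumption: the comparison is case-insensitive; the write-up does not state
    # how the malware compares extensions.
    return extension_of(path) in TARGETED_EXTENSIONS


def is_encrypted_output(path):
    return path.lower().endswith(ENCRYPTED_SUFFIX)


def classify_inventory(paths):
    """Return {'at_risk': [...], 'encrypted': [...], 'other': [...]} for the given paths."""
    result = {"at_risk": [], "encrypted": [], "other": []}
    for path in paths:
        if is_encrypted_output(path):
            result["encrypted"].append(path)
        elif is_targeted(path):
            result["at_risk"].append(path)
        else:
            result["other"].append(path)
    return result


SAMPLE_INVENTORY = [  # constructed file listing
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\NOTES.XLSX",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\archive.tar.gz",
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\.bashrc",
    r"C:\src\main.c",
]

if __name__ == "__main__":
    for bucket, files in classify_inventory(SAMPLE_INVENTORY).items():
        print(bucket, len(files), files)
```

Run over a real file-server inventory, the "at_risk" bucket tells you which data the backup advice at the end of this write-up actually has to cover, and a non-empty "encrypted" bucket on a live system is a reason to isolate it from the network before the SMB spreading does further damage.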

Bad Rabbit Yara Signature

YARA is a tool used by malware researchers to identify and classify samples using pattern matching. Below is a YARA signature for the Bad Rabbit ransomware, published by Christiaan Beek (McAfee):

import "pe"

rule sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 {
    meta:
        description = "Bad Rabbit Ransomware"
        author = "Christiaan Beek"
        reference = "BadRabbit"
        date = "2017-10-24"
        hash1 = "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93"
    strings:
        $x1 = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" fullword wide
        $x2 = "need to do is submit the payment and get the decryption password." fullword ascii
        $s3 = "If you have already got the password, please enter it below." fullword ascii
        $s4 = "dispci.exe" fullword wide
        $s5 = "\\\\.\\GLOBALROOT\\ArcName\\multi(0)disk(0)rdisk(0)partition(1)" fullword wide
        $s6 = "Run DECRYPT app at your desktop after system boot" fullword ascii
        $s7 = "Enter password#1: " fullword wide
        $s8 = "Enter password#2: " fullword wide
        $s9 = "C:\\Windows\\cscc.dat" fullword wide
        $s10 = "schtasks /Delete /F /TN %ws" fullword wide
        $s11 = "Password#1: " fullword ascii
        $s12 = "\\AppData" fullword wide
        $s13 = "Readme.txt" fullword wide
        $s14 = "Disk decryption completed" fullword wide
        $s15 = "Files decryption completed" fullword wide
        $s16 = "http://diskcryptor.net/" fullword wide
        $s17 = "Your personal installation key#1:" fullword ascii
        $s18 = ".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg." wide
        $s19 = "Disable your anti-virus and anti-malware programs" fullword wide
        $s20 = "bootable partition not mounted" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 400KB and
          pe.imphash() == "94f57453c539227031b918edd52fc7f1" and
          ( 1 of ($x*) or 4 of them )
        ) or ( all of them )
}

Bad Rabbit URL Requests

caforssztxqzf2nm[.]onion

185.149.120[.]3/scholargoogle/

1dnscontrol[.]com/flash_install.php

1dnscontrol[.]com/index.php

Bad Rabbit Sample Analysis

https://www.hybrid-analysis.com/sample/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da?environmentId=100

Bad Rabbit SHA256 Hashes

682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035

301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

1a628c74398706fd4319ffb958b1099d85bb6373f0742d67ae2a24caf68bf457

Bad Rabbit Detections

F-Secure – Trojan:W32/Rabbad.B

Microsoft – Ransom:Win32/Tibbar.A

Symantec – Ransom.BadRabbit

TrendMicro – Ransom_BADRABBIT.A

Bad Rabbit Payment Information

The BadRabbit ransomware authors use the following Bitcoin wallets for payment:

1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM

17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z

As can be seen on the blockchain, no decryption ransoms appear to have been paid. Three transactions have been received, all for amounts smaller than the 0.05 BTC asked for decryption.

https://blockchain.info/address/1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM

https://blockchain.info/address/17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z

Bad Rabbit Kill-Switch Functionality

The Bad Rabbit ransomware has a kill switch with which its encryption process can be stopped. The ransomware checks for the presence of the following read-only file:

C:\windows\infpub.bat

If the file is present in that folder, files will not be encrypted.

Please remember that the kill switch will not prevent the malware from propagating over the network via SMB to infect other hosts.
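The kill switch is simply the presence of a read-only file at the path given above. The following is an added example, not code from the write-up: it creates that file empty, clears its write bit (on Windows this sets the read-only attribute), and verifies the result from the file's mode bits rather than from an access check, which reports writable for an administrator regardless. The path is the one this write-up names; creating it requires administrative rights, and the demo function exercises the same logic in a throw-away directory so the code can be tried without touching the Windows directory.

```python
"""Create and verify the Bad Rabbit kill-switch file."""
import os
import stat
import tempfile

# Path named in the write-up; writing here needs administrative rights on Windows
KILL_SWITCH_PATH = r"C:\windows\infpub.bat"


def is_read_only(path):
    """True when the owner write bit is clear. On Windows os.stat mirrors the
    read-only attribute in these mode bits, so the same check works there."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & stat.S_IWUSR == 0


def kill_switch_present(path=KILL_SWITCH_PATH):
    """The malware's condition as described: the file exists and is read-only."""
    return os.path.isfile(path) and is_read_only(path)


def create_kill_switch(path=KILL_SWITCH_PATH):
    """Create path as an empty file, clear its write bits and report the outcome.
    An existing file is left alone apart from being made read-only."""
    if not os.path.isfile(path):
        with open(path, "wb"):
            pass
    os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return kill_switch_present(path)


def demo_in_temp_dir():
    """Run the create/verify cycle in a temporary directory instead of C:\\windows.
    Returns (present_before, create_result, present_after)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "infpub.bat")
    before = kill_switch_present(path)
    created = create_kill_switch(path)
    after = kill_switch_present(path)
    os.chmod(path, stat.S_IWRITE | stat.S_IREAD)  # make it deletable again
    os.remove(path)
    os.rmdir(tmp)
    return before, created, after


if __name__ == "__main__":
    print("temp-dir demo (before, created, after):", demo_in_temp_dir())
```

Deploying the file through configuration management only addresses the encryption step on each host; as noted above, a host carrying the file can still be used as a stepping stone over SMB, so network segmentation and patching remain necessary.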

Our advice:

  • Do not download unexpected Adobe Flash Updates
  • For home users, run Windows Update
  • Monitor TOR activity
  • Make sure you have a working backup of your most important files

Alternatively:

  • Segregate your network