Security Alert
Jonathan Crowe
Oct 2017

Everything You Need to Know About BadRabbit


Key Details

  • What's happening: Another ransomware outbreak spread through Eastern Europe this week. Victims were heavily concentrated in Russia and Ukraine, though infections have also been spotted in Germany, Turkey, Bulgaria, and even the United States.
  • Update: The outbreak is seemingly over with the attackers shutting down the infrastructure behind it just one day after it began.
  • "BadRabbit" has similarities to NotPetya: It's designed to overwrite the Master Boot Record on infected machines, making them unusable. Unlike NotPetya, the malware does appear to be working ransomware, not a wiper.
  • True outbreak or series of highly targeted attacks? Researchers believe many of the infected organizations may have been specifically targeted, and that the fake Adobe Flash updates spotted delivering the ransomware are likely more of a decoy. If correct, that means the scope of the attack is far more narrow than the NotPetya and WannaCry outbreaks, and that the majority of U.S. organizations are likely safe, at least for now.

Four months after the "NotPetya" ransomware outbreak wreaked havoc in Ukraine and other countries, a new strain of ransomware called "BadRabbit" has struck Eastern European organizations yet again.

As with the NotPetya attacks, early reports on BadRabbit have included vague and, in some cases, conflicting information. Now that some of the initial dust is beginning to settle, let's take a look at what we definitively know so far.

What is BadRabbit?


BadRabbit ransom screen. Source: WCCFTech

BadRabbit is a new strain of ransomware discovered on Tuesday, October 25 after infecting a variety of organizations based primarily in Russia and Eastern Europe. In addition to encrypting files on an infected computer, it also encrypts the disk, preventing the computer from starting up correctly and making it essentially unusable. 

BadRabbit bears significant resemblance to the previous disk-encrypting malware Petya and NotPetya (later determined to be a wiper, not ransomware), leading some researchers to believe it's the next iteration of those variants.

BadRabbit currently demands 0.05 Bitcoin, or roughly $273 USD, though some researchers suggest the attacks may have been more politically motivated than purely financially driven, with the ultimate goal being disruption to specific corporations and organizations. 

Who is getting infected? 


So far, infections have been concentrated in Russia and Eastern Europe. One of the first victims to announce it had been attacked was Russian business newswire Interfax. According to Russian cybersecurity firm Group-IB, multiple Russian media outlets were also infected by BadRabbit. 

Additional victims included several Ukrainian institutions, including the Odessa International Airport, the Kiev Metro system, and the Ministry of Infrastructure. 

Here's what the global distribution of infections looks like according to ESET:

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

How is BadRabbit getting delivered?

Researchers have confirmed one way the infections start is by users downloading and running fake Adobe Flash updates. 

The user has to manually execute the update file once it's downloaded to the desktop, and the malware has to be run with admin privileges. If those conditions are met, the infection is officially underway.

Some researchers are skeptical of the fake Flash updates, however, and point to the number of successful infections on critical infrastructure in such a small amount of time as an indicator that the attacks may have been targeted instead of left to chance. If that is the case, the fake Flash updates may just be a decoy for other, more stealthy and advanced attack vectors.

An alert from the Ukrainian Computer Emergency Response Team indicated some infections may have started via attacks that leveraged Microsoft's Dynamic Data Exchange feature — a technique that's been gaining significant traction over the past few weeks. 

As of now, however, the only infection vector that has been confirmed is the fake Adobe Flash updates, so be on the lookout.  

How does BadRabbit work?

There are five core components of BadRabbit, as illustrated in this great graphic put together by Mandiant's Nick Carr:

In case how the attack works isn't 100% clear from Carr's graphic, let's break down the components and how they're used in a little more detail:

  • Component 1: The dropper
    First, there's the dropper (the fake Flash update: install_flash_player.exe, SHA-256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da).

  • Component 2: The primary payload
    Once the dropper is executed it deploys the primary payload (infpub.dat, SHA-256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648), which is launched by rundll32.exe. Its job is to conduct the file encryption and drop the additional attack components, which are executed later via several scheduled tasks with some rather fanciful names:

    • Rhaegar (launches dispci.exe, which installs the boot locker)
    • Viserion
    • Drogon (reboots the system)

(yes, the attackers behind BadRabbit apparently like Game of Thrones)


Thanks to Any.Run you can also see a video of the attack in action here. 

How does BadRabbit spread?

While two leaked NSA exploits (EternalBlue and EternalRomance) were used to drive NotPetya's spread across the globe, early reports on BadRabbit indicated no exploits were used. 

However, further research from Cisco's Talos Group confirmed that EternalRomance had in fact been employed. 

EternalRomance is a remote execution exploit designed to take advantage of vulnerability CVE-2017-0144 (which Microsoft patched in March) on systems running Windows XP to 2008. According to Talos researchers, "BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services," allowing it to infect new machines.

In addition, once it lands on a vulnerable machine, BadRabbit makes two different attempts at lateral movement.

The first is deploying a modified version of Mimikatz to dump credentials and see if they grant the malware access to any other computers on the network. Once access is obtained, BadRabbit abuses the Windows Management Instrumentation command line (wmic.exe) to deploy copies of itself on the remote machines. 

In addition to using Mimikatz, however, BadRabbit also comes equipped with a hard-coded list of common usernames and passwords in order to conduct a dictionary attack and brute force access to remote machines. 


BadRabbit list of hard-coded usernames and passwords. Source: Malwarebytes
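The components and spreading behaviour described above translate into a handful of host-side indicators a defender can hunt for: the two SHA-256 hashes quoted in this article, the Rhaegar/Viserion/Drogon scheduled task names, rundll32.exe loading infpub.dat, and wmic.exe being used against remote hosts. The script below is an added example (not from the article or from any vendor) that runs those checks over constructed, Sysmon-style process and task events; the event field names and the sample command lines are assumptions for illustration.

```python
import hashlib
import re

# SHA-256 hashes quoted in the article for the dropper and the primary payload.
BADRABBIT_HASHES = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "install_flash_player.exe (dropper)",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": "infpub.dat (primary payload)",
}
# Scheduled task names the article lists; matched case-insensitively.
TASK_NAMES = {"rhaegar", "viserion", "drogon"}


def sha256_of(data: bytes) -> str:
    """Hash file contents so they can be compared against BADRABBIT_HASHES."""
    return hashlib.sha256(data).hexdigest()


def check_event(event: dict) -> list:
    """Return the indicator descriptions matched by one constructed log event.

    Assumed event shape (not a real Sysmon schema): 'type' is 'process' or 'task';
    process events carry 'image', 'cmdline' and 'hash'; task events carry 'task'.
    """
    hits = []
    if event.get("type") == "task":
        if event.get("task", "").lower() in TASK_NAMES:
            hits.append("scheduled task named " + event["task"])
        return hits
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    file_hash = event.get("hash", "").lower()
    if file_hash in BADRABBIT_HASHES:
        hits.append("known hash: " + BADRABBIT_HASHES[file_hash])
    if image.endswith("rundll32.exe") and "infpub.dat" in cmd:
        hits.append("rundll32.exe launching infpub.dat")
    if image.endswith("wmic.exe") and re.search(r"/node:", cmd):
        hits.append("wmic.exe targeting a remote host")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, check_event(e)) for i, e in enumerate(events) if check_event(e)]


# Constructed sample events: three suspicious, one benign.
SAMPLE_EVENTS = [
    {"type": "task", "task": "Rhaegar"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\infpub.dat",
     "hash": "579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe /node:host2 process call create \"cmd.exe\"", "hash": ""},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "hash": ""},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

Real deployments would feed this from Sysmon event ID 1 (process creation) and Security event 4698 (scheduled task created) rather than from an inline list.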

Protecting your company from BadRabbit

The good news is that, after just a day of operation, the servers, websites, and other infrastructure behind the BadRabbit attacks appear to have been shut down (though the payment site is apparently still up and running). It could be that the attention the ransomware was generating was making the attackers uncomfortable, that the attack was more of a test, or that the primary mission of the attacks had already been accomplished.

Either way, there are still things you can do to help ensure your organization is protected the next time an attack like this breaks out. 

  1. Utilize endpoint security with behavior-based protection built in. Solutions like Barkly can help ensure malicious programs and processes get blocked even if a new type of malware gets past traditional file scanning. 

  2. Don't grant users admin privileges. Since the dropper had to be run with admin privileges, this simple measure could help prevent a BadRabbit infection from getting started in the first place.