What's happening: Another ransomware outbreak spread through Eastern Europe this week. Victims were heavily concentrated in Russia and Ukraine, though infections have also been spotted in Germany, Turkey, Bulgaria, and even the United States.
"BadRabbit" has similarities to NotPetya: it's designed to overwrite the Master Boot Record on infected machines, making them unusable. Unlike NotPetya, the malware does appear to be working ransomware, not a wiper.
True outbreak or series of highly targeted attacks? Researchers believe many of the infected organizations may have been specifically targeted, and that the fake Adobe Flash updates spotted delivering the ransomware are likely more of a decoy. If correct, that means the scope of the attack is much narrower than the NotPetya and WannaCry outbreaks, and that the majority of U.S. organizations are likely safe, at least for now.
Four months after the "NotPetya" ransomware outbreak wreaked havoc in Ukraine and other countries, a new strain of ransomware called "BadRabbit" has struck Eastern European organizations yet again.
As with the NotPetya attacks, early reports on BadRabbit have included vague and, in some cases, conflicting information. Now that some of the initial dust is beginning to settle, let's take a look at what we definitively know so far.
BadRabbit is a new strain of ransomware discovered on Tuesday, October 24, after infecting a variety of organizations based primarily in Russia and Eastern Europe. In addition to encrypting files on an infected computer, it also encrypts the disk, preventing the computer from starting up correctly and making it essentially unusable.
BadRabbit bears significant resemblance to the previous disk-encrypting malware Petya and NotPetya (the latter later determined to be a wiper, not ransomware), leading some researchers to believe it's the next iteration of those variants.
BadRabbit currently demands 0.05 Bitcoin, or roughly $273 USD, though some researchers suggest the attacks may have been more politically motivated than purely financially driven, with the ultimate goal being disruption to specific corporations and organizations.
So far, infections have been concentrated in Russia and Eastern Europe. One of the first victims to announce it had been attacked was Russian business newswire Interfax. According to Russian cybersecurity firm Group-IB, multiple Russian media outlets were also infected by BadRabbit.
The user has to manually execute the fake update (the dropper) once it's downloaded, and it has to be run with admin privileges, which on a default configuration means the user also has to click through the UAC elevation prompt. If those conditions are met, the infection is officially underway.
Some researchers are skeptical of the fake Flash updates, however, and point to the number of successful infections on critical infrastructure in such a short time as an indicator that the attacks may have been targeted instead of left to chance. If that is the case, the fake Flash updates may just be a decoy for other, more stealthy and advanced attack vectors.
Component 2: The primary payload
Once the dropper is executed it deploys the primary payload (infpub.dat, SHA-256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648), which is launched by rundll32.exe. Its job is to encrypt files and drop the additional attack components, which are executed later via several scheduled tasks with some rather fanciful names:
Rhaegar (launches dispci.exe, which installs the bootlocker)
Drogon (reboots the system)
(yes, the attackers behind BadRabbit apparently like Game of Thrones)
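The execution chain above (rundll32.exe loading infpub.dat, scheduled tasks named rhaegar and drogon, dispci.exe installing the bootlocker) is exactly the kind of behavior endpoint telemetry can catch. As an added example that is not code from the original post or from Barkly, the following Python script runs those indicators over constructed Sysmon-style records. The record field names (image, cmdline, sha256), the sample command lines and the hashes other than the infpub.dat SHA-256 quoted above are assumptions for illustration, not captured data.

```python
import re

# Indicators quoted in the write-up above: the infpub.dat SHA-256, the
# scheduled task names, and the component file names.
INFPUB_SHA256 = "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648"
TASK_NAMES = {"rhaegar", "drogon"}
TASK_RE = re.compile(r'/tn\s+"?([^\s"]+)')  # pulls the task name out of a schtasks command line


def check_event(event):
    """Return the list of findings for one process-creation / image-load record.

    `event` is a dict with the (assumed, simplified) keys image, cmdline and
    sha256, roughly what Sysmon event IDs 1 and 7 carry.
    """
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()
    sha256 = event.get("sha256", "").lower()
    exe = image.rsplit("\\", 1)[-1]
    findings = []

    if sha256 == INFPUB_SHA256:
        findings.append("known infpub.dat hash")
    # The dropper hands the payload DLL to rundll32.exe.
    if exe == "rundll32.exe" and "infpub.dat" in cmdline:
        findings.append("rundll32 loading infpub.dat")
    # The payload persists its later stages as scheduled tasks.
    if exe == "schtasks.exe":
        m = TASK_RE.search(cmdline)
        if m and m.group(1) in TASK_NAMES:
            findings.append(f"scheduled task {m.group(1)!r} created")
    # dispci.exe is the component that installs the bootlocker.
    if exe == "dispci.exe":
        findings.append("dispci.exe (bootlocker installer) executed")
    return findings


def scan_events(events):
    """Return [(index, findings)] for every record that matched at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        f = check_event(ev)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample records (not real telemetry). Paths and command lines are
# illustrative assumptions in the style reported for BadRabbit.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "sha256": "aa" * 32},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1 15",
     "sha256": "bb" * 32},
    {"image": r"C:\Windows\infpub.dat", "cmdline": "", "sha256": INFPUB_SHA256},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /RU SYSTEM /SC ONCE /TN rhaegar /TR "C:\Windows\dispci.exe -id 12345" /ST 13:05:00',
     "sha256": "cc" * 32},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /RU SYSTEM /SC ONCE /TN drogon /TR "shutdown.exe /r /t 0 /f" /ST 13:15:00',
     "sha256": "cc" * 32},
    {"image": r"C:\Windows\dispci.exe", "cmdline": r"C:\Windows\dispci.exe -id 12345", "sha256": "dd" * 32},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /TN OfficeUpdate /TR "C:\Program Files\Office\update.exe"',
     "sha256": "cc" * 32},
]

if __name__ == "__main__":
    for idx, findings in scan_events(SAMPLE_EVENTS):
        print(idx, "; ".join(findings))
```

The hash match is the weakest signal (a rebuilt sample changes it); the behavioral ones, rundll32.exe loading a .dat file from C:\Windows and SYSTEM-level one-shot scheduled tasks that run a reboot, survive trivial recompilation and are worth alerting on even without the BadRabbit-specific names.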
Component 5: Mimikatz
In addition to encrypting the files and disk on the original victim machine, the BadRabbit payload also attempts to spread laterally across compromised networks. One of the ways it does that is by running a modified version of Mimikatz to dump credentials. BadRabbit then tries to use those credentials to access other machines on the network. More on this aspect of the attack below...
EternalRomance is a remote code execution exploit for one of the SMBv1 vulnerabilities Microsoft patched in March 2017 under MS17-010 (EternalRomance is tracked as CVE-2017-0145; CVE-2017-0144, the identifier sometimes quoted for it, is the companion EternalBlue bug fixed in the same bulletin), targeting systems running Windows XP through Server 2008. Notably, BadRabbit uses EternalRomance but not EternalBlue. According to Talos researchers, "BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services," allowing it to infect new machines. Any host that is still missing MS17-010 or still has SMBv1 enabled is exposed to this vector.
Beyond the exploit, once it lands on a machine BadRabbit makes two further attempts at lateral movement, both credential-based rather than exploit-based.
The first uses the credentials dumped by Mimikatz. The second: BadRabbit also comes equipped with a hard-coded list of common usernames and passwords, which it runs through as a dictionary attack to brute-force access to remote machines.
Figure: BadRabbit's list of hard-coded usernames and passwords. Source: Malwarebytes
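A host working through a hard-coded credential list looks very different in the Security log from a user mistyping a password: many distinct target accounts fail from one source in seconds. As an added example (not code from the original post or from Barkly), this Python script detects that pattern over constructed, flattened 4625 (failed logon) lines. The line format, the IP addresses, hostnames and usernames are all assumptions built for illustration; the usernames are generic ones, not a transcription of the list in the figure above. It generalizes beyond BadRabbit to any credential spray from a single source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, flattened Security-log lines (not real telemetry). In a real 4625
# event WorkstationName and IpAddress identify the *source* of the attempt; the
# event itself is recorded on the target host.
SAMPLE_LOG = """\
2017-10-24T13:05:01 EventID=4625 TargetUserName=Administrator WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:02 EventID=4625 TargetUserName=Admin WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:03 EventID=4625 TargetUserName=Guest WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:04 EventID=4625 TargetUserName=User WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:05 EventID=4625 TargetUserName=root WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:06 EventID=4625 TargetUserName=backup WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:07 EventID=4625 TargetUserName=operator WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:08 EventID=4625 TargetUserName=Administrator WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:05:09 EventID=4624 TargetUserName=Administrator WorkstationName=WS-FIN01 IpAddress=10.0.5.23
2017-10-24T13:06:40 EventID=4625 TargetUserName=jsmith WorkstationName=WS-HR07 IpAddress=10.0.7.9
2017-10-24T13:06:45 EventID=4625 TargetUserName=jsmith WorkstationName=WS-HR07 IpAddress=10.0.7.9
2017-10-24T13:06:51 EventID=4625 TargetUserName=jsmith WorkstationName=WS-HR07 IpAddress=10.0.7.9
2017-10-24T13:00:00 EventID=4625 TargetUserName=svc-backup WorkstationName=SRV-DB02 IpAddress=10.0.9.4
2017-10-24T13:05:00 EventID=4625 TargetUserName=svc-sql WorkstationName=SRV-DB02 IpAddress=10.0.9.4
2017-10-24T13:10:00 EventID=4625 TargetUserName=svc-web WorkstationName=SRV-DB02 IpAddress=10.0.9.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"WorkstationName=(?P<host>\S+) IpAddress=(?P<ip>\S+)"
)


def failed_logons(lines):
    """Yield (timestamp, source_ip, target_user) for every 4625 line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("id") == "4625":
            yield datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("user").lower()


def detect_spray(lines, min_accounts=5, window_seconds=120):
    """Return {source_ip: sorted distinct accounts} for every source that failed
    against at least `min_accounts` different accounts inside some interval of
    `window_seconds`. One account failing repeatedly (a forgotten password) never
    trips it; a dictionary attack from one host does.
    """
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for ts, ip, user in failed_logons(lines):
        by_source[ip].append((ts, user))

    flagged = {}
    for ip, events in by_source.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Slide `start` forward until events[start:end+1] all fit in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(accounts)} accounts tried in one window: {', '.join(accounts)}")
```

In the sample, 10.0.5.23 burns through seven accounts in eight seconds and is flagged; the user on 10.0.7.9 fails three times against one account and the service host 10.0.9.4 fails against three accounts spread over ten minutes, and neither is. The 4624 that follows the spray is deliberately left in the sample: a successful logon right after a burst of failures from the same source is the follow-up condition worth correlating on, since that is the point where the worm has found a working credential.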
Protecting your company from BadRabbit
The good news is that after just a day of operation, the servers, websites, and other infrastructure behind the BadRabbit attacks appear to have been shut down (though the payment site is apparently still up and running). It could be that the attention the ransomware was generating made the attackers uncomfortable, that the attack was more of a test, or that the primary mission of the attacks had already been accomplished.
Either way, there are still things you can do to help ensure your organization is protected the next time an attack like this breaks out.
Utilize endpoint security with behavior-based protection built in. Solutions like Barkly can help ensure malicious programs and processes get blocked even if a new type of malware gets past traditional file scanning.
Don't grant users admin privileges. Since the dropper had to be run with admin privileges, this simple measure could help prevent a BadRabbit infection from getting started in the first place.