Background

Bad Rabbit was discovered by researchers from Kaspersky Lab and ESET on 24 October 2017.

There have been reports of Bad Rabbit hitting corporate networks in Ukraine and Russia, and it appeared to be spreading to other countries. Bad Rabbit shares some similarities with the NotPetya outbreak in June 2017, but it is different.

Hosts are usually infected through a click-and-infect method: victims visiting compromised websites are tricked into downloading and executing a fake Adobe Flash installer.

Once a host is infected, the code uses EternalRomance, a remote code execution exploit that spreads to other hosts on the same network over the Windows File Sharing protocol (SMB), enabling remote code execution on Windows clients and servers.

Known Compromised Websites

The following websites are currently known to be hosting and spreading the Bad Rabbit Ransomware:

  • argumentiru[.]com
  • www.fontanka[.]ru
  • grupovo[.]bg
  • www.sinematurk[.]com
  • www.aica[.]co[.]jp
  • spbvoditel[.]ru
  • argumenti[.]ru
  • www.mediaport[.]ua
  • blog.fontanka[.]ru
  • an-crimea[.]ru
  • www.t.ks[.]ua
  • most-dnepr[.]info
  • osvitaporta[.]com
  • www.otbrana[.]com
  • calendar.fontanka[.]ru
  • www.grupovo[.]bg
  • www.pensionhotel[.]cz
  • www.online812[.]ru
  • www.imer[.]ro
  • novayagazeta.spb[.]ru
  • i24[.]com
  • bg.pensionhotel[.]com
  • ankerch-crimea[.]ru

Impact

Bad Rabbit, like any other ransomware, encrypts files and effectively prevents anyone from accessing the data stored within.

Data residing on infected hosts may be lost.  This ransomware encrypts commonly used data files including Office documents and digital media content such as audio and movie files.

A ransom note will be displayed on the infected machines.

The victim is expected to pay 0.05 bitcoin (estimated to be about USD$285 at the current rate) as ransom to unlock their data.

Recommendation

AtomIT generally recommends good security practices to prevent threats like this. Some of the controls are:

  • Have good internet controls which automatically blacklist bad domains or websites.
  • Have good internal controls through security policies by disabling unnecessary protocols.
    • File Sharing in this instance was used to propagate the ransomware.
  • Have good internal controls through security policies by controlling the credentials used to access necessary protocols.
    • Windows Management Instrumentation (WMI) using well-known credentials in this case was used to execute the ransomware.
  • Have a good patch management process that ensures patches are applied regularly.
    • In particular, security update MS17-010 was released in March 2017 to address the exploit used here.
  • Have good anti-virus software on your digital assets.
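The first control above (blacklisting bad domains) is only as good as the list feeding it. The following script is an added example, not AtomIT's tooling: it takes entries from the "Known Compromised Websites" list above (defanged with `[.]`), rebuilds a hostname blocklist from them, and scans proxy/DNS log lines for contacts with listed hosts or their subdomains. The log lines and their format (timestamp, client IP, `DNS`/`GET` record, target) are constructed for illustration; the only data taken from the advisory is the subset of domains in `DEFANGED_IOCS`.

```python
"""Refang the advisory's defanged IoCs and match them against log lines.

Added example for this advisory; the log format below is constructed.
"""
from urllib.parse import urlsplit

# Representative subset copied from the advisory's list (the full list is above).
DEFANGED_IOCS = [
    "argumentiru[.]com",
    "www.fontanka[.]ru",
    "grupovo[.]bg",
    "www.aica[.]co[.]jp",
    "calendar.fontanka[.]ru",
    "bg.pensionhotel[.]com",
]

# Constructed log lines: <timestamp> <client ip> <DNS|GET> <query or URL> [status]
LOG_LINES = """\
2017-10-24T10:02:10Z 10.1.2.3 DNS A calendar.fontanka.ru
2017-10-24T10:02:11Z 10.1.2.3 GET http://calendar.fontanka.ru/index.html 200
2017-10-24T10:02:12Z 10.1.2.4 GET https://www.example.org/ 200
2017-10-24T10:02:13Z 10.1.2.5 DNS A fontanka.ru
2017-10-24T10:02:14Z 10.1.2.6 GET http://bg.pensionhotel.com/ 200
2017-10-24T10:02:15Z 10.1.2.7 DNS A WWW.AICA.CO.JP.
"""


def normalize_host(host):
    """Lower-case and drop a trailing dot so DNS and URL forms compare equal."""
    return host.strip().lower().rstrip(".")


def refang(entry):
    """Turn 'example[.]com' back into a real hostname."""
    return normalize_host(entry.replace("[.]", "."))


def build_blocklist(entries):
    return {refang(e) for e in entries}


def host_matches(host, blocklist):
    """True if host equals a listed name or is a subdomain of one.

    The blocklist keeps the hostnames exactly as the advisory lists them (for
    example www.fontanka.ru, not fontanka.ru): the advisory names hostnames,
    not registrable domains, so the parent domain is not matched on its own.
    """
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def extract_host(line):
    """Hostname from a DNS query line or a proxy URL line; None if neither."""
    parts = line.split()
    if len(parts) < 5:
        return None
    if parts[2] == "DNS":
        return parts[4]
    if parts[2] in ("GET", "POST", "CONNECT"):
        target = parts[3]
        if "://" not in target:          # CONNECT lines carry host:port only
            target = "http://" + target
        return urlsplit(target).hostname
    return None


def scan_log(text, blocklist):
    """Return (line number, client ip, matched host) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        host = extract_host(line)
        if host and host_matches(host, blocklist):
            hits.append((lineno, line.split()[1], normalize_host(host)))
    return hits


if __name__ == "__main__":
    for lineno, client, host in scan_log(LOG_LINES, build_blocklist(DEFANGED_IOCS)):
        print(f"line {lineno}: {client} contacted listed host {host}")
```

Clients that appear in the output are candidates for the click-and-infect path described under Background and should be checked for the fake installer before the SMB spread reaches the rest of the network. Note that line 4 (`fontanka.ru`) is not reported: only the hostnames the advisory lists, and their subdomains, are matched.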

What to do if your machine is infected:

For more advanced users, you may adopt the following technical measures:

  • Block the execution of files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
  • Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.
  • To better protect yourself from ransomware, please visit https://www.nomoreransom.org/en/index.html.
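One way to carry out the first measure above, as an added example rather than AtomIT's own tooling: occupy the two file names the advisory gives with empty placeholders and deny Everyone access to them with `icacls`, so nothing can be written to or executed from those paths (the placeholder idea is the "vaccine" approach linked under References). The only page-supplied values are the two file names; the choice of `icacls` with a deny ACE for the well-known Everyone SID `S-1-1-0` is this example's assumption about how to implement "block execution". It must be run as Administrator on Windows; elsewhere it only reports the plan.

```python
"""Lock down the two file paths named in the advisory using icacls.

Added example; assumes icacls' documented /inheritance:r and /deny forms.
"""
import os
import platform
import subprocess
from pathlib import Path

# File names from the advisory; the Windows directory is resolved from the environment.
WINDIR = os.environ.get("SystemRoot", r"C:\Windows")
BLOCKED_FILES = [Path(WINDIR) / "infpub.dat", Path(WINDIR) / "cscc.dat"]
EVERYONE_SID = "*S-1-1-0"  # icacls takes numeric SIDs with a '*' prefix (locale-independent)


def plan_block_commands(path):
    """Return the icacls invocations that lock down `path`, without running them.

    1. drop inherited ACEs so the file keeps only the entries set here;
    2. deny Everyone full control (F), which covers write, delete and execute.
    """
    p = str(path)
    return [
        ["icacls", p, "/inheritance:r"],
        ["icacls", p, "/deny", f"{EVERYONE_SID}:F"],
    ]


def block_file(path, run=subprocess.run):
    """Create an empty placeholder if the name is free, then apply the deny ACL.

    Returns:
      "created" - placeholder written and locked down
      "present" - a file with that name already existed; it is locked, not
                  deleted, because it may be an infection artefact worth preserving
      "skipped" - not running on Windows, nothing changed
    """
    if platform.system() != "Windows":
        return "skipped"
    existed = path.exists()
    if not existed:
        path.touch()  # zero-byte file occupies the name
    for cmd in plan_block_commands(path):
        run(cmd, check=True)
    return "present" if existed else "created"


if __name__ == "__main__":
    for target in BLOCKED_FILES:
        print(target, "->", block_file(target))
        for cmd in plan_block_commands(target):
            print("  ", " ".join(cmd))
```

A result of "present" on a machine that has not been vaccinated before deserves attention: the advisory names these paths because the malware writes them, so an existing file should be handled as evidence rather than quietly overwritten.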

References

https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/
https://malwaretips.com/threads/bad-rabbit-ransomware-attack-hits-russia-ukraine.76488/
https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
https://www.darkreading.com/attacks-breaches/bad-rabbit-ransomware-attacks-rock-russia-ukraine—and-beyond/d/d-id/1330208?piddl_msgorder=asc
https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware