Over the past 24 hours, there have been hundreds of reports of cyberattacks involving Bad Rabbit ransomware, a new ransomware variant with similarities to both NotPetya and HDDCryptor. NotPetya was used in widespread attacks in June, and was a wiper rather than ransomware. HDDCryptor was the ransomware variant that encrypted the San Francisco Muni’s system in November 2016.
Many of the NotPetya attacks occurred via a compromised accountancy software update. The Bad Rabbit attacks also use a supposed software update for infection. The attacks so far have involved a fake Flash Player update in a drive-by download attack.
Rather than use malvertising to direct users to malicious websites where the ransomware is downloaded, the actors behind this campaign have hacked legitimate websites and loaded malicious JavaScript, which displays a warning to urgently update Flash Player. Responding to that warning will see an executable downloaded – install_flash_player.exe – which installs the ransomware.
The ransomware cannot execute without user interaction: the user must run the fake Flash Player update for the ransomware to be installed. All of the attacks so far are understood to have involved drive-by downloads from legitimate media and news websites. Sites in Russia, Denmark, and Ireland are known to have been compromised and are being used to display the Flash Player warnings.
Bad Rabbit ransomware uses AES encryption for files, and then encrypts the keys with an RSA-2048 public key. After files have been encrypted, the Master Boot Record (MBR) is replaced and the infected computer is rebooted. The infected device displays a ransom note which asks for a payment of 0.5 Bitcoin ($280) to be made within 40 hours. The ransom amount will increase if the deadline for payment is missed.
Bad Rabbit ransomware is also capable of spreading rapidly within a network and infecting multiple devices. The WannaCry ransomware attacks in May also saw infections spread laterally. Rather than use the NSA’s ETERNALBLUE exploit that was used by WannaCry, the Bad Rabbit ransomware includes hardcoded credentials that are used over SMB to infect other devices. Additionally, Mimikatz is used to harvest credentials from compromised devices which are then used via SMB.
The new malware variant has claimed more than 200 victims, including the Kiev Metro, Odessa International Airport, Russian news agencies Interfax and Fontanka, and the Ministry of Infrastructure of Ukraine. Attacks appear to be concentrated in Russia and Ukraine, although they have spread to Europe – Turkey, Bulgaria, and Germany – and Japan.
ESET and Kaspersky Lab have published IOCs, with the latter suggesting an easy way to block Bad Rabbit attacks.
The ransomware creates two files on installation – C:\windows\infpub.dat and C:\Windows\cscc.dat – and Kaspersky Lab suggests restricting execution of files with those paths.
It has also been suggested that creating those two files in those locations and removing read, write, and execute permissions on them will also prevent the ransomware from encrypting files. Businesses should also send out a warning email to employees about Bad Rabbit ransomware, instructing them not to download Flash Player updates.
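The "vaccination" step described above, as an added example that is not from the original article or from Kaspersky Lab: an elevated PowerShell script pre-creates the two file paths named in the text and strips every access entry from them, then reports how many entries remain. It assumes the standard C:\Windows location and that the host is not already infected.

```powershell
# Added example (not part of the original article). Run as Administrator.
# Pre-creates the two paths Bad Rabbit drops and removes all permissions on them.

$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

foreach ($path in $vaccineFiles) {
    # Only create an empty placeholder when the path is free; an existing file
    # at this location may already be the malware's dropped component and
    # should be investigated rather than silently overwritten.
    if (Test-Path -Path $path) {
        Write-Warning "$path already exists - check the host before proceeding"
    } else {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }

    # Step 1: stop inheriting ACEs from C:\Windows and discard the inherited
    # ones (first argument: protect the DACL; second: do not preserve them).
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $path -AclObject $acl

    # Step 2: re-read the now-protected DACL and remove every explicit rule,
    # leaving an empty DACL, which grants no principal read, write or execute.
    $acl = Get-Acl -Path $path
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -Path $path -AclObject $acl
}

# Verification: each vaccinated file should report zero access entries.
foreach ($path in $vaccineFiles) {
    $remaining = (Get-Acl -Path $path).Access.Count
    Write-Output ("{0}: {1} access entries remaining" -f $path, $remaining)
}
```

The Administrators group still owns the files and can restore permissions later, so this does not lock administrators out of the host; it only denies the ransomware the ability to write its own component to those paths.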