What is Bad Rabbit?
Bad Rabbit is a previously unknown ransomware family. On October 24th, the Kaspersky security team observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia, but there have also been reports of victims in Ukraine. Here is what the ransom message looks like for the unlucky victims:
Image Credit: SecureList - Bad Rabbit Ransomware Message
How is Bad Rabbit distributed?
The ransomware dropper is distributed through drive-by attacks: while the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. No exploits are used, so the victim has to execute the dropper manually; it pretends to be an Adobe Flash installer.
Whom does it target?
Most of the targets are located in Russia. Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany.
What are the behaviours and technical details of Bad Rabbit?
The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php. Victims are redirected to this malicious web resource from legitimate news websites to download a file named install_flash_player.exe, which has to be launched manually by the victim. To operate correctly, it needs elevated administrative privileges, which it attempts to obtain through the standard UAC prompt. Once started, it saves the malicious DLL as C:\Windows\infpub.dat and launches it using rundll32.
infpub.dat appears to be capable of brute-forcing NTLM login credentials against Windows machines at pseudo-random IP addresses.
infpub.dat will also install the malicious executable dispci.exe into C:\Windows and create a task to launch it.
infpub.dat acts as a typical file encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them using the criminal’s public RSA-2048 key.
Indicators of Compromise:
• fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
• 1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
• b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe
What is the countermeasure to defend against Bad Rabbit?
The following countermeasures should be sufficient to defend against Bad Rabbit:
• restricting execution of files at the paths C:\Windows\infpub.dat, C:\Windows\dispci.exe and C:\Windows\cscc.dat in the Endpoint Security software;
• configuring and enabling Default Deny mode in the Application Control component of Endpoint Security to enforce proactive defense against this and other ransomware attacks.
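As an added example (not from the original article and not Kaspersky's own tooling), the following host triage script checks a Windows machine for the artifacts named above: it tests for the three file paths, compares the MD5 of any file found against the hashes in the IoC list, and looks for a scheduled task that launches dispci.exe. The hash values are copied from this page; cscc.dat has no hash on the page, so it is checked for presence only, and the script assumes Windows 8 / Server 2012 or later for Get-ScheduledTask.

```powershell
# Added triage script (not part of the original article). Run in an elevated
# PowerShell session on the host being checked.

# MD5 values copied from the IoC list on this page; cscc.dat has no listed hash,
# so its entry is $null and the file is reported on presence alone.
$Indicators = @{
    'C:\Windows\infpub.dat' = '1d724f95c61f1055f0d02c2154bbccd3'
    'C:\Windows\dispci.exe' = 'b14d8faf7f0cbcfad051cefe5f39645f'
    'C:\Windows\cscc.dat'   = $null
}

$Findings = @()

foreach ($Path in $Indicators.Keys) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }

    # Get-FileHash returns the digest in upper case; normalise before comparing.
    $Hash     = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $Expected = $Indicators[$Path]

    if ($null -eq $Expected) {
        $Findings += "Suspicious file present (no reference hash on the page): $Path"
    } elseif ($Hash -eq $Expected) {
        $Findings += "Known Bad Rabbit sample at $Path (MD5 $Hash)"
    } else {
        # A file under a known malicious path with a different hash still merits review.
        $Findings += "File at $Path does not match the listed hash (got $Hash); review manually"
    }
}

# infpub.dat creates a task to launch dispci.exe; flag any scheduled task whose
# action executable or arguments reference that file name.
$Tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.Execute -match 'dispci\.exe' -or $_.Arguments -match 'dispci\.exe'
    }
}
foreach ($Task in $Tasks) {
    $Findings += "Scheduled task '$($Task.TaskName)' in '$($Task.TaskPath)' references dispci.exe"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Bad Rabbit indicators from this list were found on this host.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

The script only covers the indicators on this page; a host that passes these checks may still need the Endpoint Security path restrictions and Default Deny policy described above.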