Tracking the Bad Rabbit

A new ransomware campaign dubbed “Bad Rabbit” has hit a number of high profile targets in Russia and Eastern Europe. First detected on October 24^th, 2017, Bad Rabbit was originally detected in Russia and Ukraine, along with a small number of infections reported in parts of eastern Europe, Turkey, and Germany. However, the attack now appears to be spreading to other regions, including reports from South Korea and the US.

It has been confirmed that this attack infected several news media agencies in Russia, including knocking the Russian news agency Interfax offline. In addition, a number of public transportation organizations, including the Odessa International Airport and the Kiev Metro in the Ukraine, have also been affected. There is currently no clear indication as to who is responsible for this attack.

The initial threat vector is through users installing malicious copies of Flash Player obtained through infected websites or watering hole attacks. Users are tricked into opening up an .exe file and then launching the ransomware application. The malware then attempts to steal Windows cached user credentials (username and passwords) and encrypt user files. Unlike other known ransomware, this malware does not rename or change the filename of the files it encrypts.

The payload may be a variant of Petya, and once executed it begins to encrypt data files on the computer and network shares before displaying the ransom note. The ransomware demands the payment of 0.05 Bitcoins, or about US$275, to unlock the encrypted files.

Figure 1. Bad Rabbit Ransom Note

This malware may also drop any or all of the following files: 

• %Windows%\cscc.dat : This file is a Disk encrypting utility, originally known as dcrypt.sys that was developed by ReactOS.
• %Windows%\dispci.exe : This file is detected as W32/Diskcoder.D!tr.ransom.
• %Windows%\infub.dat : This file is detected as W32/Diskcoder.D!tr.ransom.
• %Desktop%\DECRYPT.lnk : This is a shortcut file to dispci.exe.
• %RootDir%\Readme.txt : This text file contains the ransom note.

This malware was also observed to issue the following WebDav commands:

• OPTIONS /admin$
• PROPFIND /admin$

During tests in our FortiGuard Labs facilities, we also observed this malware attempt to enumerate various IPs within the same subnet. One possible reason for this behavior is that the malware may be searching for an internal IP that is a valid web server. In addition, the payload also attempted to move laterally across the network to find and infect other vulnerable devices.

This attack has attracted a lot of media attention, primarily because of some similarities to the widespread WannaCry and Petya attacks last spring (such as its use of SMB [Server Message Block].) Unlike those malware infections, however, Bad Rabbit does not target the Eternal Blue or DoublePulsar vulnerability.

Fortinet is currently detecting minimal spread of this malware. This may change as the malware spreads to Europe and North America where we have a larger density of honeypots and research sensor nodes. We will keep you posted with updates, along with a detailed analysis of this attack as new information comes to light.

Solution:

Fortinet’s AV/Malware engine is detecting all versions of the known malware through the W32/Diskcoder.D!tr.ransom signature. Additionally, Fortinet Web Filtering and DNS engines are blocking known C&C (command and control) servers.

IOCs:

%Windows%\cscc.dat                    Dropper

%Windows%\dispci.exe                 Dropper

%Windows%\infub.da                    Dropper

%Desktop%\DECRYPT.lnk            Shortcut to dispci.exe

1dnsconrol[.].com                           Possible C&C server

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

For more information on ransomware threats, download our guide to read about how to close gaps to stop ransomware and other threats in general.