A new ransomware strain named Bad Rabbit is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike.
At the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey.
Confirmed victims include the Odessa airport in Ukraine, the Kiev subway system in Ukraine, the Ukrainian Ministry of Infrastructure, and three Russian news agencies, including Interfax and Fontanka. Ukraine's CERT team has posted an alert and is warning Ukrainian businesses about this new outbreak.
The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks that have hit in May and June this year, respectively.
ESET and Proofpoint researchers say Bad Rabbit has initially spread via fake Flash update packages, but the ransomware also appears to come with tools that help it move laterally inside a network, which may explain why it spread so quickly across several organizations in such a small time.
In a later report published by Kaspersky, the company telemetry data revealed "the ransomware [was] spread via a drive-by attack," and "victims are redirected to [the website peddling the fake Flash update package] from legitimate news websites."
Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer's memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB.
As for Bad Rabbit, the ransomware is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user's computer and then replaces the MBR (Master Boot Record).
Once Bad Rabbit has done its job, it reboots the user's PC, which gets stuck into the custom MBR ransom note. The ransom note is almost identical to the one used by NotPetya, in the June outbreak.
Based on the ransom note, the ransomware asks victims to access a site on the Tor network and make a payment of 0.05 Bitcoin (around $280). Victims have just over 40 hours to pay until the ransom fee goes up.
Under the hood, the Bad Rabbit ransomware appears to be based on DiskCryptor, an open source disk encryption utility, similarly to the HDDCryptor ransomware that hit San Francisco's Muni transportation service earlier this year.
The Bad Rabbit source code also contains various Game of Thrones references to characters like Grayworm. In addition, the ransomware also sets up three scheduled tasks named Drogon, Rhaegal, and Viserion, the name of the three dragons from Game of Thrones. This is not the first ransomware that comes with Game of Thrones references. One of the scripts used in Locky's distribution campaign also contained similar references.
While full analysis of the ransomware is underway, this is what we currently know about Bad Rabbit.
As already stated, Bad Rabbit is currently targeting Russian and Eastern European victims through web sites that have been hacked to display fake Adobe Flash update notices. When a user clicks on these notices, a file called install_flash_player.exe will be downloaded.
When install_flash_player.exe is executed it will drop a file called C:\Windows\infpub.dat and execute it using the command C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15.
Once executed, Infpub.dat will create the C:\Windows\cscc.dat and C:\Windows\dispci.exe files. The Cscc.dat file is actually a renamed copy of the dcrypt.sys Filter driver from DiskCryptor. Infpub.dat will then create a Windows service called Windows Client Side Caching DDriver that is used to launch the cscc.dat driver.
Infpub.dat will also create a scheduled task that launches the dispci.exe file when the user logs into the computer. This scheduled task is called Rhaegal, after one of the dragons from the Game of Thrones series. This scheduled task will execute the "C:\Windows\dispci.exe" -id [id] && exit command.
The cscc.dat driver, along with the dispci.exe file, are used to encrypt the disk and modify the master boot record in order to display the ransom note shown below when a victim turns on their computer.
Infpub.dat, though, is not quite finished and has some more tricks up its sleeve. After installing the DiskCryptor components, it will also perform a user mode encryption of the files on the victim's computer. These files will be encrypted with what appears to be AES encryption. The AES encryption key used to encrypt the files will then be encrypted with an embedded RSA-2048 public key. It is not currently known where the final encrypted key is stored, but could possibly be added to the encrypted files.
When Bad Rabbit encrypts files, unlike most other ransomware, it will not append a new extension to the encrypted file's name. It will though, append the file marker string "encrypted" to end of every encrypted file as shown below.
Last, but not least, Infpub.dat also contains the ability to spread via SMB to other computers. It does this by trying to access network shares over SMB through credentials stolen from the victim's computer or by trying a list of included user names and passwords. If it is able to gain access to a remote network share, it will copy itself over and execute the ransomware on the other computer.
You can see examples of the SMB traffic below.
Finally, Bad Rabbit will create two more scheduled tasks that are used to reboot the computer. These scheduled tasks are also named after the dragons in Game of Thrones and are named drogon and viserion. These tasks are used to shutdown and reboot the computer in order to execute other programs at login or eventually display the boot lock screen before Windows starts.
As you can see, there is a lot of functionality built into Bad Rabbit and more is expected to be uncovered as various security companies analyze the ransomware. We will continue to update this article as more information becomes available.
install_flash_player.exe: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 cscc.dat (dcrypt.sys): 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 dispci.exe: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
C:\Windows\infpub.dat C:\Windows\System32\Tasks\drogon C:\Windows\System32\Tasks\rhaegal C:\Windows\cscc.dat C:\Windows\dispci.exe
HKLM\SYSTEM\CurrentControlSet\services\cscc HKLM\SYSTEM\CurrentControlSet\services\cscc\Type 1 HKLM\SYSTEM\CurrentControlSet\services\cscc\Start 0 HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl 3 HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath cscc.dat HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName Windows Client Side Caching DDriver HKLM\SYSTEM\CurrentControlSet\services\cscc\Group Filter HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService FltMgr HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64 1
Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. Visit our web service at caforssztxqzf2nm.onion Your personal installation key#1:
Local & Remote SMB Traffic on ports 137, 139, 445 caforssztxqzf2nm.onion
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Additional reporting by Lawrence Abrams