Update 2017-10-27 1:30pm EDT: Multiple researchers are reporting that the Bad Rabbit sample contains an exploit largely based on EternalRomance, the SMB exploit published in the ShadowBrokers leak.
On October 24, 2017, STEALTHbits was alerted to a ransomware campaign spreading across Eastern Europe and Russia. There are reports that the infection leverages EternalBlue, the exploit generally believed to have been developed by the U.S. National Security Agency (NSA); however, there is no evidence to support those claims. Bad Rabbit does appear to be related to the Nyetya (NotPetya) ransomware variant that appeared earlier this year.
The infections have been traced to a fake Flash Player installer delivered by drive-by download from compromised websites. The user has to run that installer themselves: the initial infection does not use any exploit to compromise the system directly. Once infected, the malware takes the following actions:
Interactive analysis of Bad Rabbit: https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3
Associated files:

| SHA-1 | Filename | Description |
|---|---|---|
| 79116fe99f2b421c52ef64097f0f39b815b20907 | infpub.dat | Diskcoder |
| afeee8b4acff87bc469a6f0364a81ae5d60a2add | dispci.exe | Lockscreen |
| 413eba3973a15c1a6429d9f170f3e8287f98c21c | | Mimikatz (32-bit) |
| 16605a4a29a101208457c47ebfde788487be788d | | Mimikatz (64-bit) |
| de5c8d858e6e41da715dca1c019df0bfb92d32c0 | install_flash_player.exe | Dropper |
| 4f61e154230a64902ae035434690bf2b96b4e018 | page-main.js | JavaScript on compromised sites |
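To put the table to use, here is an added example of a simple IOC sweep; it is not code from the original post or from STEALTHbits. It walks a directory tree, hashes every file with SHA-1 and reports matches against the hashes above, falling back to a weaker match on the reported file names. The `run_demo` helper, the constructed sample files it writes into a throwaway directory, and the extra "constructed test sample" entry it adds to a copy of the IOC set are assumptions made for the demonstration only.

```python
import hashlib
import os
import tempfile

# SHA-1 values and descriptions copied from the IOC table above.
BAD_RABBIT_SHA1 = {
    "79116fe99f2b421c52ef64097f0f39b815b20907": "infpub.dat (Diskcoder)",
    "afeee8b4acff87bc469a6f0364a81ae5d60a2add": "dispci.exe (Lockscreen)",
    "413eba3973a15c1a6429d9f170f3e8287f98c21c": "Mimikatz (32-bit)",
    "16605a4a29a101208457c47ebfde788487be788d": "Mimikatz (64-bit)",
    "de5c8d858e6e41da715dca1c019df0bfb92d32c0": "install_flash_player.exe (Dropper)",
    "4f61e154230a64902ae035434690bf2b96b4e018": "page-main.js (JavaScript on compromised sites)",
}

# File names from the table. A name match is only a lead: names are trivial
# to change, so a hash match is the evidence to act on.
SUSPICIOUS_NAMES = {"infpub.dat", "dispci.exe", "install_flash_player.exe", "page-main.js"}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=BAD_RABBIT_SHA1, names=SUSPICIOUS_NAMES):
    """Walk `root` and return (path, match_kind, detail) for every hit.

    match_kind is "sha1" for a hash match (strong) or "name" for a file whose
    name is in the table but whose hash is not (weak: a repacked or different build).
    """
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, "sha1", iocs[digest]))
            elif name.lower() in names:
                hits.append((path, "name", name))
    return hits


def run_demo():
    """Build a throwaway directory of constructed files and sweep it.

    The file contents are made up for the demonstration (assumption, not real
    samples); the third file's hash is added to a copy of the IOC set so the
    hash path can be exercised without a real sample on disk.
    """
    sample_dir = tempfile.mkdtemp(prefix="badrabbit-ioc-demo-")
    constructed = {
        "infpub.dat": b"constructed sample, not the real dropper",    # name hit only
        "notes.txt": b"benign file",                                   # no hit
        "evil.bin": b"constructed content standing in for a sample",   # hash hit
    }
    for name, content in constructed.items():
        with open(os.path.join(sample_dir, name), "wb") as fh:
            fh.write(content)

    iocs = dict(BAD_RABBIT_SHA1)
    iocs[hashlib.sha1(constructed["evil.bin"]).hexdigest()] = "constructed test sample"

    hits = sweep(sample_dir, iocs=iocs)
    # Report by base name so the result does not depend on the temp path.
    return sorted((os.path.basename(p), kind, detail) for p, kind, detail in hits)


if __name__ == "__main__":
    for name, kind, detail in run_demo():
        print(f"{kind:>4}  {name}: {detail}")
```

Point `sweep()` at a mounted disk image or a host's Windows directory for a real check. Two caveats: the hashes are point-in-time, so any rebuilt or repacked sample passes the hash test and is caught only by the weaker name test, and hashing a whole volume is slow; for broader hunting, the behaviour shown in the interactive analysis linked above is the better source of detections.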
Whether files encrypted by Bad Rabbit can be recovered (either by paying the ransom or with an available decryptor) isn't yet known. The attackers' bitcoin wallets have only three transactions combined at the time of this writing:
( 1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM | 17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2 ).
There are several actions that you can take to protect your environment:
STEALTHbits customers should take the following actions:
Beyond the loss of data to ransomware, we at STEALTHbits are concerned whenever we observe malware harvesting credentials and leveraging tools such as Mimikatz to widen its reach. If you are a regular follower of our blog, you know that we have covered extensively the damage that can be done with Mimikatz and similar tools.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies, responsible for end-to-end product vision and innovation. With a 16-year tenure in cybersecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.
© 2022 Stealthbits Technologies, Inc.