Down the Bad Rabbit Hole

Update 2017-10-27 1:30pm EDT: Multiple researchers are reporting an exploit in the BadRabbit sample that is largely based on the EternalRomance exploit published in the ShadowBrokers leak.

On October 24, 2017, STEALTHbits was alerted to a ransomware campaign spreading across Eastern Europe and Russia. There are reports that the infection is leveraging the EternalBlue, the exploit generally believed to be developed by the U.S. National Security Agency (NSA), however there is no evidence to support those claims. Bad Rabbit does however appear to be related to the Nyetya ransomware variant that appeared earlier this year.

How Bad Rabbit Operates

The origins of the infections have been traced to a fake Flash Player being delivered via a drive-by-download and compromising systems. This means that users have to interact with the malware and actually execute the payload themselves this infection does not use any exploit to compromise the system directly. Once infected the malware takes the following actions:

• Attempt to spread via SMB by scanning for internal open shares.
• Launches Mimikatz on the compromised computer to harvest credentials. A hardcoded list username and password is also present.
• DiskCryptor, a legitimate open source software used to do full drive encryption is then used encrypt files using CryptGenRandom and then protected by a hardcoded RSA 2048 public key. Encrypted files have extension .encrypted.
• Two scheduled task are created, one to execute dispci.exe as well as a task to reboot the infected machine at a later time.
• The Master Boot Record (MBR) is altered to redirect the boot process into the malware authors code to display a ransom note.

Interactive analysis of Bad Rabbit: https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3

Associated files:

Conclusions and Protections

Whether it’s possible to get back files encrypted by Bad Rabbit (either by paying the ransom an available decryptor) isn’t yet known. The bitcoin wallets of the attackers only have a combined 3 transactions at the time of this writing

( 1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM | 17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2 ).

There are several actions that you can take to protect your environment:

• Create a kill switch by creating C:windowsinfpub.dat as a read-only file. Should a machine become infected this will short circuit the encryption process.
• Restrict Scheduled Tasks: viserion_, rhaegal, drogon
• Restrict local admin access to workstations
• Eliminate, reduce or lockdown open shares

STEALTHbits customers should take the following actions:

• Check the local admin report to see which machines have privileges to execute the payload locally and where possible revoke those privileges
• Check the open shares report to see areas of the network that can be used to spread the infection
• StealthINTERCEPT customers should enable Horizontal Movement Analytics as well as monitor and preferably block privilege escalation activities.

Beyond the loss of data to ransomware we at STEALTHbits have our concerns whenever we observe malware harvesting credentials and leveraging tools such as Mimikatz to widen its reach. If you are a regular follower of our blogs you know that we have extensively covered the damage that can be done with Mimikatz and similar tools.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*