Bad Rabbit – A New Ransomware Outbreak Targeting Ukraine and Russia.

CERT-LatestNews ThreatsStrategic

On October 14th, the Ukrainian Security Service warned that a new large scale cyber-attack, similar to notPetya, might take place sometimes between October 13 and 17.

The attack arrived a few days later than expected; today (October 24th, 2017) the anticipated ransomware attack broke in Europe.

Ukraine was a main target for this malware with many of its critical infrastructures suffering from downtimes including train stations, airports and media sites.

Some of the effected companies are Kiev Metro (Ukrainian train services), Odessa Airport (Ukraine), Ukrainian ministries of infrastructure and finance and Interfax (large Russian media outlet).

Other than Ukraine, other countries which were hit include Turkey, Russia and Bulgaria.

Among the infected industries are mainly Finance, Healthcare, Distribution and Software vendors.

Dubbed `Bad Rabbit`, the ransomware asks for a ransom payment of 0.05 BTC (~$280) in the first 40 hours of infection, after which the price will probably rise to a yet unknown amount.

The ransomware is spread via a fake Flash software installer, which allegedly arrives as a pop-up from a legitimate Russian news site.

Once ran the pop-up leads to a compromised site, which in turn downloads an executable dropper.

The ransomware uses known open source software called DiskCryptor in order to encrypt the victim’s drives.

The lock screen presented to the user is almost identical to the infamous Petya and NotPetya lock screens. However, this is the only similarity we can observe between both malware, in all other aspects Bad Rabbit is a completely new and unique ransomware.

After successful infection the Bad Rabbit ransomware creates a unique key for each victim which is presented on a created ‘READ ME.txt’ file together with the payment site which is hosted on Tor.

The payment site is very graphically appealing, using colorful and changing letters.

When entering the user key in the Tor payment site, each user receives a unique bitcoin wallet to which it is asked to transfer the payment of 0.05 BTC to.

Check Point customers using the following products are protected against this threat:

  • Check Point Threat Emulation blade
  • Check Point Anti-Virus blade

Technical Overview

Initially, Bad Rabbit malware deletes the scheduled task named “rhaegal”:

schtasks /Delete /F /TN rhaegal

It then creates the scheduled task with exactly the same name:

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR “C:\Windows\system32\cmd.exe /C Start \”\” \”C:\Windows\dispci.exe\” -id %d && exit”

This new task is responsible for running the payload after the system will boot up.

And then malware schedules a system restart (task name “drogon”):

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR “C:\Windows\system32\shutdown.exe /r /t 0 /f” /ST hh:mm:ss

After the computer restarts the encryption process begins.

Bad Rabbit can perform both encryption and decryption of the MBR and files.

The following is the list of file extensions encrypted by Bad Rabbit:

  • .3ds
  • .7z
  • .accdb
  • .ai
  • .asm
  • .asp
  • .aspx
  • .avhd
  • .back
  • .bak
  • .bmp
  • .brw
  • .c
  • .cab
  • .cc
  • .cer
  • .cfg
  • .conf
  • .cpp
  • .crt
  • .cs
  • .ctl
  • .cxx
  • .dbf
  • .der
  • .dib
  • .disk
  • .djvu
  • .doc
  • .docx
  • .dwg
  • .eml
  • .fdb
  • .gz
  • .h
  • .hdd
  • .hpp
  • .hxx
  • .iso
  • .java
  • .jfif
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .kdbx
  • .key
  • .mail
  • .mdb
  • .msg
  • .nrg
  • .odc
  • .odf
  • .odg
  • .odi
  • .odm
  • .odp
  • .ods
  • .odt
  • .ora
  • .ost
  • .ova
  • .ovf
  • .p12
  • .p7b
  • .p7c
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pmf
  • .png
  • .ppt
  • .pptx
  • .ps1
  • .pst
  • .pvi
  • .py
  • .pyc
  • .pyw
  • .qcow
  • .qcow2
  • .rar
  • .rb
  • .rtf
  • .scm
  • .sln
  • .sql
  • .tar
  • .tib
  • .tif
  • .tiff
  • .vb
  • .vbox
  • .vbs
  • .vcb
  • .vdi
  • .vfd
  • .vhd
  • .vhdx
  • .vmc
  • .vmdk
  • .vmsd
  • .vmtm
  • .vmx
  • .vsdx
  • .vsv
  • .work
  • .xls
  • .xlsx
  • .xml
  • .xvd
  • .zip

The disk encryption is done using an open source tool called DiskCryptor (open source partition encryption solution)

At this stage both the MBR and 2nd stage bootloaders are being encrypted.

All the interactions with DiskCryptor driver are done through opening this device:


To start the encryption process the following IOCTL is send to it:


It seems that there are two different passwords used to encrypt the files. First one should be entered at the system boot. The second one is used to decrypt the files, which extensions are mentioned above, when the system will boot through enumeration of all the encrypted files on disk.