A ransomware campaign is currently ongoing, hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro products with XGen™ security detect this ransomware as TROJ.Win32.TRX.XXPE002FF019. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.
Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukranian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.
Figure 1: Bad Rabbit ransom note showing the installation key
Our initial findings report that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that which contains a URL that resolves to hxxp://1dnscontrol.com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites out of Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.
Figure 2: Code showing the injected script
Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system, as well as display the ransom note which is seen above.
A third file, viserion_23.job, is used to reboot the target system a second time, after which the screen is locked and the following note displayed:
Figure 3: Bad Rabbit ransom note displayed after system reboot
From our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it employs dictionary attack for the credentials.
Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We have also found evidence of it using DiskCryptor , a legitimate disk encryption tool, to encrypt the target systems.
Mitigation and Best Practices
Users can mitigate the impact of ransomware such as Bad Rabbit through the use of the best practices found in this guide.
Trend Micro Solutions
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Further information about Trend Micro solutions can be found in this article.
The following SHA256 hashes are detected as RANSOM_BADRABBIT.A: