Bad Rabbit — A New Ransomware Outbreak in Europe

On Tuesday, October, 24th, a new ransomware sample called Bad Rabbit hit Russia, Ukraine, Turkey, Germany, Bulgaria, USA, and Japan. Russia and Ukraine were hit the most as the infection started though some hacked Russian news websites. Russian media agencies Interfax and Fontanka, as well as transportation organizations in Ukraine including the Odessa airport, Kiev’s subway and the country’s Ministry of Infrastructure were among the first to catch the infection.

This and many other threats are still out there, often they share their roots with previous iterations of the code and Bad Rabbit is no exception. Read on and find out how to recognise this type of infection and more importantly, how to protect against it.

A closer look

Bad Rabbit is based on NonPetya or exPetr code but is heavily reworked, although the behavior and actual result of infection is pretty much the same. At the same time, we noted that it also contains parts of other ransomware, for example, approaches used in HDDCryptor. But guys behind the Bad Rabbit fixed bugs here and there and combined it all into one, which is quite unique. They also signed the code with a fake Symantec security certificate. Another feature of this malicious software is the ability to collect user passwords on the infected computers and download additional malicious modules.

The ransomware doesn’t use any new tricks, quite on contrary, it relies on a very old malware approach of tricking users into installing a fake Adobe Flash update. Surprisingly, this approach still works, which indicates that cyber security awareness is still very low among businesses and consumers. There is still a lot of education needs to be done to make such attacks less effective. Until then, without proper security and data protection measures in place, the risk of falling victim to ransomware remains high.

Bad Rabbit key facts:

  • Uses pieces of code from NonPetya/ExPetr
  • Distributed as fake Flash update requiring manual installation by a user
  • Uses system driver for encryption
  • Tries to distribute itself via local network in a primitive way
  • Replaces MBR and makes PC unusable
  • Crashed on Windows 10
  • Mainly affected Windows corporate users

Infection scheme and technical details

To launch the attack, cyber criminals hacked some popular media websites and posted a link to a fake Adobe Flash installer, asking users to run the update when they visited the website. Many users fell for the trick, even though security companies for years have been warning people against installing software updates from untrusted sources. It’s also recommended to check all updates with a anti-malware solution before installing,  to be sure that they are not hacked or injected with malicious code. Similar fake Adobe software updates were very popular infection schemes years ago and as we see, unfortunately it continues to be effective now.

The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php. After that the user downloads install_flash_player.exe file, which needs administrative privileges in the system. Funny enough, it attempts to obtain these using the standard UAC prompt. If started, ransomware will save the malicious DLL in C:\Windows\infpub.dat and launch it using rundll32.

After the user voluntarily infects the machine, Bad Rabbit attempts to spread itself over the local network using an embedded credential list containing some of the worst password examples. Bad guys know that “12345” or “password” have been at the top of the password lists for years and these passwords continue to be effective.

Bad Rabbit uses two types of encryption – file and disk level. It doesn’t imitate chkdsk.exe like NonPetya did to hide encryption, nor does it use any vulnerability in Microsoft file server srv.sys. Instead, the Bad Rabbit uses Microsoft Cryptographic Service Providers (means legal system driver dcrypt.sys) to encrypt files and after it’s done with the files, it encrypts MBR and reboots the computer to display the ransom message demanding 0.05 bitcoin (which is roughly £245 as of 22/10/2018).

Get a Free Case Study

An interesting point is that under Windows 10 the driver module used for encryption is often causing a BSOD (Blue Screen Of Death) because of the compatibility issues. Another thing is that when it encrypts the file, the files extension stays the same, which can trick the heuristics used by some antiviruses, which react on file extension changes. Bad Rabbit can work offline and this potentially means that the sample can infect other machines when stored and distributed on a flash drive.

The main target for Bad Rabbit are companies and business and as of now we see that the infection levels are already subsiding. The malicious server is no longer alive and most of the infected sites that hosted the script that dangerous Flash update are currently down or cleaned up. That doesn’t mean, however, that you as a business or individual should relax, because new attack can still happen any time.

Acronis Active Protection expectedly detect and block Bad Rabbit from day 0

Acronis products, which have enabled Acronis Active Protection, such as Acronis True Image and Acronis Backup 12.5, easily detect and block the threat, reverting any damage done to data in a matter of seconds. But we still recommend that you use the following simple security rules:

  • Install and enable reliable anti-malware and backup solutions. The best way to protect yourself from ransomware is to use Acronis backup with Acronis Active Protection. It deals with modern ransomware threats a way better than traditional antivirus.
  • Only install software updates from official websites or when the software prompts you to do so in Windows. Many 3rd party software like Adobe are actually updates itself automatically, so you should not see any requests for updates, especially when reading your favorite news website. Even better – you can remove Flash at all if you don’t need it.


Leave a Reply

Your email address will not be published. Required fields are marked *