A major ransomware attack named “BadRabbit” is disrupting systems across Europe. The attack has been spreading wildly. BadRabbit locks out a user from login and demands a ransom worth of ~300$ in BitCoin. Some of the countries that are targeted are Russia, Ukraine, Bulgaria, and Turkey. Russian victims were the biggest targets accounting to about 71% of the attack.
The characteristics of NotPetya and BadRabbit looks to be the same. While some of the noticeable differences are, Badrabbit uses custom kernel compared to NotPetya, and in case of NotPetya decryption was not possible whereas in case of BadRabbit decryption might be possible with the criminal’s private key.
As group-ib reports “BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc. as NotPetya”.
A drive-by download attack is conducted which leads to the infection of BadRabbit. According to Cisco’s Talos findings, BadRabbit is also using a version of the EternalRomance exploit to spread. This exploit, which comes from the 7 NSA hacking tools which are leaked by a mysterious group Shadow Brokers. Previously we had seen NotPetya using this tool to spread.
How BadRabbit works?
BadRabbit is spreading via a drive-by-downloads mechanism, here are the steps of infection,
- Users visits compromised websites.
- Websites prompts with fake adobe flash player update ‘install_flash_player.exe’
- User accepts the prompt and ‘install_flash_player.exe‘ will be downloaded.
- Executes install_flash_player.exe with elevated privileges.
- The updated deploys the BadRabbit ransomware.
What happens after the execution of ‘install_flash_player.exe‘?
- A file by the name ‘C:\Windows\infpub.dat‘ will be dropped by ‘install_flash_player.exe’ and will be executed by the command ‘C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15.‘
- Infpub.dat will drop the ‘C:\Windows\cscc.dat‘ and ‘C:\Windows\dispci.exe‘ files.
- Infpub.dat will then create a Windows service called ‘Windows Client Side Caching DDriver‘ that is used to launch the cscc.dat driver.
- dispci.exe in combination with the cscc.dat driver, is responsible for the disk encryption and ransom screen.
- ‘drogon‘ task is created which will shutdown the machine.
- ‘rhaegal‘ task is created which is responsible of launching ‘dispci.exe‘ when user logs on to the computer.
- After infecting a machine, it used a tool called ‘Mimikatz‘ to get the credentials from memory, also
Indicator’s of Compromise:
- Confidential data held hostage.
- All targeted files and documents are encrypted with RSA 2048 encryption mechanism.
- Victim to pay a ransom of ~300$ in BitCoin.
- Users will be locked out of the computer.
How to prevent the attack:
- Disabling WMI service across the network can prevent ransomware from spreading.
- Always update software from vendors.
- Avoid surfing unknown websites.
- Check for valid signed certificates of any installers.
- As per ‘Cybereason‘ there is a quick prevention method available. For more info click here.