Bad Rabbit — Inside the latest ransomware

On Tuesday, October 24, 2017, a new ransomware sample called Bad Rabbit hit Russia, Ukraine, Turkey, Germany, Bulgaria, USA, and Japan. Russia and Ukraine were hit the most as the infection started through some hacked Russian news websites. Russian media agencies Interfax and Fontanka, as well as transportation organisations in Ukraine including the Odessa airport, Kiev's subway and the country's Ministry of Infrastructure were among the first to catch the infection.

Bad Rabbit is based on NonPetya or exPetr code but is heavily reworked, although the behaviour and actual result of infection is pretty much the same. At the same time, we noted that it also contains parts of other ransomware, for example, approaches used in HDDCryptor. But the guys behind the Bad Rabbit fixed bugs here and there and combined it all into one, which is quite unique. They also signed the code with a fake Symantec security certificate. Another feature of this malicious software is its ability to collect user passwords on the infected computers and download additional malicious modules.

The ransomware doesn’t use any new tricks, quite on the contrary, it relies on a very old malware approach of tricking users into installing a fake Adobe Flash update. Surprisingly, this still works, which indicates that cybersecurity awareness is still very low among businesses and consumers. There is still a lot of education that needs to be done to make such attacks less effective. Until then, without proper security and data protection measures in place, the risk of falling victim to ransomware remains high.

Bad Rabbit key facts:

•     Uses pieces of code from NonPetya/ExPetr
•     Distributed as fake Flash update requiring manual installation by a user
•     Uses system driver for encryption
•     Tries to distribute itself via local network in a primitive way
•     Replaces MBR and makes PC unusable
•     Crashed on Windows 10
•     Mainly affected Windows corporate users

Infection scheme and technical details

The main target for Bad Rabbit are companies and business and as of now, we see that the infection levels are already subsiding. The malicious server is no longer alive and most of the infected sites that hosted the script that dangerous Flash update are currently down or cleaned up. That doesn’t mean, however, that you as a business or individual should relax because a new attack can happen anytime.

To launch the attack, cybercriminals hacked some popular media websites and posted a link to a fake Adobe Flash installer, asking users to run the update when they visited the website. Many users fell for the trick, even though security companies for years have been warning people against installing software updates from untrusted sources. It’s also recommended to check all updates with an anti-malware solution before installing to be sure that they are not hacked or injected with malicious code. Similar fake Adobe software updates were very popular infection schemes years ago and as we see, unfortunately, it continues to be effective now.

The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php. After that the user downloads install_flash_player.exe file, which needs administrative privileges in the system. Funnily enough, it attempts to obtain these using the standard UAC prompt. If started, the dropper extracts a file-level encryption module infpub.dat (which is a dll actually) and a disk level encryption module dispci.exe and kernel mode driver cscc.dat (which is actually legal dcrypt.sys file).

After the user voluntarily infects the machine, Bad Rabbit attempts to spread itself over the local network using a known mimikatz tool which lets you extract Windows credentials from Local Security Authority in open form, as well as embedded credential list containing some of the worst password examples. Bad guys know that “12345” or “password” have been at the top of the password lists for years and these passwords continue to be effective.

Bad Rabbit uses two types of encryption – file and disk level. It doesn’t imitate chkdsk.exe like NonPetya did to hide encryption, nor does it use any vulnerability in Microsoft file server srv.sys. Firstly, Bad Rabbit launches file level encryption (infpub.dat via rundll32), if it finds enough files to encrypt. After that, it creates tasks in the Scheduler for launching the dispci.exe to encrypt drives and then forces a system restart. After the first restart, dispci.exe writes an extended loader at the end of the disk, which will get all the control via the malicious MBR later. Finally, the whole disk is encrypted with a legitimate driver, MBR is rewritten and the PC restarts again to display a ransom message demanding 0.05 bitcoin (which is roughly $275).

An interesting point is that under Windows 10 the driver module used for encryption is often causing a BSOD (Blue Screen Of Death) because of the compatibility issues. Another thing is that when it encrypts the file, the file extension stays the same, which can trick the heuristics used by some antiviruses, which react on file extension changes. Bad Rabbit can work offline and this potentially means that the sample can infect other machines when stored and distributed on a flash drive.

Guard against Bad Rabbit by following simple security rules:

– Install and enable reliable anti-malware and backup solutions.

– Only install software updates from official websites or when the software prompts you to do so in Windows. Many 3rd party software vendors like Adobe actually update software automatically, so you should not see any requests for updates, especially when reading your favorite news websites. Even better – you can remove Flash at all if you don’t need it.

Alexander Ivanyuk, global director, product and technology, Acronis
Image source: Shutterstock/Martial Red