Bad Rabbit

It was only 2 weeks ago I attended a presentation around cyber security threats and thought to myself “Ransomware has been very low key recently!” I certainly did not believe it had gone away, Ransomware comes and goes in waves and mostly executed via an exploit kit like Cerber 6 was distributed through the magnitude exploit kit.

So what is Bad Rabbit

On the 24th October security companies and news agencies reported that a widespread ransomware attack was affecting organizations in eastern Europe and Russia. News Article

On the face of it Bad Rabbit seems to have similarities to Petya ransomware which was at large in May this year most commonly or infamously known as #WannaCry

It does not appear to have the sophistication of the May attacks or even Cerber 6 which I retain was the most sophisticated ransomware, and #Wannacry had the most distribution and effect.

rxsajtj16dwbjbbclvrs (1) Look Familiar?

Reports from various security companies at present attribute the distribution to a fake adobe flash player which is being delivered via a drive by method (download from a website). The sites which have been compromised and a redirecting to the Bad Rabbit binary are at present located in Russia, Bulgaria and Turkey.

When a user visited one of the compromised sites they were re-directed to 1dnscontrol[.]com where the malicious file was hosted. This site appears to have been active for around 6 hours before it was taken down.

The file itself requires user authentication or facilitation, essentially your user has to actually run the file, the Bad Rabbit is not using any sophisticated exploit kits or vulnerabilities at this moment for entry BUT once the file has been ran just once it uses an SMB component for further infection or lateral movement. Note research and investigation is still on going with this so if it is found to be using exploit kits I will update.

Technical Details 

The Malware contains a dropper which extracts and runs the payload which contains 2 binaries:

  • Legitimate Binary with DiskCryptor (2 drives typical x86/x64 and 1 client)
  • 2 x mimikatz binaries which is a popular open source tool to recover user credentials from computer memory – this is used for the LAN scan to try and spread the infection.
  1. Binaries are run by user
  2. The files will be placed in to C:\Windows\ directory
  3. A lateral scan on the LAN is then performed – best guess at this point is for lateral movement.
  4. 2 Scheduled tasks are planned to run through RunDLL32.exe
    1. start C:\Windows\dispci.exe
    2. System re-boot (see MRB modification below)
Scheduled task 1
Scheduled task 2

You may notice the names of these scheduled tasks will look familiar especially is you are a Game of Thrones fan (Rhaegal & Drogon) 

Creators fans of GOT clearly

5. Some directories are excluded (as with all ransomware) the OS still needs to function so the victims can actually pay \Windows \Program Files \ ProgramData \AppData are all excluded.

6. The attacked extensions which Bad Rabbit is searching for are below:

3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab
cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu
doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe
jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm
odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php
pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb
rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd
vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx x
ml xvd zip

7. Encryption is done via the Windows Crypto API, where the AES key is generated with a secure function and passed along to the encrypting routine along with the public key which is used later to protect the random encryption key and preserve it in a form which can only be decoded from the attackers.

8. MBR is also corrupted on the victims hard drive so that the systems hard drive will redirect the boot process to the malware’s code so it displays a ransom, in other words this is persistent and a reboot as with all ransomware will not stop / clean up an infection.

9. Encryption takes place and the below message is displayed:

rxsajtj16dwbjbbclvrs (1)


The code is similar to the earlier attacked in the yeah of Petya/NonPetya which suggest the authors possibly could be the same, so far reports suggest the de-crypt keys actually unlock the data and top my knowledge there is not a common key to de-crypt.

It will be interesting to see if Microsoft Windows 10 and their latest folder level access and security permissions could stop this ransomware strain. Windows 10 Ransomware prevention.

If you want to learn how to stop ransomware, or mitigate the risk see my previous POST

I will update this article as more details come through on Bad Rabbit.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s