Home / Vulnerability Management / Bad Rabbit – Another Ransomware

Bad Rabbit – Another Ransomware

BadRabbit – Ransomware

Unsurprisingly, a new variant ransomware attack has reportedly felled a number of predominantly Eastern European organisations. Amongst others, Interfax a Russian media site tweeted that “Servers had failed due to a Hacker Attack”, and Odessa International Airport posted on Facebook that “Information Systems had been hacked”. Although none of the victims have made it clear, it is believed they have been compromised by Ransomware named BadRabbit.

Bad Rabbit is delivered through a fake Adobe Flash update called “install_flash_player.exe”, which is served via an infected website. BadRabbit is similar to Petya the ransom note is almost identical also BadRabbit can use SMB to propagate across a network and check for hard coded credentials. It does not try to circumvent UAC, instaed relying on social engineering to convince victims to allow it to escalate privileges and install.

Once executed, BadRabbit uses MimiKatz opensource tool to harvest credentials and escalate privileges. After acquiring the privileges it creates two files under Windows, infpub.dat and cscc.dat which when executed via rundll32 installs dispci.exe to Windows which encrypts multiple file types, installs a boot loader and then reboots to the ransomware screen, the OS then fails to load.

Victims are faced with an onscreen ransom note showing them a ‘Personal Installation Key’, and directing them to a Tor based website, the website is titled ‘BADRABBIT’. Victims are asked to pay 0.05 Bitcoins which will release the decrypt key they can enter into the onscreen ransom note.

 

Qualys and BadRabbit

Qualys customers can scan their environment for QID 1043, this QID requires an authenticated scan and will check for the presence of the following files

%windir%\infpub.dat
%windir%\dispci.exe
%windir%\cscc.dat

This QID was published on 24th of October, only scans started after this date will check for the presence of the files.

Using Qualys Indication of Compromise to find machines on and off the network infected with Bad Rabbit using the following hashes.

install_flash_player.exe [SHA256]:630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
C:\Windows\dispci.exe [SHA256]:8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
C:\windows\infpub.dat [SHA256]:579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
C:\windows\cscc.dat [SHA256]:8d63e37aa74ca33a926bec7c7aa8fda0f764ffbb20e8f64bb9c3999b5975f9a6

 

Other mitigation

  • Disable WMI
  • Create two files in C:\Windows\infpub.dat, and C:\Windows\cscc.dat, and remove All Permissions, including inherited permissions. (untested)
  • Have a robust, timely patching regime, it goes a long way to protect against this and other as yet unknown ransomwares.
  • Have a strong, regularly tested backup system in place, even with a network wide ransomware attack and weak patching, a strong backup practices should provide a last known good state.
  • Eradicate the use of Flash as much as possible, preferably forever!
  • Exercise model of least privileges, avoid having users as local admins.