Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia

A ransomware campaign is currently ongoing, hitting Eastern European countries with what appears to be a variant of the Petya ransomware, dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro products with XGen™ security detect this ransomware as TROJ.Win32.TRX.XXPE002FF019. The attack comes a few months after the previous Petya outbreak, which struck European countries in June.

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian national CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

Figure 1: Bad Rabbit ransom note showing the installation key

Our initial findings indicate that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer, “install_flash_player.exe”. Compromised sites are injected with a script containing a URL that resolves to hxxp://1dnscontrol.com/flash_install, which is inaccessible as of the time of publication. We have observed compromised sites in Denmark, Ireland, Turkey, and Russia delivering the fake Flash installer.

Figure 2: Code showing the injected script

Once the fake installer is run, it drops the encryptor component infpub.dat, which is loaded through the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit registers a trio of scheduled tasks whose .job files reference the show Game of Thrones: rhaegal.job is responsible for executing the decryptor file, and a second job file, drogon.job, is responsible for shutting down the victim’s machine. The ransomware then proceeds to encrypt files on the system and displays the ransom note shown above.

A third file, viserion_23.job, reboots the target system a second time, after which the screen is locked and the following note is displayed:

Figure 3: Bad Rabbit ransom note displayed after system reboot

From our initial analysis, Bad Rabbit spreads to other computers on the network by dropping copies of itself onto remote machines under its original file name and executing the dropped copies through Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it performs a dictionary attack to obtain the credentials it needs.
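The credential guessing described above leaves a recognizable trace on the targets: a burst of failed logons (Windows Security log Event ID 4625) from one source host against several account names, followed, where a guess succeeds, by a new service registration (System log Event ID 7045) whose binary is the copied payload. The following Python detector is an added example, not Trend Micro’s code or anything recovered from the sample. The event records it processes are constructed, the thresholds are assumptions to tune per environment, and the `C:\Windows` location in the constructed 7045 record is an assumption, since the post only names the file.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625       # Security log: an account failed to log on
EVENT_SERVICE_INSTALLED = 7045  # System log: a new service was installed

# Component names taken from the post; used to spot the payload in 7045 records.
BADRABBIT_FILE_NAMES = ("infpub.dat", "dispci.exe", "install_flash_player.exe")


def _ev(ts, eid, host, src, user, detail=""):
    """Build one normalized event record (constructed, not captured data)."""
    return {"ts": datetime.fromisoformat(ts), "id": eid, "host": host,
            "src": src, "user": user, "detail": detail}


# Constructed sample log: 12 failed logons against WS-07 from 10.0.0.5 within
# 44 seconds, cycling through four account names; one unrelated typo from
# 10.0.0.9; then a service install on WS-07 pointing at the dropped DLL.
SAMPLE_EVENTS = (
    [_ev(f"2017-10-24T10:15:{s:02d}", EVENT_FAILED_LOGON, "WS-07", "10.0.0.5", u)
     for s, u in zip(range(0, 48, 4),
                     ["Administrator", "admin", "backup", "user1"] * 3)]
    + [_ev("2017-10-24T10:16:30", EVENT_FAILED_LOGON, "WS-07", "10.0.0.9", "alice")]
    + [_ev("2017-10-24T10:17:02", EVENT_SERVICE_INSTALLED, "WS-07", "", "SYSTEM",
           r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat")]  # path assumed
)


def find_dictionary_attacks(events, window=timedelta(minutes=2),
                            min_failures=10, min_accounts=3):
    """Return {src: (failures, sorted accounts)} for sources with a 4625 burst.

    Sliding window per source host: if any `window` holds at least
    `min_failures` failed logons spread over at least `min_accounts` distinct
    account names, that source is guessing credentials rather than mistyping.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == EVENT_FAILED_LOGON and e["src"]:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            # Advance the window end; j never moves backwards because evs is sorted.
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            burst = evs[i:j]
            accounts = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                hits[src] = (len(burst), sorted(accounts))
                break
    return hits


def find_suspicious_service_installs(events, names=BADRABBIT_FILE_NAMES):
    """Return 7045 records whose service binary references a known component."""
    return [e for e in events
            if e["id"] == EVENT_SERVICE_INSTALLED
            and any(n in e["detail"].lower() for n in names)]


def triage(events=SAMPLE_EVENTS):
    """Combine both signals into a list of human-readable findings."""
    findings = []
    for src, (n, accounts) in find_dictionary_attacks(events).items():
        findings.append(f"{src}: {n} failed logons across {len(accounts)} accounts "
                        f"({', '.join(accounts)}) - likely SCM/SMB dictionary attack")
    for e in find_suspicious_service_installs(events):
        findings.append(f"{e['host']}: new service runs {e['detail']}")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Feeding real data means normalizing exported Security and System events into the same record shape (timestamp, event ID, target host, source address, account, image path); the correlation logic itself does not change. Tune the thresholds against a baseline, since helpdesk resets or misconfigured services can produce short failed-logon runs from one host.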

Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses to extract credentials. We have also found evidence of it using DiskCryptor, a legitimate open-source disk encryption tool, to encrypt the target systems’ disks.

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit through the use of the best practices found in this guide.

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Further information about Trend Micro solutions can be found in this article.

The following SHA256 hashes are detected as RANSOM_BADRABBIT.A:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Additional SHA1 hashes related to this ransomware, by file name:

install_flash_player.exe:

  • de5c8d858e6e41da715dca1c019df0bfb92d32c0

infpub.dat:

  • 79116fe99f2b421c52ef64097f0f39b815b20907
  • 2d963fcd2c6bcba05735a88ea4cbf6fd5f89a21c

dispci.exe:

  • afeee8b4acff87bc469a6f0364a81ae5d60a2add
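To hunt for the artifacts this post describes, both the infection-chain components (the dropped files and the Game of Thrones .job tasks) and the hashes listed above, a practitioner wants one sweep that checks file digests against both lists, falls back to the dropped file names, and inspects the scheduled tasks. The Python below is an added example, not Trend Micro’s code. The hash values, file names and task names come from the post; the `schtasks /query /fo CSV /v` output it parses and the files its demo creates are constructed, and `C:\Windows` as the drop location is an assumption.

```python
import csv
import hashlib
import io
import os
import tempfile

# Indicators copied from the post.
SHA256_IOCS = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
}
SHA1_IOCS = {
    "de5c8d858e6e41da715dca1c019df0bfb92d32c0",  # install_flash_player.exe
    "79116fe99f2b421c52ef64097f0f39b815b20907",  # infpub.dat
    "2d963fcd2c6bcba05735a88ea4cbf6fd5f89a21c",  # infpub.dat
    "afeee8b4acff87bc469a6f0364a81ae5d60a2add",  # dispci.exe
}
DROPPED_NAMES = {"infpub.dat", "dispci.exe", "install_flash_player.exe"}
TASK_NAMES = {"rhaegal", "drogon", "viserion_23"}

# Constructed stand-in for `schtasks /query /fo CSV /v` output (real output has
# many more columns). The C:\Windows path for dispci.exe is an assumption.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Task To Run"
"WS-07","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c"
"WS-07","\rhaegal","Ready","C:\Windows\dispci.exe"
"WS-07","\drogon","Ready","shutdown.exe /r /t 0 /f"
'''


def hash_file(path, chunk=1 << 20):
    """Return (sha1, sha256) hex digests, reading in chunks for large files."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return h1.hexdigest(), h256.hexdigest()


def sweep_files(root, sha1_iocs=SHA1_IOCS, sha256_iocs=SHA256_IOCS,
                names=DROPPED_NAMES):
    """Walk `root`; return (path, reason) for hash or dropped-name matches.

    A hash match is strong evidence; a name-only match is weaker (a repacked
    sample changes its digest but often keeps its file name), so the reason
    string says which one fired.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha1, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if sha256 in sha256_iocs:
                findings.append((path, f"sha256 match {sha256}"))
            elif sha1 in sha1_iocs:
                findings.append((path, f"sha1 match {sha1}"))
            elif name.lower() in names:
                findings.append((path, f"file name {name} matches dropped component"))
    return findings


def suspicious_tasks(schtasks_csv):
    """Parse schtasks CSV; return (TaskName, Task To Run) for the named tasks."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        leaf = row.get("TaskName", "").strip().rsplit("\\", 1)[-1].lower()
        if leaf in TASK_NAMES:
            hits.append((row["TaskName"], row.get("Task To Run", "")))
    return hits


def demo():
    """Exercise the sweep offline on a throw-away tree of constructed files.

    One file is matched by name only; another harmless file's own digest is
    added to the IOC set so the hash path is exercised without real malware.
    """
    root = tempfile.mkdtemp(prefix="badrabbit-demo-")
    sample = os.path.join(root, "sample.bin")
    for fname, data in (("sample.bin", b"constructed sample, not malware\n"),
                        ("infpub.dat", b"name-only match\n"),
                        ("notes.txt", b"benign\n")):
        with open(os.path.join(root, fname), "wb") as f:
            f.write(data)
    _, digest = hash_file(sample)
    files = sweep_files(root, sha256_iocs=SHA256_IOCS | {digest})
    tasks = suspicious_tasks(SAMPLE_SCHTASKS_CSV)
    return sorted(reason for _, reason in files), [name for name, _ in tasks]


if __name__ == "__main__":
    print(demo())
```

On a live host, point `sweep_files` at the system drive and pipe the real `schtasks /query /fo CSV /v` output into `suspicious_tasks`; the SHA1 list is checked only when the SHA256 list misses, so a sample known under both digests is reported once.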

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 25 October 2017; the full text is available at the source linked above.