Bad Rabbit: What you need to know


The recent outbreak of a ransomware variant known as Bad Rabbit has caused widespread concern, and has been covered extensively on social media and in the news. 

The initial delivery vector is a drive-by download from a number of legitimate but compromised Russian web sites, presented as a fake Adobe Flash update. The download is served from http://1dnscontrol[.]com. It is an executable carrying the Adobe Flash icon, and it requires the user to run it; there is no exploit at this stage.
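The delivery stage above leaves a simple trail in web-proxy logs: a client fetching an executable from the download domain named in the post. The following PowerShell is an added example for defenders, not code from the original post or from the analysis tool it mentions. The log format, the sample lines and the file names in them are constructed for illustration; the only indicator taken from the post is the domain 1dnscontrol.com.

```powershell
# Added example (not part of the original post): flag proxy-log entries that match
# the Bad Rabbit delivery pattern described above, i.e. a client fetching a file
# from the download domain named in the post.
# Assumed log format (constructed): <timestamp> <client-ip> <method> <url> <status>

function Find-BadRabbitDownloads {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Indicator from the post; extend with any further hosts your intel feed supplies.
        [string[]]$Hosts = @('1dnscontrol.com')
    )
    foreach ($line in $LogLines) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 5) { continue }          # malformed line, skip it
        $url = $parts[3]
        try { $uri = [uri]$url } catch { continue }   # not a parseable URL, skip it
        # Match the exact host or any subdomain of it.
        $hostMatch = $Hosts | Where-Object { $uri.Host -eq $_ -or $uri.Host.EndsWith(".$_") }
        if ($hostMatch) {
            [pscustomobject]@{
                Time       = $parts[0]
                ClientIP   = $parts[1]
                Url        = $url
                # An executable from this host is the strongest signal; page views are weaker.
                Executable = $uri.AbsolutePath.ToLower().EndsWith('.exe')
            }
        }
    }
}

# Constructed sample log lines (file names are invented for the example).
$sampleLog = @(
    '2017-10-24T10:15:01Z 10.0.0.15 GET http://1dnscontrol.com/index.php 200',
    '2017-10-24T10:15:03Z 10.0.0.15 GET http://1dnscontrol.com/update.exe 200',
    '2017-10-24T10:15:04Z 10.0.0.22 GET http://cdn.1dnscontrol.com/update.exe 200',
    '2017-10-24T10:16:10Z 10.0.0.31 GET https://www.example.com/ 200',
    'garbage line that does not parse'
)

$hits = Find-BadRabbitDownloads -LogLines $sampleLog
# Expect three hits from the sample: the index page and two executable downloads.
$hits | Format-Table -AutoSize

# Clients that actually pulled an executable are the ones to isolate and triage first.
$hits | Where-Object Executable | Select-Object -ExpandProperty ClientIP -Unique
```

The function emits objects rather than text so the results can be piped into a ticketing or SIEM export step; the Executable flag separates hosts that merely browsed a compromised page from those that downloaded the fake updater and need a closer look.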

Once installed, the ransomware attempts to spread across the network. It uses DHCP to find other machines on the same subnet and attempts to connect to them over SMBv1, using usernames and passwords taken either from an internal list or from credentials it has extracted from the host with embedded mimikatz functionality. Bad Rabbit is also reported to contain the Eternal Romance exploit, which takes advantage of the Windows vulnerability described in MS17-010. Bad Rabbit can therefore be thwarted by ensuring that all systems are patched and up to date, that SMBv1 is disabled, and that a strong password policy is in place.
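The mitigations in the paragraph above (patch MS17-010, disable SMBv1) can be audited and enforced from PowerShell. The script below is an added example and is not code from the original post. It assumes an elevated PowerShell 5.1 or later session on Windows 8/Server 2012 or newer, where the SmbShare module supplies Get-SmbServerConfiguration and Set-SmbServerConfiguration. The KB identifiers in the default list are illustrative (the March 2017 security-only updates for Windows 7/2008 R2, 8.1/2012 R2 and 2012); the post does not list them, so map MS17-010 to the exact update for each OS build you run.

```powershell
# Added example (not part of the original post): audit a Windows host for the two
# conditions Bad Rabbit's lateral movement relies on, SMBv1 being enabled and the
# MS17-010 update being absent, and disable SMBv1 where it is still on.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

function Test-Smb1Enabled {
    # Server-side SMBv1 switch; $true means the host still accepts SMBv1 connections.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn SMBv1 off on the server side; -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Where the SMB1Protocol optional feature exists (client SKUs), remove it as well.
    try {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop | Out-Null
    } catch {
        Write-Verbose "SMB1Protocol optional feature not present or not removable here: $_"
    }
}

function Test-Ms17010Installed {
    param(
        # Illustrative KB list; replace with the MS17-010 update IDs for your OS builds.
        [string[]]$KnownKBs = @('KB4012212', 'KB4012213', 'KB4012214')
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KnownKBs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-BadRabbitExposure {
    # Summarise exposure as an object so results can be collected across a fleet.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = Test-Smb1Enabled
        Ms17010Installed = Test-Ms17010Installed
    }
}

$exposure = Get-BadRabbitExposure
$exposure | Format-List

if ($exposure.Smb1Enabled) {
    Write-Warning "SMBv1 is enabled on $($exposure.ComputerName); disabling it."
    Disable-Smb1
}
if (-not $exposure.Ms17010Installed) {
    Write-Warning "No MS17-010 update from the known list found; confirm patch state through Windows Update."
}
```

One caveat on the hotfix check: on Windows 10 and Server 2016 the March 2017 fix ships inside cumulative updates that later cumulatives supersede, so Get-HotFix may not list the original KB on a fully patched machine. Treat a negative result as a prompt to verify against the OS build number rather than as proof the host is unpatched; the SMBv1 check has no such ambiguity.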

The malware reboots the system in order to encrypt files. It may be possible to abort the scheduled reboot with the command shutdown -a, which prevents the encryption and gives an opportunity to remove the malware. If the system is allowed to reboot, a variety of files across the system are encrypted and a ransom note is displayed in the same format as that seen with Petya/NotPetya.

Our advice with this malware variant is the same as that for the earlier WannaCry outbreak. Read our blog post here: WannaCry: What you need to know.

Notes: 

We conducted the analysis of the malware's behaviour using our CAPE tool:


About Kevin O’Reilly

Principal Consultant
