Bad Rabbit: What you need to know

Bad Rabbit: What you need to know

The recent outbreak of a ransomware variant known as Bad Rabbit has caused widespread concern, and has been covered extensively on social media and in the news. 

By Kevin O’Reilly

Principal Consultant

26 Oct 2017

The initial delivery vector is via a drive-by-download from a number of legitimate compromised Russian web sites, delivered as a fake Adobe Flash update. The download is from http://1dnscontrol[.]com. The download is an executable with the Adobe Flash icon which requires the user to run it.

Once installed, the ransomware will attempt to spread via the network. It uses DHCP to find other machines on the same subnet, and attempts to connect to them over SMBv1 using usernames and passwords either from an internal list, or that it has extracted from the host via mimikatz functionality. Bad Rabbit is also reported to contain the Eternal Romance exploit which takes advantage of the Windows vulnerability described in MS17-010. Bad Rabbit can thus be thwarted by ensuring all systems are patched and up-to-date, SMBv1 is disabled and a strong password policy is in place.

The malware will reboot the system in order to encrypt files. It may be possible to prevent the reboot using the command: shutdown -a, which will prevent encryption, allowing an opportunity to remove the malware. If the system is allowed to reboot, a variety of files across the system are encrypted with a ransom note that is in the same format as that seen with Petya/NotPetya. 

Our advice with this malware variant is the same as that for the earlier WannaCry outbreak. Read our blog post here: WannaCry: What you need to know.


We conducted the analysis of the malware's behaviour using our CAPE tool:

If you have a question for us or require any further information, please get in touch.

Contact Us

About Kevin O’Reilly

Principal Consultant

CHECK IT Health Check Service
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor