The Bad Rabbit ransomware, which first surfaced in October 2017, is believed to be a variant of Petya. It hit over 200 organizations across Eastern Europe that year. Like other ransomware, a Bad Rabbit infection locks victims out of their computers, servers, or files until a ransom is paid.


History of Bad Rabbit


Bad Rabbit first surfaced in October 2017 and resembles the WannaCry and Petya ransomware strains.

Bad Rabbit masquerades as an Adobe Flash Player installer and is distributed through compromised websites: the attackers injected JavaScript into the sites' HTML that prompted visitors to install a fake Flash update. This is often described as a drive-by download, but merely visiting a compromised site was not enough to get infected; the victim had to download and run the installer.

Because the watering-hole sites were largely media outlets, some researchers and observers suggested that Bad Rabbit was run by a state-funded group going after disruptive media. Beyond the media-heavy target list, however, there is no solid evidence to back up that claim.


The Spread of Bad Rabbit


Bad Rabbit's first wave used compromised Russian and other Eastern European media websites (see the list below). On these sites the attackers served fake Adobe Flash Player installers that, when a visitor downloaded and ran them manually, launched the Bad Rabbit ransomware.

Once the malicious executable runs, Bad Rabbit scans the local network for SMB shares and tries to log into them with a hard-coded list of common usernames and passwords. It also carries a Mimikatz-derived module to harvest additional credentials and reach further SMB shares. Mimikatz recovers cleartext passwords and password hashes from memory, and attackers routinely use this post-exploitation technique to move laterally within a network.

With valid credentials in hand, Bad Rabbit executes its payload on other Windows hosts on the network through the Windows Management Instrumentation Command-line tool (WMIC).


Finally, it uses an implementation of the EternalRomance SMB exploit, closely resembling the publicly available Python proofs of concept, to overwrite the session security context on unpatched hosts and gain the access needed to run code on them. Bad Rabbit then uses that access to launch DiskCryptor, an open-source disk-encryption utility, and encrypts the victim's full disk.
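
The spread sequence above (credential brute force against SMB, a successful logon, then remote execution through WMIC) is the kind of chain a SOC can correlate from Windows Security events. The following Python is an added example, not code from the original article or from any Bad Rabbit analysis: the event records are constructed, the thresholds (five distinct accounts within two minutes, a ten-minute follow-up window) and the field names are assumptions chosen for illustration, and the rundll32 command line in the sample is a placeholder rather than the actual Bad Rabbit payload.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events, not real telemetry. Each record is
# (timestamp, event_id, fields). 4625/4624 carry the logging host, the client's
# WorkstationName and the logon type; 4688 carries the created command line.
SAMPLE_EVENTS = [
    ("2017-10-24T13:00:01", 4625, {"host": "FS01", "src_host": "WS07", "user": "Administrator", "logon_type": 3}),
    ("2017-10-24T13:00:02", 4625, {"host": "FS01", "src_host": "WS07", "user": "Admin", "logon_type": 3}),
    ("2017-10-24T13:00:02", 4625, {"host": "FS01", "src_host": "WS07", "user": "Guest", "logon_type": 3}),
    ("2017-10-24T13:00:03", 4625, {"host": "FS01", "src_host": "WS07", "user": "root", "logon_type": 3}),
    ("2017-10-24T13:00:03", 4625, {"host": "FS01", "src_host": "WS07", "user": "backup", "logon_type": 3}),
    ("2017-10-24T13:00:04", 4625, {"host": "FS01", "src_host": "WS07", "user": "ftp", "logon_type": 3}),
    ("2017-10-24T13:00:05", 4624, {"host": "FS01", "src_host": "WS07", "user": "backup", "logon_type": 3}),
    ("2017-10-24T13:00:09", 4688, {"host": "WS07", "user": "jdoe",
        "command_line": 'wmic.exe /node:"FS01" /user:"backup" process call create "rundll32.exe C:\\Windows\\payload.dll,#1"'}),
    # Benign noise: one mistyped password from another workstation, then success.
    ("2017-10-24T13:02:00", 4625, {"host": "FS01", "src_host": "WS12", "user": "asmith", "logon_type": 3}),
    ("2017-10-24T13:02:05", 4624, {"host": "FS01", "src_host": "WS12", "user": "asmith", "logon_type": 3}),
]

WINDOW = timedelta(minutes=2)          # burst window for failed logons (assumed threshold)
MIN_DISTINCT_USERS = 5                 # hard-coded credential lists cycle many accounts fast (assumed)
FOLLOW_UP = timedelta(minutes=10)      # how long after the burst to look for the next stages (assumed)
WMIC_REMOTE = re.compile(r'\bwmic(?:\.exe)?\b.*?/node:"?(?P<target>[^\s"]+)', re.IGNORECASE)


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def brute_force_bursts(events):
    """Map each source workstation to (start, end, users) for the densest run of
    failed network logons (4625, logon type 3) that tries at least
    MIN_DISTINCT_USERS distinct accounts within WINDOW."""
    failures = defaultdict(list)
    for ts, event_id, f in events:
        if event_id == 4625 and f.get("logon_type") == 3:
            failures[f["src_host"]].append((parse_ts(ts), f["user"]))
    bursts = {}
    for src, recs in failures.items():
        recs.sort()
        best = None
        for i, (t_end, _) in enumerate(recs):
            in_window = [(t, u) for t, u in recs[: i + 1] if t_end - t <= WINDOW]
            users = {u for _, u in in_window}
            if len(users) >= MIN_DISTINCT_USERS and (best is None or len(users) > len(best[2])):
                best = (in_window[0][0], t_end, users)
        if best:
            bursts[src] = best
    return bursts


def detect_lateral_movement(events):
    """Correlate the three stages described in the text: credential brute force
    from a source host, a successful network logon from that host, then wmic.exe
    run on that host with /node: pointing at another machine."""
    findings = []
    for src, (t0, t1, users) in brute_force_bursts(events).items():
        success = None
        targets = []
        for ts, event_id, f in events:
            t = parse_ts(ts)
            if not (t1 <= t <= t1 + FOLLOW_UP):
                continue
            if event_id == 4624 and f.get("logon_type") == 3 and f["src_host"] == src:
                success = success or t          # keep the earliest success after the burst
            elif event_id == 4688 and f["host"] == src:
                m = WMIC_REMOTE.search(f.get("command_line", ""))
                if m:
                    targets.append(m.group("target"))
        stage = "brute_force"
        if success is not None:
            stage = "remote_exec" if targets else "credential_success"
        findings.append({
            "source": src,
            "burst_start": t0.isoformat(),
            "users_tried": sorted(users),
            "successful_logon": success.isoformat() if success else None,
            "wmic_targets": targets,
            "stage": stage,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(SAMPLE_EVENTS):
        print(finding)
```

The single failed logon from WS12 is below the burst threshold and produces no finding; WS07 reaches the "remote_exec" stage because a burst, a success and a wmic /node: process creation all line up within the follow-up window. In production the same logic would read from a SIEM rather than a list, and the 4688 correlation needs command-line auditing enabled on endpoints.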



Systems that are Prone to Bad Rabbit


Bad Rabbit affects unpatched Windows systems from Windows 7 onward. Initial reports claimed that the ransomware used no NSA-developed exploits; later analysis found that it does carry an EternalRomance implementation, so the MS17-010 update that closes that SMB flaw matters here as well.

Keep systems patched and updated. Cybercriminals frequently rely on known exploits, and vendor updates shield users from many of them. Back up your files regularly, and keep at least one copy offline or otherwise unreachable over SMB, since Bad Rabbit spreads to network shares. Ransomware operators gain leverage by encrypting your files and threatening to leave them unrecoverable; with backups of the affected files, that leverage is gone.


List of Compromised Websites

Visitors to the following websites were tricked into downloading the Bad Rabbit installer.

  • hxxp://www.fontanka[.]ru
  • hxxp://www.otbrana[.]com
  • hxxp://grupovo[.]bg
  • hxxp://[.]ua
  • hxxp://spbvoditel[.]ru
  • hxxp://blog.fontanka[.]ru
  • hxxp://www.pensionhotel[.]cz
  • hxxp://www.sinematurk[.]com
  • hxxp://most-dnepr[.]info
  • hxxp://www.imer[.]ro
  • hxxp://calendar.fontanka[.]ru
  • hxxp://an-crimea[.]ru
  • hxxp://www.online812[.]ru
  • hxxp://[.]jp
  • hxxp://www.mediaport[.]ua
  • hxxp://ankerch-crimea[.]ru
  • hxxp://novayagazeta.spb[.]ru
  • hxxp://[.]ua
  • hxxp://www.grupovo[.]bg
  • hxxp://argumenti[.]ru
  • hxxp://bg.pensionhotel[.]com
  • hxxp://argumentiru[.]com
  • hxxp://www.t.ks[.]ua
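
To make the list usable for a retro-hunt, the defanged entries have to be refanged and then matched against proxy or DNS logs. The Python below is an added example, not code from the original article; the proxy log lines are constructed, and the script uses only a subset of the list. It deliberately handles the truncated entries (hxxp://[.]ua and hxxp://[.]jp), which refang to a bare top-level domain: a naive suffix match on them would flag every .ua or .jp request, so they are reported as incomplete and left out.

```python
import re
from urllib.parse import urlsplit

# A subset of the defanged watering-hole list above, as constructed input;
# the hxxp://[.]ua entry is included on purpose because its hostname was
# lost before publication and must not be matched as a bare TLD.
DEFANGED_IOCS = [
    "hxxp://www.fontanka[.]ru",
    "hxxp://grupovo[.]bg",
    "hxxp://[.]ua",
    "hxxp://blog.fontanka[.]ru",
    "hxxp://www.t.ks[.]ua",
    "hxxp://argumentiru[.]com",
]

# Constructed proxy log lines (timestamp client method url status); not real traffic.
PROXY_LOG = """\
1508850000.123 10.0.0.5 GET http://www.fontanka.ru/ 200
1508850001.456 10.0.0.5 GET http://www.fontanka.ru/news/2017/10/24/ 200
1508850002.789 10.0.0.9 GET http://example.com/index.html 200
1508850003.000 10.0.0.12 GET http://news.example.ua/ 200
1508850004.000 10.0.0.7 GET http://GRUPOVO.BG/ 200
1508850005.000 10.0.0.12 GET http://argumentiru.com.evil.example/ 200
"""


def refang(indicator):
    """Turn the usual defanging (hxxp, [.], (.), [:]) back into a parseable URL."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def ioc_hosts(defanged):
    """Return (set of lowercase hostnames, list of entries skipped as incomplete).
    An entry that refangs to fewer than two labels (e.g. '.ua') has lost its
    hostname and is reported instead of being used as a suffix."""
    hosts, incomplete = set(), []
    for entry in defanged:
        host = (urlsplit(refang(entry)).hostname or "").lower()
        labels = [label for label in host.split(".") if label]
        if len(labels) < 2:
            incomplete.append(entry)
            continue
        hosts.add(".".join(labels))
    return hosts, incomplete


def match_proxy_log(log_text, hosts):
    """Flag requests whose host equals a listed host or is a subdomain of one.
    The suffix test is label-based, so argumentiru.com.evil.example does not
    match argumentiru.com."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = (urlsplit(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append({"ts": ts, "client": client, "host": host})
    return hits


if __name__ == "__main__":
    known, skipped = ioc_hosts(DEFANGED_IOCS)
    print("skipped as incomplete:", skipped)
    for hit in match_proxy_log(PROXY_LOG, known):
        print(hit)
```

Matching is case-insensitive on the host and accepts subdomains of a listed host, which is why the list's own overlap (grupovo[.]bg and www.grupovo[.]bg) is harmless; the request to news.example.ua is not flagged because the bare-TLD entry was discarded rather than used as a suffix.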

Extensions That Bad Rabbit Will Attempt to Encrypt

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip


