Bad Rabbit Ransomware Spreading in Eastern Europe ‘with ties to NotPetya’

Bad Rabbit Ransomware is installed via a download and can move laterally within a network.

Reports have surfaced of a new strain of ransomware called Bad Rabbit beginning to spread in Russia and Ukraine. It initially targeted government and media institutions. Infections have also occurred in Turkey and Bulgaria, but the scope of the spread is still unclear.

The malware has affected systems at three Russian websites, including news services such as Interfax; an airport in Ukraine; and an underground railway in Kiev.

Kaspersky and British IT security company ESET have both mentioned links to NotPetya. However, they could not confirm a relation between the two strains. Kaspersky said:

‘Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr [Kaspersky’s name for NotPetya] attack. However, we cannot confirm it is related to ExPetr.’

Rik Ferguson, VP of security research at Trend Micro, tweeted that the ‘outbreak’ has been blown out of proportion.

How Bad Rabbit Ransomware Works

Bad Rabbit spreads itself through downloads. It requires a target to take action to install the ransomware – which takes the form of a bogus Adobe Flash installer. Only targets of interest are being infected so far, with We Live Security noting:

“One of the distribution methods of Bad Rabbit is via drive-by download. Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js files…

Server side logic can determine if the visitor is of interest and then add content to the page. In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page.”

Once installed, the ransomware can move laterally within a network using SMB – similar to NotPetya. Malwarebytes said that the two strains were ‘probably prepared by the same authors’:

“Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn’t use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria).”
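Lateral movement driven by a fixed list of usernames and passwords leaves a recognisable trace in the Windows Security log of the targeted host: a burst of failed network logons (event 4625, logon type 3, which covers SMB) from one source, each with a different account name, sometimes followed by a success (4624) for one of those names. The following is an added example, not code from the article or any of the vendors quoted; it runs that check over a small set of constructed events (host names, IPs and account names are made up) shaped like the fields a responder would pull from Get-WinEvent.

```powershell
# Added example: flag one source trying many different accounts against one
# target over the network in a short window (a credential list pushed over SMB).
# All events below are constructed for this example.
$events = @(
    [pscustomobject]@{ Time='2017-10-24 10:00:01'; Id=4625; LogonType=3; Source='10.0.0.15'; Target='FILESRV01'; User='administrator' }
    [pscustomobject]@{ Time='2017-10-24 10:00:02'; Id=4625; LogonType=3; Source='10.0.0.15'; Target='FILESRV01'; User='admin' }
    [pscustomobject]@{ Time='2017-10-24 10:00:02'; Id=4625; LogonType=3; Source='10.0.0.15'; Target='FILESRV01'; User='guest' }
    [pscustomobject]@{ Time='2017-10-24 10:00:03'; Id=4625; LogonType=3; Source='10.0.0.15'; Target='FILESRV01'; User='user' }
    [pscustomobject]@{ Time='2017-10-24 10:00:03'; Id=4625; LogonType=3; Source='10.0.0.15'; Target='FILESRV01'; User='backup' }
    [pscustomobject]@{ Time='2017-10-24 10:00:04'; Id=4624; LogonType=3; Source='10.0.0.15'; Target='FILESRV01'; User='backup' }
    # Benign noise: one person mistyping their own password twice, then succeeding.
    [pscustomobject]@{ Time='2017-10-24 10:05:00'; Id=4625; LogonType=3; Source='10.0.0.42'; Target='FILESRV01'; User='jsmith' }
    [pscustomobject]@{ Time='2017-10-24 10:05:10'; Id=4625; LogonType=3; Source='10.0.0.42'; Target='FILESRV01'; User='jsmith' }
    [pscustomobject]@{ Time='2017-10-24 10:05:20'; Id=4624; LogonType=3; Source='10.0.0.42'; Target='FILESRV01'; User='jsmith' }
)

function Find-CredentialListSpray {
    param(
        [Parameter(Mandatory)] $Events,
        [int]$MinDistinctUsers = 4,   # distinct accounts from one source that count as a list
        [int]$WindowSeconds    = 60   # they must all fall inside this many seconds
    )
    $Events |
        Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 3 } |
        Group-Object Source, Target |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object { [datetime]$_.Time })
            $span   = ([datetime]$sorted[-1].Time) - ([datetime]$sorted[0].Time)
            $users  = @($sorted.User | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers -and $span.TotalSeconds -le $WindowSeconds) {
                # Did one of the tried accounts then log on successfully from the same source?
                $success = $Events | Where-Object {
                    $_.Id -eq 4624 -and $_.Source -eq $sorted[0].Source -and
                    $_.Target -eq $sorted[0].Target -and $users -contains $_.User
                } | Select-Object -First 1
                $succeededAs = if ($success) { $success.User } else { $null }
                [pscustomobject]@{
                    Source        = $sorted[0].Source
                    Target        = $sorted[0].Target
                    DistinctUsers = $users.Count
                    Seconds       = [int]$span.TotalSeconds
                    SucceededAs   = $succeededAs
                }
            }
        }
}

# On the constructed data only 10.0.0.15 is reported: five accounts in two seconds,
# ending in a successful logon as 'backup'. The jsmith retries are not flagged.
Find-CredentialListSpray -Events $events | Format-Table -AutoSize
```

To run this against a real host, replace `$events` with objects built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}` and map the IpAddress, TargetUserName and LogonType fields of each event; the thresholds are deliberately low for the sample and should be tuned to the environment.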

The Latest Outbreak

SentinelOne’s chief security consultant, Tony Rowan, told us, “This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success.”

Interestingly, Malwarebytes says that Bad Rabbit does not use EternalBlue to spread, while Rowan thinks it does. We have gone back to both for more information.

A vaccine, which involves creating c:\windows\infpub.dat and c:\windows\cscc.dat files, has been found, tested and confirmed by security researcher Amit Serper.
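The vaccine described above can be applied with a short script. The following is an added example and not Serper's own script or anything published by the vendors quoted here: it creates the two empty files the article names. Beyond what the article states, it also removes ACL inheritance and denies Everyone access to them, on the assumption that the vaccine works by leaving the dropper unable to write its own payload to those paths; a file that already exists and is not empty is left alone for analysis.

```powershell
# Added example (not from the article): create and lock down the two vaccine files.
# Run from an elevated PowerShell prompt.
$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Install-BadRabbitVaccine {
    param([string[]]$Paths = $vaccineFiles)
    foreach ($path in $Paths) {
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path).Length
            if ($len -gt 0) {
                # A non-empty file here was not created by this script; keep it for analysis.
                Write-Warning "$path already exists and is $len bytes; not touching it"
                continue
            }
        } else {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Assumption beyond the article: strip inherited ACEs and deny Everyone
        # (SID S-1-1-0) full access so the file cannot be overwritten or replaced.
        & icacls.exe $path /inheritance:r | Out-Null
        & icacls.exe $path /deny '*S-1-1-0:(F)' | Out-Null
        Write-Output "vaccinated: $path"
    }
}

function Test-BadRabbitVaccine {
    # Report whether each placeholder is present and carries the Everyone deny ACE.
    param([string[]]$Paths = $vaccineFiles)
    foreach ($path in $Paths) {
        $present = Test-Path -LiteralPath $path
        $denied  = $false
        if ($present) {
            $acl = Get-Acl -LiteralPath $path
            $denied = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
            })
        }
        [pscustomobject]@{ Path = $path; Present = $present; EveryoneDenied = $denied }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

`Test-BadRabbitVaccine` reads the ACL through the owner's implicit rights, so it still works after Everyone has been denied; to undo the vaccine later, take ownership and remove the deny entry with `icacls <file> /remove:d *S-1-1-0` before deleting the file.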

When infected, the virus redirects users to a Tor domain. This domain requires users to pay 0.05 Bitcoin (about $280), with a countdown to an increase in price. It is not yet clear whether users will get their files back or if, like NotPetya, they will simply be destroyed. Infected users have been advised not to pay the ransom.

Researcher Kevin Beaumont discovered that the author(s) appear to be fans of Game of Thrones; BadRabbit creates scheduled tasks named after Daenerys Targaryen’s dragons, Drogon, Rhaegal and Viserion, as well as a reference to the Unsullied fighter Grey Worm (very different to the skin disease greyscale).
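Those task names are a cheap host-level indicator. The following is an added example, not code from the article or from Beaumont: it lists any scheduled task on the local machine whose name matches one of the three names reported above, together with the command each task would run, and can optionally disable them so a responder can preserve the task definition without letting it fire.

```powershell
# Added example (not from the article): sweep the local task scheduler for the
# task names the article attributes to Bad Rabbit and show what they execute.
function Find-BadRabbitTasks {
    param(
        [string[]]$Names = @('drogon', 'rhaegal', 'viserion'),  # names reported in the article
        [switch]$Disable                                        # stop matches from running, keep definitions
    )
    Get-ScheduledTask |
        Where-Object { $Names -contains $_.TaskName.ToLowerInvariant() } |
        ForEach-Object {
            $task = $_
            if ($Disable -and $task.State -ne 'Disabled') {
                Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath | Out-Null
            }
            # One row per action so a task with several commands is fully shown.
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Disabled  = [bool]$Disable
                }
            }
        }
}

# Report only; add -Disable during containment.
Find-BadRabbitTasks | Format-Table -AutoSize
```

`Get-ScheduledTask` and `Disable-ScheduledTask` are part of the ScheduledTasks module shipped with Windows 8 / Server 2012 and later; on older hosts the same names can be checked with `schtasks /query /fo csv /v`. Matching on the task name alone is deliberately narrow, so an empty result does not rule out an infection.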

So far, Russia has seen two-thirds of infections, and just over 12 percent in Ukraine.