Bad Rabbit is a new ransomware currently spreading across Eastern Europe. News reports say it is targeting mainly media organizations in Russia and infrastructure and transportation services in Ukraine. Initial analysis shows that it bears some similarities to Petya, a ransomware family that caused widespread damage in June. Bad Rabbit uses an exploit that targets Server Message Block (SMB) vulnerabilities.
Here’s what we know:
I’m a Trend Micro customer, am I protected?
Yes, Trend Micro products with XGen™ security proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update.
How does it infect users?
Bad Rabbit uses a typical watering hole attack: several compromised sites try to convince visitors to install a fake Flash installer. If the user runs it, the installer drops malicious files.
Figure 1. Infection chain of Bad Rabbit
How does it work?
The fake Flash installer drops several files that encrypt the victim's files and shut down the machine.
The ransomware then modifies the system's master boot record (MBR), displays a ransom note, and finally reboots the infected system.
Three of the malicious files are named after dragons from the popular TV series Game of Thrones: rhaegal.job, drogon.job, and viserion_23.job.
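The three .job names above are the kind of indicator a responder can sweep for on Windows hosts. The following is an added example, not code from the original post or from Trend Micro: it parses the CSV form of `schtasks /query /fo CSV /v` output and a directory listing of the Tasks folder, both constructed here, and flags tasks whose name matches the known Bad Rabbit task names. The extra "shutdown in the task action" heuristic is an assumption added here, mirroring the reboot step described above, and is not an indicator from the post.

```python
import csv
import io

# Scheduled-task (.job) names the post attributes to Bad Rabbit, compared without the
# .job extension and case-insensitively.
BAD_RABBIT_TASK_NAMES = {"rhaegal", "drogon", "viserion_23"}

# Constructed sample of `schtasks /query /fo CSV /v` output (columns trimmed); the rows,
# host name and commands are made up for this example, not captured from a real infection.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Next Run Time","Status","Task To Run"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c"
"WS01","\\drogon","N/A","Ready","shutdown.exe /r /t 0 /f"
"WS01","\\rhaegal","N/A","Ready","C:\\Windows\\PLACEHOLDER-PAYLOAD.exe"
"WS01","\\Adobe Flash Player Updater","N/A","Ready","C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerUpdateService.exe"
'''

# Constructed directory listing of C:\Windows\Tasks, where legacy .job files live.
SAMPLE_TASK_DIR_LISTING = ["SA.DAT", "drogon.job", "viserion_23.job", "VendorUpdater.job"]


def normalize_task_name(task_name):
    """Reduce '\\folder\\name.job' or 'C:\\Windows\\Tasks\\name.job' to 'name' for comparison."""
    base = task_name.replace("/", "\\").rsplit("\\", 1)[-1]
    if base.lower().endswith(".job"):
        base = base[:-4]
    return base.lower()


def find_bad_rabbit_tasks(schtasks_csv):
    """Flag scheduled tasks whose name is a known indicator or whose action forces a reboot."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = normalize_task_name(row["TaskName"])
        action = row.get("Task To Run", "") or ""
        reasons = []
        if name in BAD_RABBIT_TASK_NAMES:
            reasons.append("task name matches a known Bad Rabbit task")
        # Heuristic added in this example (an assumption, not an indicator from the post):
        # a task whose action forces a shutdown or reboot mirrors the reboot step described.
        if "shutdown" in action.lower():
            reasons.append("task action forces a shutdown/reboot")
        if reasons:
            findings.append({"task": row["TaskName"], "action": action, "reasons": reasons})
    return findings


def find_bad_rabbit_job_files(filenames):
    """Return .job files from a Tasks directory listing whose names match the known indicators."""
    return sorted(f for f in filenames if normalize_task_name(f) in BAD_RABBIT_TASK_NAMES)


if __name__ == "__main__":
    for hit in find_bad_rabbit_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']}: {'; '.join(hit['reasons'])} (action: {hit['action']})")
    print("suspicious .job files:", find_bad_rabbit_job_files(SAMPLE_TASK_DIR_LISTING))
```

On a real host, feed the script the output of `schtasks /query /fo CSV /v` and a listing of `C:\Windows\Tasks`; a name match is a strong indicator, while the shutdown heuristic alone only warrants a closer look.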
Figure 2. Bad Rabbit ransom note
Figure 3. Payment page showing the name Bad Rabbit
How does it spread?
It uses a dictionary attack to harvest credentials from the infected computer, then tries to access other computers on the same network and spread laterally.
Bad Rabbit also attempts to brute-force any administrative shares it finds; if successful, it drops a copy of itself into those shares.
If these brute-force attempts fail, it uses an exploit targeting the Eternal Romance SMB vulnerability, which was fixed in MS17-010. These vulnerabilities were patched in March of this year.
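The lateral-movement behaviour described in this section (credential guessing against network logons, then access to administrative shares) leaves a recognisable trail in the Windows Security log. The following is an added example, not code from the original post or from Trend Micro: it correlates constructed 4625 (failed logon), 4624 (successful logon) and 5140 (share accessed) records per source address and reports when a burst of failures is followed by a success and an ADMIN$ or C$ access. The field names, threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Administrative shares the post says Bad Rabbit brute-forces and copies itself into.
ADMIN_SHARES = {"ADMIN$", "C$"}
FAILURE_THRESHOLD = 5             # failed network logons from one source ...
WINDOW = timedelta(seconds=60)    # ... within this sliding window (assumed tuning values)

# Constructed Windows Security events. "id" is the EventID; "src", "user", "logon_type" and
# "share" stand in for the IpAddress, TargetUserName, LogonType and ShareName EventData fields
# of 4625, 4624 and 5140. Timestamps, addresses and user names are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2017-10-24T12:55:00", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:00:50", "id": 4625, "src": "10.0.0.7", "user": "jdoe", "logon_type": 3},
    {"time": "2017-10-24T13:00:55", "id": 4624, "src": "10.0.0.7", "user": "jdoe", "logon_type": 3},
    {"time": "2017-10-24T13:01:00", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:01:05", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:01:10", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:01:15", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:01:20", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:01:30", "id": 4624, "src": "10.0.0.15", "user": "Administrator", "logon_type": 3},
    {"time": "2017-10-24T13:01:40", "id": 5140, "src": "10.0.0.15", "user": "Administrator", "share": "\\\\*\\ADMIN$"},
    {"time": "2017-10-24T13:02:00", "id": 5140, "src": "10.0.0.7", "user": "jdoe", "share": "\\\\*\\ADMIN$"},
]


def _share_base(share_name):
    """Reduce a ShareName such as '\\\\*\\ADMIN$' to 'ADMIN$'."""
    return share_name.rstrip("\\").rsplit("\\", 1)[-1].upper()


def detect_smb_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Correlate failed network logons, a later success and admin-share access per source.

    Returns (src, stage, time) tuples: 'brute_force' when a source crosses the failure
    threshold inside the window, 'logon_after_brute_force' when that source later
    authenticates, and 'admin_share_access' when it then opens ADMIN$ or C$.
    """
    events = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    flagged = set()                         # sources that crossed the threshold
    findings = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        if ev["id"] == 4625 and ev.get("logon_type") == 3:
            q = recent_failures[src]
            q.append(t)
            while q and t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append((src, "brute_force", ev["time"]))
        elif ev["id"] == 4624 and ev.get("logon_type") == 3 and src in flagged:
            findings.append((src, "logon_after_brute_force", ev["time"]))
        elif ev["id"] == 5140 and src in flagged and _share_base(ev["share"]) in ADMIN_SHARES:
            findings.append((src, "admin_share_access", ev["time"]))
    return findings


if __name__ == "__main__":
    for src, stage, when in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(f"{when} {src}: {stage}")
```

The single failure from 10.0.0.7 followed by its own ADMIN$ access is left alone, while 10.0.0.15 is reported at each stage; note that 5140 events only appear when "Audit File Share" auditing is enabled, so the last stage is silent on hosts without it.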
How can you protect yourself?
Keep your systems updated and patched. Cybercriminals often take advantage of known vulnerabilities, but vendors release patches regularly, and applying them protects users from many attacks.
Back up files habitually. Ransomware distributors gain leverage by encrypting files and threatening you with data loss; if you have backups of the affected files, the cybercriminal loses that leverage.