UPDATE: October 27, 2017 09:00 GMT:
It’s been confirmed that BadRabbit also uses the EternalRomance exploit to spread. The blog has been updated with this information.
A new strain of ransomware called BadRabbit (Ransom.BadRabbit) began spreading yesterday, October 24, 2017, with the vast majority of infection attempts seen in Russia. However, because BadRabbit is self-propagating, and can spread across corporate networks, organizations should remain particularly vigilant.
Symantec customers are protected against BadRabbit activity.
How BadRabbit is spread
The initial infection method is through drive-by downloads on compromised websites. The malware is disguised as a fake update to Adobe Flash Player. The download originates from a domain named 1dnscontrol[dot]com, although visitors may have been redirected there from another compromised website.
Once installed on the victim’s computer, BadRabbit attempts to spread itself across their network via SMB (Server Message Block). In order to obtain the necessary credentials, BadRabbit comes packaged with a version of Mimikatz (Hacktool.Mimikatz), a credential-theft tool capable of elevating privileges and recovering Windows passwords in plaintext from memory. The malware also carries a hardcoded list of commonly used default usernames and passwords that it tries against reachable hosts. In addition to this, it uses the EternalRomance exploit, which targets the SMB vulnerability patched by MS17-010, to spread to computers that have not been patched.
BadRabbit first began spreading at around 10am UTC on October 24. Symantec telemetry indicates that the vast majority of infection attempts occurred in Russia in the two hours after it first appeared.
A small number of infection attempts have been logged in other countries. CERT-UA, the Ukrainian Computer Emergency Response Team, said there had been a “massive distribution” of BadRabbit in the country. An earlier bulletin from the agency said Odessa airport and Kiev subway had been affected by a cyber attack, but didn’t specify if BadRabbit had been involved.
Comparisons to Petya
BadRabbit has many similarities to the Petya (Ransom.Petya) outbreak of June 2017. Both malware families use a similar style of ransom note and employ a self-propagating spreading mechanism. Both threats also contain a component that targets the master boot record (MBR) of an infected computer, overwriting the existing MBR.
However, the spreading mechanisms differ: Petya uses both the EternalBlue and the related EternalRomance exploits in addition to classic SMB spreading with stolen credentials, whereas BadRabbit does not use EternalBlue at all and relies on EternalRomance plus the credential-based SMB spreading described above. Secondly, Petya was technically a wiper rather than ransomware, since there was no way of retrieving a decryption key. Our analysis of BadRabbit confirms that it is not a wiper: the encryption is implemented correctly, and encrypted data is recoverable if the key is known.
One of the most notable aspects of BadRabbit is its use of at least three third-party open-source tools. Aside from Mimikatz, BadRabbit also uses the open-source encryption tool DiskCryptor to perform encryption. It also uses drivers from ReactOS, an open-source alternative to Windows, thus reducing the amount of detectable suspicious activity on an infected computer.
Once it is installed, BadRabbit will search for and encrypt all files bearing the extensions:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Unlike most ransomware, BadRabbit does not rename encrypted files or give them a distinctive extension. Instead, to check whether a file has already been processed, it appends a marker to the end of each encrypted file: the string "encrypted" encoded as a Unicode (wide-character) string. Because the file name is unchanged, this trailing marker is the only reliable on-disk indicator that a particular file has been encrypted.
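The following script is an added example, not code from the original post or from Symantec; it shows how an incident responder could triage a file share using the two facts above: the targeted-extension list and the trailing "encrypted" marker. It assumes the marker is UTF-16LE (the usual encoding of a Windows wide string; the post only says "unicode"), and the sample files it scans are constructed fixtures written to a temporary directory.

```python
"""Triage files for BadRabbit's end-of-file marker (added example, not Symantec code)."""
import os
import tempfile
from pathlib import Path

# Extension list as given in the writeup; matching is case-insensitive.
TARGETED_EXTENSIONS = set("""
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg
.conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz
.h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg
.odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem
.pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf
.scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk
.vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
""".split())

# Assumption: the marker is the wide-character (UTF-16LE) string "encrypted",
# i.e. the bytes 65 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00.
MARKER = "encrypted".encode("utf-16-le")


def has_marker(data: bytes) -> bool:
    """True if the byte string ends with the BadRabbit marker."""
    return data.endswith(MARKER)


def is_targeted(path) -> bool:
    """True if the file's extension is on the ransomware's target list."""
    return Path(path).suffix.lower() in TARGETED_EXTENSIONS


def read_tail(path, length: int) -> bytes:
    """Read only the last `length` bytes so large files are not loaded whole."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - length))
        return fh.read()


def scan_tree(root) -> dict:
    """Map each file path to 'encrypted', 'clean' or 'not-targeted'."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if not is_targeted(path):
                results[str(path)] = "not-targeted"
                continue
            tail = read_tail(path, len(MARKER))
            results[str(path)] = "encrypted" if has_marker(tail) else "clean"
    return results


def build_sample_tree(root) -> None:
    """Constructed fixtures: one marked .docx, one untouched .docx, one .exe."""
    root = Path(root)
    (root / "report.docx").write_bytes(b"\x00" * 64 + MARKER)   # "encrypted" file
    (root / "notes.docx").write_bytes(b"plain content, untouched")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 32)       # not on the target list


def demo() -> dict:
    """Build the fixtures, scan them and return results keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {Path(k).name: v for k, v in scan_tree(tmp).items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:13} {name}")
```

Point the scanner at a mounted copy of the share, not the live host, and treat a hit as a triage signal rather than proof: a file that legitimately ends in those 18 bytes would also match, so confirm by checking that the file no longer parses as its claimed format. Because the malware itself uses this marker to skip files it has already processed, the same check also tells you which files were and were not reached before the system was isolated.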
Once individual files are encrypted, BadRabbit uses the bundled DiskCryptor driver to perform full disk encryption and overwrites the MBR with its own bootloader. After the system is restarted, the bootloader displays the ransom note, demanding a ransom of 0.05 Bitcoin (approximately US$280 at the time of writing).
Be aware, be prepared
Organizations in particular are exposed to threats such as BadRabbit because of the lateral-movement mechanism it uses. Once one computer on a network becomes infected, BadRabbit attempts to copy itself to other computers on the network, using stolen or default credentials and the EternalRomance exploit, which could do serious damage on networks where SMB is unrestricted and the MS17-010 patch has not been applied. Although the threat largely appears to be confined to Russia at present, organizations should remain alert to the danger and ensure they are protected.
What are the details of Symantec's protection?
Symantec has the following protection in place for customers against these attacks:
SONAR behavior detection technology
Advanced Machine Learning
Network Protection Products
- Malware Analysis Appliance detects activity associated with BadRabbit
- Customers with Webpulse-enabled products are protected against activity associated with BadRabbit
Data Center Security Products
- Data Center Security Server anti-malware protects customers
- Data Center Security Server Advanced protects against the drive-by-download and Mimikatz