Bad Rabbit ransomware
This report contains a detailed analysis of the ransomware and its distribution campaign as well as the recommendations for infection prevention and the list of indicators of compromise.
The key features of the Bad Rabbit attacks are as follows:
- It infects the clients of previously hacked legitimate websites
- Disguises as an Adobe Flash Player update
- Uses mimikatz for obtaining passwords for privileged accounts directly from RAM of the infected systems
- Distributes within the local network using SMB+WMI, SMB+SCM
- Uses the MS17-010 (eternalromance) vulnerability for distribution in the local network
- Encrypts files and Windows partitions
- Uses DiskCryptor for encryption
- Decrypts the data with the key
Summarizing the results of the analysis, the scheme of Bad Rabbit attack can be displayed as follows:
In order to prevent infection, we suggest taking the following measures:
- Through the domain security policy, prohibit the launch and creation of the files "C:\Windows\infpub.dat" and "C:\Windows\cscc.dat"
- Create empty files "C:\Windows\infpub.dat" and "C:\Windows\cscc.dat" with read-only attributes
- Install the latest security updates for your operating system
infpub.dat:
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA-1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA-256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
dispci.exe:
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA-1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA-256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
install_flash_player.exe:
MD5: fbbdc39af1139aebba4da004475e8839
SHA-1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA-256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
cscc.dat: DiskCryptor legitimate utility (x86)
MD5: b4e6d97dafd9224ed9a547d52c26ce02
SHA-1: 59cd4907a438b8300a467cee1c6fc31135757039
SHA-256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806
cscc.dat: DiskCryptor legitimate utility (x64)
MD5: edb72f4a46c39452d1a5414f7d26454a
SHA-1: 08f94684e83a27f2414f439975b7f8a6d61fc056
SHA-256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
Mimikatz module with functional capabilities (x86):
MD5: 37945c44a897aa42a66adcab68f560e0
SHA-1: 16605a4a29a101208457c47ebfde788487be788d
SHA-256: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035
Mimikatz module with functional capabilities (x64):
MD5: 347ac3b6b791054de3e5720a7144a977
SHA-1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA-256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
URLs: 1dnscontrol[.]com