(updated: 10/26/2017 with additional file hashes and mitigations)
A new ransomware campaign has affected at least three Russian media companies in a fast-spreading malware attack. Fontanka and Interfax are among the companies affected by the Bad Rabbit ransomware named by the researchers who first discovered it. The malware is delivered as fake Flash installer, it uses the SMB protocol to check hardcoded credentials. Bad Rabbit does not employ any exploits to gain execution or elevation of privilege. The Ukrainian computer emergency agency CERT-UA has issued an alert incident and mentioned that Odessa airport and Kiev subway were also affected. It is unsure whether this alert is regarding Bad Rabbit, but they suspect that it may be the start of a new wave of cyberattacks.
As mentioned earlier the ransomware is delivered as a drive-by attack from compromised websites. A file named “install_flash_player.exe” is dropped on the host by the website, the user needs to manually execute it. It is a bootkit-based ransomware similar to Petya/NotPetya. Upon execution it encrypts the files on the target machine, installs its own bootloader in MBR and schedules a reboot. After the system reboots it displays the ransom note to the user, and the OS does not boot.
Upon execution the file tries to gain privilege via the standard UAC prompt. After acquiring the privileges it creates a file under “C:\Windows*infpub.dat“. This file is executed using rundll32, and infpub.dat drops dispci.exe* under C:\Windows. This executable is responsible for encrypting the files and modifies the boot-loader. It is derived from DiskCryptor, an open-sourced full-disk encryption system for Windows. The ransomware schedules tasks with names rhaegal, drogon, viserion (Game of Thrones references).
Each infected machine is provided with a unique key or a bitcoin address. The user needs to connect to a hidden Tor service caforssztxqzf2nm[.]onion to pay the ransom. The website is titled BAD RABBIT hence the name of the ransomware. The user enters their public key or bitcoin address allotted by the ransomware. It also shows a timer counting down from 40 hours after which the price decryption will increase. Currently the ransom is 0.05 bitcoin which is valued at $284.00 as of 24-Oct-17 20:10:27 UTC. The ransomware encrypts over 100 different file extensions including .ppt, .pptx, .doc, .docx, etc.
Please update your endpoint security solution with the latest signature set (note: as of this publishing date only 31/66 anti-virus products have a detection for it, as per VirusTotal). Also make sure the machines on the network are patched with the latest fixes from Microsoft.
Additional mitigation steps:
– Disable WMI service if possible
– Block the execution of files C:\windows\infpub.dat and C:\Windows\cscc.dat (using GPO or other method)
– (New) Create a fake file C:\windows\infpub.dat and c:\windows\cscc.dat (the dropper looks for the presence of these files, if any exist, it does not infect the machine)
Ransomware attacks on user machines are more readily discovered as the malware presents a dialog to the user. For server machines or cloud instances, you might not know that the machine is infected and encrypted unless the system starts failing due to key files and applications being encrypted and not able to execute properly.
You can scan your network with QID 1043 to detect machines infected with Bad Rabbit.
The QID checks for the presence of of the following files on the target:
You can use Qualys Indication of Compromise to find machines on and off the network infected with Bad Rabbit using the following hashes.
You can search for the hashes in the Hunting menu or create a dashboard widget with the four file hashes above which will immediately display the total count of currently infected machines and machines newly infected.
Additional information on Bad Rabbit is on the Qualys Threat Protection blog.