Bad Rabbit ransomware site up only for six hours

CISOs are holding their breath and hoping that the latest ransomware strain being detected in Eastern Europe and Russia isn’t the beginning of a widespread campaign.

The strain, dubbed Bad Rabbit, masquerades as an Adobe Flash update. So far the main way devices are infected is through a drive-by attack: the victim visits a compromised Web site whose HTML code or a .js file has been injected with malicious JavaScript. These Web sites were in Russia, Bulgaria and Turkey. Victims were then redirected to a site that downloads the malware.

Since reports on the attack were raised Tuesday that site has been taken down. It apparently was live for only six hours.

Once inside a network, Bad Rabbit spreads by collecting user credentials with the Mimikatz tool as well as by using hard-coded credentials, say Palo Alto Networks and Cisco Systems' Talos threat intelligence service. Included is a list of common weak passwords (god, sex, secret, love, 123456, Admin123, etc.) that the malware uses when testing logins against other machines on the network.
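The credential testing described above leaves a footprint a defender can look for: one host failing logons against several different accounts in a short span, often followed by a success once a weak or stolen credential works. The following is an added example, not code from the article or from any of the vendors it quotes. It parses constructed, simplified log lines modelled on Windows Security failed-logon (4625) and successful-logon (4624) events; the line format, host names and thresholds are assumptions chosen for illustration.

```python
"""Flag source hosts whose failed logons look like credential testing.

Added example (not from the article). Input is a constructed, simplified
log modelled on Windows Security events 4625 (failed logon) and 4624
(successful logon); the field layout below is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Assumed format:
# "<timestamp> EventID=<id> Account=<user> Source=<host> Status=<hex>"
SAMPLE_LOG = """\
2017-10-24T10:00:01 EventID=4625 Account=admin Source=WKS-07 Status=0xC000006A
2017-10-24T10:00:02 EventID=4625 Account=administrator Source=WKS-07 Status=0xC000006A
2017-10-24T10:00:02 EventID=4625 Account=guest Source=WKS-07 Status=0xC000006A
2017-10-24T10:00:03 EventID=4625 Account=user Source=WKS-07 Status=0xC000006A
2017-10-24T10:00:03 EventID=4625 Account=backup Source=WKS-07 Status=0xC000006A
2017-10-24T10:00:04 EventID=4624 Account=admin Source=WKS-07 Status=0x0
2017-10-24T10:05:00 EventID=4625 Account=jsmith Source=WKS-12 Status=0xC000006A
2017-10-24T10:20:00 EventID=4625 Account=jsmith Source=WKS-12 Status=0xC000006A
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["EventID"] = int(event["EventID"])
    return event


def detect_credential_testing(log_text, window_seconds=60, min_accounts=4):
    """Return {source: info} for every source host that produced failed
    logons (4625) against at least `min_accounts` distinct accounts within
    `window_seconds`. `info` records the first timestamp, the accounts tried
    and whether a successful logon (4624) from that host followed the burst
    within the same window, which is the stronger signal to act on."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_source = defaultdict(list)
    for e in events:
        by_source[e["Source"]].append(e)

    window = timedelta(seconds=window_seconds)
    hits = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["EventID"] == 4625]
        for i, start in enumerate(failures):
            # Sliding window anchored at each failure from this host.
            in_window = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            accounts = sorted({e["Account"] for e in in_window})
            if len(accounts) < min_accounts:
                continue
            burst_end = in_window[-1]["ts"]
            followed_by_success = any(
                e["EventID"] == 4624 and burst_end <= e["ts"] <= burst_end + window
                for e in evs
            )
            hits[source] = {
                "first_seen": start["ts"],
                "accounts": accounts,
                "followed_by_success": followed_by_success,
            }
            break  # one alert per source host is enough
    return hits


if __name__ == "__main__":
    for source, info in detect_credential_testing(SAMPLE_LOG).items():
        flag = " then SUCCEEDED" if info["followed_by_success"] else ""
        print(f"{source}: {len(info['accounts'])} accounts failed from "
              f"{info['first_seen']:%H:%M:%S}{flag}: {', '.join(info['accounts'])}")
```

On the constructed sample, WKS-07 is flagged (five accounts in three seconds, followed by a success) while WKS-12, which only fails the same account twice fifteen minutes apart, is not. The per-host grouping matters: a worm moving laterally generates the burst from the infected machine, so keying alerts on the source rather than the target account keeps a single locked-out user from drowning out the host that is actually spreading.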

According to Eset, victims include several transportation organizations in Ukraine as well as some governmental organizations.

“This strain is not believed to have spread to North America as of yet,” said Sean Dillon, senior security researcher for RiskSense. “The overall infection rate is extremely low, even in comparison to malware that doesn’t have any of the worm capabilities that Bad Rabbit does. The initial infection vector occurs from a fake Flash update, which is common for malware, but also a manual process with generally low conversion rates.”
“While Bad Rabbit does have worm capabilities, it spreads using mostly legitimate methods of lateral movement across a Windows network. There are no real exploits, such as EternalBlue or EternalRomance, which were observed in the NotPetya and WannaCry ransomware worms earlier this year. These exploits were probably not used in this campaign as they are now well-known and monitored attack vectors.”

Bad Rabbit appears to have some similarities to Nyetya, says Cisco Systems' Talos threat intelligence blog, “in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.”

The malware modifies the Master Boot Record (MBR) of the infected system’s hard drive to redirect the boot process into the malware author’s code, which then displays the ransom note after a system reboot.

Image from Cisco Talos blog

This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as Windows SMB (server message block) to proliferate, says Talos. “In this example the initial vector wasn’t a sophisticated supply chain attack. Instead it was a basic drive-by-download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape: Threats spreading quickly, for a short window, to inflict maximum damage.”

This threat also amplifies the importance of educating anyone who uses an Internet-connected device, adds Talos. “In this attack the user needs to facilitate the initial infection. If a user doesn’t help the process along by installing the Flash update it would be benign and not wreak the devastation it has across the region. Once a user facilitates the initial infection the malware leverages existing methods, such as SMB, to propagate around the network without user interaction.”

Several vendors, including Cisco, Palo Alto Networks, Eset and others, said their software quickly created rules, including blacklisting the distribution Web site, and protects against this particular exploit.

At this time there isn’t a known fix for machines that have been infected. Palo Alto Networks notes that multi-factor authentication (MFA) can stop the use of valid credentials, which were potentially leveraged to infect additional systems across the network.

And, of course, the best defence against ransomware is off-site backup … and a practiced re-installation procedure.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
