Bad Rabbit Ransomware Spread Via Fake Flash Player Updates


A new ransomware threat has been discovered, labelled Bad Rabbit ransomware, that has affected companies in Russia, Ukraine and Europe. Some Bad Rabbit ransomware attacks have also been experienced in the United States, and healthcare organizations are advised to take steps to address the threat.

There are some commonalities between Bad Rabbit ransomware and NotPetya, which was used in worldwide attacks in June. Some security researchers think that the new threat is a NotPetya variant, others have claimed it is more closely related to a ransomware variant labelled HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016.

Regardless of where the code originated, it is bad news for any organization that has an infected endpoint. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering them inaccessible. As with NotPetya, alterations are made to the Master Boot Record (MBR), further hampering data recovery. This new ransomware campaign is also capable of spreading quickly inside an IT network.

The recent wave of attacks was initiated in Russia and Ukraine on October 24, with attacks also witnessed in Bulgaria, Germany, Turkey, and Japan. ESET and Kaspersky Lab have examined the new ransomware variant and have found that it is being spread by drive-by downloads, with the ransomware masquerading as a Flash Player update.

The hackers behind this latest campaign seem to have compromised the websites of several news and media agencies, which are being used to show warnings about an urgent Flash Player update. No exploits are thought to be involved in the initial infection; user interaction is needed to download and run the ransomware.

Users who believe the Flash Player warning download a file titled “install_flash_player.exe.” Running that executable will download the ransomware. After files have been encrypted and the MBR has been altered, the ransomware reboots the infected device and the ransom note is shown.

The required ransom amount is 0.5 Bitcoin ($280) per infected computer. Bad Rabbit victims must pay the ransom within 40 hours or the ransom will begin to rise. Whether payment of the ransom allows files to be recovered has not been confirmed.

The ransomware also spreads within networks via SMB. At first it was thought that no NSA exploits were used; instead, the ransomware scans for network shares and uses Mimikatz to harvest credentials. The ransomware also cycles through a list of commonly used usernames, passwords and credentials. If working credentials are found, a file called infpub.dat is dropped and executed using rundll.exe. This process allows the ransomware to spread rapidly within a network. However, researchers at Cisco Talos think that the ETERNALROMANCE NSA exploit has been incorporated. ETERNALROMANCE leverages the CVE-2017-0145 vulnerability.
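The lateral-movement behaviour described above (credential guessing against network shares, then infpub.dat executed through rundll) and the fake-installer lure are the observable events a defender would hunt for in endpoint and logon telemetry. The following is an added example, not code from the original article or from any of the vendors it names. It runs three small detections over constructed process-creation and failed-logon log lines in a made-up format: an installer named install_flash_player.exe launched from a user download folder, rundll loading infpub.dat, and one source host failing logons with many distinct usernames against the same target. The log format, host names, file paths and the threshold of five distinct usernames are assumptions; rundll32.exe is the standard Windows host for DLL entry points, and the "rundll.exe" spelling used in the article is matched as well.

```python
"""Detection sketch for the Bad Rabbit behaviours described in the article (added example)."""
import re
from collections import defaultdict

# Constructed process-creation events, one per line (assumed format):
# "<timestamp> <host> <user> image=<path> cmdline="<command line>""
SAMPLE_PROCESS_LOG = """\
2017-10-24T10:01:02Z WS-17 alice image=C:\\Program Files\\Mozilla Firefox\\firefox.exe cmdline="firefox.exe"
2017-10-24T10:03:15Z WS-17 alice image=C:\\Users\\alice\\Downloads\\install_flash_player.exe cmdline="install_flash_player.exe"
2017-10-24T10:03:20Z WS-17 alice image=C:\\Windows\\System32\\rundll32.exe cmdline="C:\\Windows\\System32\\rundll32.exe C:\\Windows\\infpub.dat"
2017-10-24T10:04:01Z WS-22 SYSTEM image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"
2017-10-24T10:04:30Z WS-22 bob image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"
"""

# Constructed failed network-logon events (assumed format):
# "<timestamp> <target_host> <source_host> <username> logon_failed"
SAMPLE_LOGON_LOG = """\
2017-10-24T10:05:00Z FS-01 WS-17 administrator logon_failed
2017-10-24T10:05:00Z FS-01 WS-17 admin logon_failed
2017-10-24T10:05:01Z FS-01 WS-17 user logon_failed
2017-10-24T10:05:01Z FS-01 WS-17 guest logon_failed
2017-10-24T10:05:02Z FS-01 WS-17 backup logon_failed
2017-10-24T10:05:02Z FS-01 WS-17 root logon_failed
2017-10-24T10:05:03Z FS-01 WS-22 bob logon_failed
"""

PROCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)
LOGON_RE = re.compile(
    r'^(?P<ts>\S+) (?P<target>\S+) (?P<source>\S+) (?P<user>\S+) logon_failed$'
)

# rundll32.exe is the real Windows binary; "rundll.exe" is the spelling the article uses.
RUNDLL_NAMES = ("rundll32.exe", "rundll.exe")


def parse_process_log(text):
    """Parse the constructed process log into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(PROCESS_RE.match, text.splitlines()) if m]


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rundll_infpub(records):
    """Flag rundll/rundll32 process creations whose command line references infpub.dat."""
    return [
        (r["host"], r["ts"], "rundll loading infpub.dat")
        for r in records
        if _basename(r["image"]) in RUNDLL_NAMES and "infpub.dat" in r["cmdline"].lower()
    ]


def detect_fake_flash_installer(records):
    """Flag install_flash_player.exe executed from a user download folder (triage heuristic)."""
    return [
        (r["host"], r["ts"], "install_flash_player.exe run from a Downloads folder")
        for r in records
        if _basename(r["image"]) == "install_flash_player.exe"
        and "\\downloads\\" in r["image"].replace("/", "\\").lower()
    ]


def detect_credential_guessing(text, min_distinct_users=5):
    """Group failed logons by (source, target); report pairs that tried many distinct usernames.

    The threshold of five distinct usernames is an assumption for the sample data; tune it
    to the environment. Returns {(source, target): sorted usernames}.
    """
    users_by_pair = defaultdict(set)
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            users_by_pair[(m["source"], m["target"])].add(m["user"])
    return {
        pair: sorted(users)
        for pair, users in users_by_pair.items()
        if len(users) >= min_distinct_users
    }


def run_detections(process_text=SAMPLE_PROCESS_LOG, logon_text=SAMPLE_LOGON_LOG):
    """Run all three detections and return a flat list of (host, timestamp, description)."""
    records = parse_process_log(process_text)
    findings = detect_fake_flash_installer(records) + detect_rundll_infpub(records)
    for (source, target), users in detect_credential_guessing(logon_text).items():
        findings.append((source, "-", f"{len(users)} distinct usernames failed against {target}"))
    return findings


if __name__ == "__main__":
    for host, ts, what in run_detections():
        print(f"{host} {ts} {what}")
```

In the constructed sample the three findings all point at WS-17: the installer launch, the rundll execution of infpub.dat a few seconds later, and six usernames failing against FS-01, which is the sequence of lure, payload and credential guessing the article describes. The benign rundll32 launch of shell32.dll on WS-22 and its single failed logon are not reported, which is why the detections key on the DLL name and on the count of distinct usernames rather than on rundll32 or failed logons alone.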

Cisco Talos’ Martin Lee said that “this is a different implementation of the EternalRomance exploit. It’s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.”

There had been at least 200 infections as of October 25, including institutions such as the Kiev Metro, Odessa International Airport in Ukraine, the Ministry of Infrastructure of Ukraine, and the Russian Interfax and Fontanka news agencies.