Detection and Prevention of Bad Rabbit Ransomware

Summary

There have been numerous reports of a new ransomware outbreak called BadRabbit, which spreads via “drive-by” download attacks: compromised websites present visitors with a fake Adobe Flash update. Once the malicious “update” is installed, BadRabbit encrypts files and file systems and spreads laterally to other machines on the local network via SMB. Like Petya/NotPetya, BadRabbit encrypts both your files and your entire file system, using DiskCryptor, a legitimate free and open-source program for encrypting hard drives, including the partition where Windows is installed.

BadRabbit primarily targeted Russia and Ukraine, but the ransomware is now believed to have spread to the US and other parts of the world. Security researchers initially suspected that it utilized the EternalBlue exploit; however, there is no concrete evidence of this and it is still being researched. (UPDATE 10/26/17: According to Cisco Talos, an implementation of EternalRomance was used to allow the attacker to read/write arbitrary data into the kernel memory space.)

BadRabbit appears to have its own SMB implementation and uses an embedded version of Mimikatz (similar to what we saw in the Nyetya campaign in late June 2017) to steal account credentials. It also tries a hard-coded list of weak default account credentials, which can be seen here: https://pastebin.com/01C05L0C.

Indicators of Compromise

  • The presence of DECRYPT.lnk on the desktop; this is used to decrypt the file system with a code supplied upon paying the ransom
  • The presence of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat
  • The presence of Windows scheduled tasks named after dragons from the TV show Game of Thrones: rhaegal, viserion, drogon
  • The presence of file hashes, or network traffic to IP addresses or domains, contained in our OTX pulse: https://otx.alienvault.com/pulse/59f08c953db003095704fcb2/
  • In addition to any of the above, suspicious Windows event log activity for Event 1102 (clearing of the audit log) and Event 106 (creation of a scheduled task)
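The host-side indicators above can be checked with a short script. The following is an added example, not part of the original advisory or any vendor tool; it assumes a Windows 8/Server 2012 or later host (for Get-ScheduledTask) and that the Task Scheduler operational log is enabled, and it treats Event 106 as a correlating signal only, since task registration is common legitimate activity.

```powershell
# Added example (not from the original advisory): check one host for the BadRabbit
# indicators listed above. Run from an elevated PowerShell session.
function Find-BadRabbitIndicators {
    param([int]$LookbackHours = 24)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped payload files named in the advisory
    foreach ($f in @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")) {
        if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
    }

    # 2. DECRYPT.lnk on any user's desktop (profiles under the system drive)
    Get-ChildItem -Path "$env:SystemDrive\Users\*\Desktop\DECRYPT.lnk" -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Ransom shortcut present: $($_.FullName)") }

    # 3. Scheduled tasks with the dragon names (Get-ScheduledTask needs Windows 8 / Server 2012 or later)
    foreach ($name in 'rhaegal', 'viserion', 'drogon') {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) { $findings.Add("Scheduled task present: $name (state: $($task.State))") }
    }

    # 4. Event log activity: 1102 (audit log cleared) in Security; 106 (task registered) in the
    #    Task Scheduler operational log. Assumes that operational log is enabled on the host.
    $since   = (Get-Date).AddHours(-$LookbackHours)
    $queries = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since }
    )
    foreach ($q in $queries) {
        $events = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $firstLine = ($e.Message -split "`n")[0]
            $findings.Add(("Event {0} in {1} at {2}: {3}" -f $e.Id, $q.LogName, $e.TimeCreated, $firstLine))
        }
    }

    # Event 106 on its own is noise; flag the host only when a file, shortcut, task or 1102 finding exists
    $strong = $findings | Where-Object { $_ -notmatch '^Event 106 ' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checked      = Get-Date
        Suspicious   = (@($strong).Count -gt 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: a Suspicious = True result warrants escalation to the SOC
Find-BadRabbitIndicators -LookbackHours 24 | Format-List
```

The script reports what it found rather than acting on it, so it can be pushed to many hosts (for example through a remote management tool) and the output collected centrally for correlation with the OTX pulse matches described later in this post.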

Further Technical Details

[Figure: Decrypt.lnk placed on the desktop]

[Figure: TOR payment page]

Detection

  • Traffic or file system artifacts that match the indicators contained in our OTX pulse will produce a high-severity alarm
  • Cross-correlation of OTX activity with suspicious event log activity (Event 1102 and Event 106)
  • Logical correlation of NIDS traffic to Emerging Threats (ET) signatures 2024905, 2024906, and 2024910 via AV directive


Prevention

  • Look out for, and avoid, fake or suspicious Adobe Flash update notifications
  • Report any suspicious or questionable activity (such as web pages hosting Flash Player updates) to the SOC
  • If you use Windows Defender, ensure that its definitions are updated to at least version 1.255.29.0, as new definitions can detect BadRabbit according to the Microsoft threat bulletin https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tibbar.A
  • If you have the capability to block the execution of files, block C:\Windows\infpub.dat and C:\Windows\cscc.dat
  • If it is possible in your environment, block or restrict the WMI services to prevent the malware from spreading throughout the network (test and QA accordingly)
  • Lastly, it is possible to manually “vaccinate” a computer by creating the files C:\Windows\infpub.dat and C:\Windows\cscc.dat and removing all file permissions from those files, including inherited permissions
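Two of the items above (the Defender definition check and the manual “vaccination”) can be scripted. The following is an added example, not part of the original advisory or of any Microsoft tooling; it assumes the Windows Defender PowerShell module is present (Get-MpComputerStatus) and that it runs from an elevated session that is allowed to change ACLs under C:\Windows.

```powershell
# Added example (not from the original advisory): apply the two host-level preventions above.
# Run elevated; test in QA before fleet-wide use, as the advisory recommends for other controls.

function Test-DefenderSignatureVersion {
    # Returns whether installed Defender definitions meet the version cited in the Microsoft bulletin.
    # Requires the Defender module; on hosts without it, Get-MpComputerStatus will throw.
    param([version]$Minimum = '1.255.29.0')
    $status    = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Installed = $installed
        Required  = $Minimum
        UpToDate  = ($installed -ge $Minimum)
    }
}

function Install-BadRabbitVaccine {
    # Pre-creates the two file names the malware writes and empties their DACLs, so that
    # no principal, including inherited Administrators/SYSTEM entries, keeps access.
    param([string[]]$Paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"))
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Step 1: break inheritance and discard inherited entries ($false = do not copy them as explicit)
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)
        Set-Acl -LiteralPath $path -AclObject $acl
        # Step 2: re-read and remove any explicit entries that remain, leaving an empty DACL
        $acl = Get-Acl -LiteralPath $path
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $path -AclObject $acl
        # Report the result so the caller can verify the DACL is actually empty
        [pscustomobject]@{
            Path          = $path
            RemainingAces = @((Get-Acl -LiteralPath $path).Access).Count
        }
    }
}

Test-DefenderSignatureVersion
Install-BadRabbitVaccine
```

An empty DACL stops the malware's process from writing its payload under those names, which is what the vaccination relies on; an administrator can still take ownership and reset the permissions later, so record the change in your configuration baseline rather than relying on it silently. The RemainingAces column should read 0 for both files after a successful run.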

Incident Response and Recovery

  • Maintain good data backups
  • Report any suspicious or questionable activity to the SOC
  • Don’t pay the ransom