Carbon Black Threat Advisory & Analysis: 'Bad Rabbit' Ransomware

Main Advisory can be found at


On 24 October, a large-scale campaign of ransomware attacks was observed across Europe, closely mimicking the NotPetya attack from months earlier. As with NotPetya, the sample appeared to spread through the existing, well-known SMB vulnerabilities exploited by EternalBlue. Additionally, as with NotPetya, the sample used more traditional methods of making SMB connections within a corporate environment, such as local administrative shares.


Analysis is still ongoing, but initial findings show that it is a variant of the NotPetya sample. It is not yet known whether there is actual code reuse or whether only the tactics and strings were copied from analysed versions of NotPetya. Just as NotPetya dropped a file named perfc.dat and called it by export ordinal, Bad Rabbit drops a similar file named infpub.dat and calls it using an almost identical method.

For instance, in the screenshot below, one routine from this initial Bad Rabbit sample is compared with the corresponding routine in NotPetya, with Bad Rabbit displayed on the right. There are very striking similarities in the code, but also large differences. Notably, there is also a very basic attempt at obfuscation: a Unicode stack string that resolves to “shutdown /r /t 0”.

The malware also has the ability to clear Windows event logs by using the Windows wevtutil command.

One major change compared with NotPetya is that the core Petya code is no longer present. Instead, the sample drops the encryption driver from the known, legitimate DiskCryptor application onto the local system as cscc.dat and then leverages it to perform disk encryption.
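As an added example (not code from the Carbon Black advisory or from ParaFlare), the Python script below turns the behaviours described in the preceding paragraphs into detection rules: the rundll32 call to infpub.dat (or perfc.dat) by export ordinal, the cscc.dat driver drop, the wevtutil log clearing and the "shutdown /r /t 0" stack string. It runs them over a few constructed process-creation and file-write records and flags a host only when several distinct behaviours coincide. The indicator strings come from the advisory; the event field names (type, host, command_line, path), the file paths and the sample records are this example's assumptions.

```python
import re
from typing import Dict, List

# Indicator strings come from the advisory; the event layout and file paths are
# this example's assumptions (roughly what Sysmon or an EDR sensor would record).
PROCESS_RULES = [
    # perfc.dat / infpub.dat called through rundll32 by export ordinal (",#N")
    ("rundll32-ordinal-call",
     re.compile(r"\brundll32(\.exe)?\s+.*\b(infpub|perfc)\.dat\s*,\s*#\d+", re.I)),
    # event logs cleared with wevtutil ("cl" is the short form of "clear-log")
    ("wevtutil-clear-log",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    # the de-obfuscated Unicode stack string used to force a reboot
    ("forced-reboot",
     re.compile(r"\bshutdown(\.exe)?\s+/r\s+/t\s+0\b", re.I)),
]
FILE_RULES = [
    # the dropped payload DLL
    ("dropped-payload-dll", re.compile(r"[\\/](infpub|perfc)\.dat$", re.I)),
    # the DiskCryptor driver written as cscc.dat
    ("diskcryptor-driver-drop", re.compile(r"[\\/]cscc\.dat$", re.I)),
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    if event.get("type") == "process":
        text, rules = event.get("command_line", ""), PROCESS_RULES
    elif event.get("type") == "file":
        text, rules = event.get("path", ""), FILE_RULES
    else:
        return []
    return [name for name, rx in rules if rx.search(text)]


def rules_by_host(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the sorted set of distinct rules it triggered."""
    hits: Dict[str, set] = {}
    for ev in events:
        for name in classify(ev):
            hits.setdefault(ev.get("host", "?"), set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def flagged_hosts(events, min_rules: int = 2) -> List[str]:
    """Hosts matching at least min_rules distinct behaviours. Any single rule
    (e.g. an admin clearing a log with wevtutil) can be benign; the combination
    of several within one host is what makes this worth an alert."""
    return sorted(h for h, names in rules_by_host(events).items()
                  if len(names) >= min_rules)


# Constructed telemetry for the demo; not real indicators from an incident.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "command_line": r"rundll32.exe C:\Windows\infpub.dat,#1"},
    {"type": "file", "host": "ws01", "path": r"C:\Windows\cscc.dat"},
    {"type": "process", "host": "ws01",
     "command_line": "cmd.exe /c wevtutil cl Security & wevtutil cl System"},
    {"type": "process", "host": "ws01", "command_line": "shutdown /r /t 0"},
    # benign activity on another host: a normal rundll32 call and an unrelated .dat
    {"type": "process", "host": "ws02",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "file", "host": "ws02", "path": r"C:\Users\alice\report.dat"},
    # a lone log clear on a third host: recorded, but not enough on its own to flag
    {"type": "process", "host": "ws03", "command_line": "wevtutil cl Application"},
]

if __name__ == "__main__":
    for host, names in rules_by_host(SAMPLE_EVENTS).items():
        print(host, names)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The command-line rules are deliberately narrow (the exact ordinal syntax and the exact reboot string) so they stay quiet on ordinary administration; the per-host correlation in flagged_hosts is where the signal comes from, since the advisory's behaviours appear together on an infected machine.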

The final payment screen, served over Tor, is insignificant to the analysis but does highlight the added effort that adversaries put into making notable brands of malware:

Customer Protection

ParaFlare offers Carbon Black products such as CB Protection, CB Response and CB Defense, which are effective against this attack in multiple ways.


Possible mitigations include not only applying the MS17-010 patch for the known exploited SMB vulnerability, but also using Group Policy to disable local admin shares on systems.

News Articles and Resources

October 25th, 2017