On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine.
It bears similarities to the WannaCry and Petya outbreaks earlier this year.
When victims visit the following site, a dropper is downloaded:
After infection, the victim sees the following screen:
The ransomware is currently charging 0.05 Bitcoin; however, there is no confirmation that paying the ransom will result in a decryption key being provided.
A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:
Files with the following extensions are encrypted:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
The BadRabbit execution flow graphic below summarizes the technical details of the subsequent sections.
|cscc.dat||0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6||DiskCryptor Driver (x64)|
The BadRabbit attack first begins when the victim receives and installs a fake Adobe Flash update.
The malware starts a command line with the following values:
Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"
“/TN rhaegal” names the scheduled task rhaegal, which is created under the SYSTEM account (“/RU SYSTEM”) and starts the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show “Game of Thrones.” In fact, three dragon names (Rhaegal, Viserion, and Drogon) are used in relation to the following scheduled tasks:
The malware then uses the following commands to clear security logs and delete the update sequence number (USN) change journal, which is used to recover files, for example:
Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
The USN change journal provides a persistent log of all changes made to files on the volume, according to the Microsoft Developer Network. As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the USN change journal, one for each volume on the computer. Each record indicates the type of change and the object changed. New records are appended to the end of the stream.
We also found a DNS query to ACA807##.ipt.aol[.]com, in which the “##” is a two-digit hex number from 00 to FF.
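The behaviors described above (the dragon-named scheduled task, the event log and USN journal wipe, and the ACA807## DNS pattern) can be turned into simple detection checks over process and DNS telemetry. The following is an added example, not code from the original post; the function names, the sample telemetry and the log-clearing threshold are assumptions made for illustration.

```python
import re

# Indicators come from the commands and DNS pattern quoted in this post.
TASK_NAMES = {"rhaegal", "viserion", "drogon"}
SCHTASKS = re.compile(r'schtasks(?:\.exe)?\s.*?/create\b.*?/tn\s+"?(\w+)', re.I)
WEVTUTIL = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\w+)", re.I)
FSUTIL = re.compile(r"fsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)
# The post writes the domain defanged: ACA807##.ipt.aol[.]com (## = 00-FF hex).
DNS_RULE = re.compile(r"^aca807[0-9a-f]{2}\.ipt\.aol\.com\.?$", re.I)


def scan_command_line(cmdline):
    """Return the sorted names of the checks a process command line trips."""
    hits = set()
    m = SCHTASKS.search(cmdline)
    if m and m.group(1).lower() in TASK_NAMES:
        hits.add("schtasks_dragon_task")
    # Assumed threshold: the Security log alone, or two or more logs at once.
    cleared = {name.lower() for name in WEVTUTIL.findall(cmdline)}
    if "security" in cleared or len(cleared) >= 2:
        hits.add("eventlog_clear")
    if FSUTIL.search(cmdline):
        hits.add("usn_journal_delete")
    return sorted(hits)


def scan_dns_query(name):
    """True when a queried name fits the ACA807## pattern from the post."""
    return bool(DNS_RULE.match(name.strip()))


# Constructed sample telemetry: two command lines from the post, two benign.
SAMPLE_CMDLINES = [
    r'Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"',
    "Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
    r'schtasks /Create /SC DAILY /TN BackupJob /TR "C:\Tools\backup.cmd"',
    "wevtutil qe System /c:5",
]
SAMPLE_DNS = ["ACA8071F.ipt.aol.com", "aca807zz.ipt.aol.com", "www.aol.com"]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(scan_command_line(line), "<-", line[:60])
    for query in SAMPLE_DNS:
        print(scan_dns_query(query), "<-", query)
```

The task-name check keys on names the attackers chose, so it is easy for a variant to evade; the log-clearing and USN journal deletion checks describe behavior and generalize better.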
Game of Thrones Fans?
It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in “Game of Thrones,” with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a “Game of Thrones” commander, is the product name in the binary’s EXIF data.
There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable: