31 October 2017

Bad Rabbit ransomware

On October 24, 2017, our experts detected several cases of Bad Rabbit ransomware attacks. Amongst victims were established Russian media portals Interfax and Fontanka, as well as the airport in Odessa, Ukraine.

This report contains detailed analysis of the ransomware and its distribution campaign as well as the recommendations for infection prevention and the list of indicators of compromise.

Key features of Bad Rabbit attack are:

  • Infects clients of previously hacked legitimate websites;
  • Disguises as an Adobe Flash Player update;
  • Uses mimikatz for obtaining passwords for privileged accounts directly from RAM of the infected systems;
  •  Distributes within the local network using SMB+WMI, SMB+SCM;
  • Uses MS17-010 (eternalromance) vulnerability for distribution in the local network;
  • Encrypts files and Windows partition;
  • Uses DiskCryptor for encryption;
  • Decrypts the data with the key.

Summarizing the results of the analysis, the scheme of Bad Rabbit attack can be displayed as the following:



In order to prevent infection, we suggest taking the following measures:

  • Through domain security policy, prohibit the launch and creation of the files “C:\Windows\infpub.dat” and “C:\Windows\cscc.dat”;
  • Create empty files “C:\Windows\infpub.dat” and “C:\Windows\cscc.dat” with the rights “only for reading”;
  • Install the latest security updates for your operating system.

Indicators of compromise

MD5: 1d724f95c61f1055f0d02c2154bbccd3  
SHA-1: 79116fe99f2b421c52ef64097f0f39b815b20907 
SHA-256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA-1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA-256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

MD5: fbbdc39af1139aebba4da004475e8839
SHA-1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA-256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

cscc.dat: legitimate utility DiskCryptor (x86) 

MD5: b4e6d97dafd9224ed9a547d52c26ce02
SHA-1: 59cd4907a438b8300a467cee1c6fc31135757039
SHA-256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

cscc.dat: legitimate utility DiskCryptor (x64)   

MD5: edb72f4a46c39452d1a5414f7d26454a
SHA-1: 08f94684e83a27f2414f439975b7f8a6d61fc056
SHA-256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6

Module with functional capabilities Mimikatz (x86):
MD5: 37945c44a897aa42a66adcab68f560e0
SHA-1: 16605a4a29a101208457c47ebfde788487be788d
SHA-256: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035

Module with functional capabilities Mimikatz (x64):
MD5: 347ac3b6b791054de3e5720a7144a977
SHA-1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA-256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

URLs: 1dnscontrol[.]com