“Bad Rabbit” Ransomware Spreads Quickly, Exploits SMBv1 Vulnerability

A ransomware variant, dubbed Bad Rabbit, began spreading quickly on Tuesday, primarily impacting Eastern European government agencies and private businesses, including the Odessa airport and Ukraine’s Kiev subway system, the Ukrainian Ministry of Infrastructure, three Russian news agencies, and several organizations in Bulgaria and Turkey, with a small percentage of infections detected in the US. Bad Rabbit infects systems by masquerading as an Adobe Flash update that attempts to install onto users’ systems after they visit a compromised website. A variety of these compromised websites were observed redirecting users to another website that hosted the fraudulent Flash Update package. Once the malicious file is installed, Bad Rabbit begins encrypting files and then overwrites the Master Boot Record (MBR) with the ransom note and reboots the system. It also spreads laterally though the network via vulnerable and unpatched SMBv1 ports – the same method used by the WannaCry and NotPetya variants – after using Mimikatz to extract login credentials from the infected system’s memory. Security analysts believe Bad Rabbit’s code could be based on DiskCryptor, an open-source disk encryption utility, similar to the HDDCryptor variant that impacted San Francisco’s public transit system last year. Bad Rabbit does not append new extensions to the names of encrypted files, as is typical with most ransomware variants, but appends the file marker string encryptedto the end of every encrypted file. The NJCCIC recommends organizations review the ESET,Trend Micro, and Talos reports and educate employees about ransomware and similar cyber threats. Additionally, we recommend all organizations implement a robust data backup process that safeguards any data considered valuable or critical to the organization. Data backups must be stored offline—disconnected from the network—and tested regularly to confirm their integrity. For users and administrators of Microsoft Windows Defender Antivirus, we recommend updating to version 1.255.29.0 or higher as it will now detect and remove Bad Rabbit infections. For users and administrators of Windows systems who have not yet applied Microsoft security patch MS17-010 to their systems, we recommend doing so as soon as possible to prevent the spread of malware that exploits this vulnerability. A comprehensive list of ransomware mitigation strategies is available in the NJCCIC's Ransomware Threat Profile