Friday, June 22, 2018

Bad Rabbit Ransomware Attack

Bad Rabbit is a ransomware strain that spread mainly in Russia in 2017. It targeted both organizations and consumers, and it hit media outlets in the country especially hard. Servers were down during this time due to the attack. It encrypts the files on the end device and demands a payment to decrypt them; specifically, the malware operators asked for 0.05 BTC to decrypt the affected files. This ransomware used the DiskCryptor software to encrypt files on the attacked computers.

This was distributed using drive-by attacks.

Drive-by attacks inject malicious code into the HTTP or PHP code of a page on an insecure website. The injected code can install malware directly onto the end device.

How to Detect the Ransomware

It used a fake Adobe Flash installer, served while the end user visits an insecure website. The victim has to unwittingly execute the malware on the end device himself. After that, the malware can self-propagate across the network. In Ukraine, Bad Rabbit attacked core transport infrastructure: there were delays at Odessa airport because all passenger details had to be processed manually, and subway systems were affected by payment delays at customer service terminals.

After the dropper has been installed, the files are encrypted and the ransom message shown above is displayed on the screen of the end device. It directs the user to a particular website, where the victim is warned with a countdown: the asked price must be paid before the timer expires in order to get the key to decrypt the files.

How the exploitation happens

Bad Rabbit's exploitation uses the EternalRomance RCE exploit. This method takes advantage of a flaw in Microsoft's Windows Server Message Block (SMB) protocol: by abusing it, the malware can transfer data between connected computers and thereby achieve remote code execution. It also contains code that lets remote attackers easily propagate from an infected computer to another one. Bad Rabbit can abuse both the Windows Management Instrumentation command-line (WMIC) and Server Message Block (SMB) for this.

As mentioned earlier, the malicious dropper needs to be manually executed by the end user. After that, the malicious DLL (Dynamic Link Library) is saved as ‘infpub.dat’. It then installs the malicious file ‘dispci.exe’ into Windows and creates a scheduled task to launch the ransomware; it also finds the invaded computer’s data files and encrypts them using a public RSA-2048 key. In addition, it installs a modified bootloader on the victim’s computer to prevent it from running the normal boot process, and the DiskCryptor driver ‘dcrypt.sys’ encrypts the partitions of the infected computer’s disk using the AES cipher in XTS mode.

How to Prevent the ransomware

  • Keep the system’s antivirus software up to date (if the system does not have one installed, install one first).
  • Avoid downloading or executing any Adobe Flash updates from untrusted sites, because the source of this ransomware lies in fake Adobe Flash updates. Make sure to download Adobe updates and software directly from Adobe.
  • As a safeguard, make sure to back up all the data in the system regularly.
  • Use a web filtering mechanism to block malicious sources. Make sure to check received emails twice before opening any files attached to them. Moreover, implementing multilayered security solutions to avoid receiving such emails is another way of preventing Bad Rabbit.
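The second point above (run only installers that genuinely come from the vendor) can be checked on the endpoint before the user double-clicks a download. The following PowerShell function is an added example, not part of the original article: it reads the Authenticode signature of a downloaded installer, checks that the chain validates and that the signer matches an expected vendor name, records the SHA-256 hash, and notes whether the file carries the Internet mark-of-the-web. The function name and the `$ExpectedSigner` default are assumptions to adjust per vendor.

```powershell
# Added example (not from the original article): vet a downloaded installer before running it.
# Assumptions: NTFS volume (for the Zone.Identifier stream); $ExpectedSigner is a placeholder
# substring of the vendor's certificate subject and must be set per vendor.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Substring expected in the signer certificate subject (assumption: adjust per vendor).
        [string]$ExpectedSigner = 'Adobe'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path         = $Path
        Status       = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        FromInternet = $false
        Trusted      = $false
    }

    # The Zone.Identifier alternate data stream records where the file came from (ZoneId=3 is Internet).
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone -match 'ZoneId=3') { $result.FromInternet = $true }

    # Trust only when the signature chain validates AND the signer is the expected vendor.
    # A fake "Flash update" dropped by a compromised site is typically unsigned or signed by someone else.
    if ($sig.Status -eq 'Valid' -and $result.Signer -match [regex]::Escape($ExpectedSigner)) {
        $result.Trusted = $true
    }

    [pscustomobject]$result
}

# Usage: inspect a download and only proceed when Trusted is $true.
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\flash_update.exe"
```

A `Status` of `NotSigned` or `HashMismatch` on a file that claims to be a vendor update is the signal the prevention list is describing; the SHA-256 value is what you would compare against the vendor's published hash or hand to your antivirus team.
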

How to take actions after the attack

  • To stop the spread of this attack over the network, try disabling the WMI service.
  • If the fake Adobe Flash update was accidentally downloaded, avoid executing any files with the paths c:\windows\cscc.dat and c:\windows\infpub.dat. It is better to block execution of these files using a GPO or another method. Another option is to create placeholder files at c:\windows\cscc.dat and c:\windows\infpub.dat on the machine, because the malware checks for the existence of these two files before infecting the system.
  • As a mitigation for the SMB vulnerability, US-CERT recommends that users disable SMBv1 and block the SMB-related ports 137, 138, 139, 389, 445 and 901, as well as other service-related ports. If an SMB service is needed, use strong passwords and make sure to change them from time to time.
  • In addition, remember not to store credentials as cookies.
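The four response steps above can be driven from one script on an affected or at-risk host. The PowerShell below is an added example, not part of the original article or any vendor tooling: it looks for the dropped files and any scheduled task pointing at dispci.exe (the artifacts named in the exploitation section), pre-creates the two placeholder files with all permissions stripped, disables server-side SMBv1, and, last, stops the WMI service. The indicator paths follow the article; `-Apply`, the use of `icacls /inheritance:r` for the placeholders, and the ordering (WMI last, because the SMB and task cmdlets depend on it) are assumptions of this example.

```powershell
# Added example (not from the original article): single-host triage for the post-attack steps.
# Assumptions: run in an elevated PowerShell; without -Apply the script only reports;
# file names come from the article, everything else is this example's choice.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$Indicators   = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat", "$env:SystemRoot\dispci.exe")
$Placeholders = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

# 1. Detection: dropped files (hashed for the incident record) and a persistence task for dispci.exe.
foreach ($f in $Indicators) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Warning "Indicator present: $f (SHA256 $hash) - preserve it for forensics, do not execute"
    }
}
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'dispci\.exe' }
} | ForEach-Object {
    Write-Warning "Scheduled task referencing dispci.exe: $($_.TaskPath)$($_.TaskName)"
}

# 2. Placeholder files: the article notes the malware checks for these before infecting.
#    Creating them empty and removing every ACE means the dropper can neither read nor replace them.
#    Existing files are left alone (they may be the real payload flagged in step 1).
foreach ($f in $Placeholders) {
    if (-not (Test-Path -LiteralPath $f)) {
        if ($Apply) {
            New-Item -ItemType File -Path $f -Force | Out-Null
            icacls $f /inheritance:r | Out-Null   # drop inherited ACEs -> empty DACL, no access
            Write-Output "Created locked placeholder $f"
        } else {
            Write-Output "Would create locked placeholder $f"
        }
    }
}

# 3. SMBv1 on the server side (the US-CERT recommendation quoted above).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "Disabled SMBv1 (server)"
    } else {
        Write-Output "SMBv1 is enabled on the server side; would disable it"
    }
}

# 4. WMI service, done last because the cmdlets above rely on it. Stopping Winmgmt also breaks
#    normal management tooling, so treat this as a containment measure, not a permanent setting.
$wmi = Get-Service -Name Winmgmt
if ($wmi.Status -eq 'Running') {
    if ($Apply) {
        Stop-Service -Name Winmgmt -Force
        Set-Service -Name Winmgmt -StartupType Disabled
        Write-Output "Stopped and disabled the WMI service"
    } else {
        Write-Output "WMI service is running; would stop and disable it for containment"
    }
}
```

Run it once without `-Apply` to see what it would change, review the warnings from step 1 against your antivirus alerts, and only then rerun with `-Apply` on hosts where the containment trade-off (no WMI, no SMBv1) is acceptable.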

This particular article was previously done as a survey for a university (SLIIT) by me and another colleague as undergraduates. All the information is genuine and not cited as-is from any website.
