ngCERT Advisory on BadRabbit Ransomware
Date: 27 October, 2017
A new strain of ransomware called BadRabbit (Ransom.BadRabbit) is reported to have struck organizations, with the vast majority of infection attempts seen on computers in Russia and Ukraine. The ransomware bears similarities to the WannaCry and Petya outbreaks earlier this year, which were reported to have caused damage running into billions of pounds around the world. Because BadRabbit is self-propagating and can spread across corporate networks, organizations are advised to remain particularly vigilant.
DESCRIPTION AND CONSEQUENCES
The initial infection method is a drive-by download from compromised websites: the malware is disguised as a fake update to Adobe Flash Player. The download is served from a domain named 1dnscontrol[dot]com, although visitors may have been redirected there from another compromised website. Once installed on the victim's computer, BadRabbit attempts to spread across the network via SMB (Server Message Block). To obtain the credentials it needs, BadRabbit comes packaged with a version of Mimikatz (Hacktool.Mimikatz), a credential-harvesting tool that can elevate its privileges and recover Windows passwords in plaintext from memory. The malware also carries a hardcoded list of commonly used default usernames and passwords, which it tries against other hosts on the network.
Once individual files are encrypted, BadRabbit performs a full disk encryption. After the system is restarted, a ransom note is displayed demanding 0.05 Bitcoin (approximately US$280), as shown in the figure below.
Figure: ransom note displayed on an infected system.
On a general note, it is advisable to always back up your data. Never pay the ransom: payment does not guarantee that your files will be recovered, and refusing to pay discourages future ransomware attacks. In addition, stakeholders are advised to do the following in order to remain safe:
1. Create a file called “c:\windows\infpub.dat” and remove all write permissions on it. The malware writes its payload to this path, so a pre-existing file it cannot overwrite should keep it from encrypting your files.
2. Disable the Windows Management Instrumentation (WMI) service to prevent the malware from spreading across the network. Note that this also breaks legitimate management and monitoring tooling that relies on WMI, so treat it as a temporary emergency measure and re-enable the service once the threat has passed.
3. Block execution of the files “C:\windows\infpub.dat” and “C:\windows\cscc.dat”.
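The three steps above applied to a single host, as an added PowerShell example that is not part of the ngCERT advisory. The two file paths are the ones listed in the advisory; the use of icacls deny entries, the opt-in -DisableWmi switch, the "file already exists" check and the Test-VaccineFile verification function are this example's own choices and assumptions.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not ngCERT's script): applies steps 1-3 of the advisory to one host.
  Assumptions: file paths come from the advisory; the ACL handling, the opt-in WMI
  switch and the "already exists" check are this example's own design choices.
  Run from an elevated prompt, e.g.:  .\Harden-BadRabbit.ps1 -DisableWmi
#>
param(
    # Disabling WMI breaks SCCM, monitoring agents and Get-WmiObject, so it is opt-in.
    [switch]$DisableWmi
)

# Files the dropper expects to write (from the advisory). We pre-create them and deny
# everyone write/append/delete/execute, which covers both step 1 and step 3.
$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')
$everyoneSid  = '*S-1-1-0'   # well-known SID for Everyone; icacls takes SIDs with a leading *

# Returns $true when the file carries a Deny ACE for Everyone that includes
# WriteData, ExecuteFile and Delete. Explicit Deny entries are evaluated before
# inherited Allow entries, so this blocks SYSTEM and Administrators as well.
function Test-VaccineFile {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    if (-not $deny) { return $false }
    $rights = 0
    foreach ($ace in $deny) { $rights = $rights -bor [int]$ace.FileSystemRights }
    $needed = [int][System.Security.AccessControl.FileSystemRights]'WriteData, ExecuteFile, Delete'
    return (($rights -band $needed) -eq $needed)
}

foreach ($path in $vaccineFiles) {
    if (Test-Path -LiteralPath $path) {
        # A copy we did not create is a possible indicator of compromise: do not touch it.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning "$path already exists (SHA256 $hash). Leave it in place and report the host."
        continue
    }

    # Steps 1 and 3: empty placeholder, read-only, then an explicit Deny for Everyone on
    # WD (write data), AD (append), WEA/WA (write attributes), X (execute), DE (delete).
    New-Item -Path $path -ItemType File | Out-Null
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    & icacls.exe $path /deny "${everyoneSid}:(WD,AD,WEA,WA,X,DE)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path (exit code $LASTEXITCODE)" }

    if (Test-VaccineFile -Path $path) {
        Write-Host "Locked $path : Everyone denied write/execute/delete"
    } else {
        Write-Warning "$path was created but the deny entry is missing; check the ACL manually"
    }
}

# Step 2 (opt-in): stop and disable WMI so the malware cannot use it to reach other hosts.
if ($DisableWmi) {
    $svc = Get-Service -Name Winmgmt
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Winmgmt -Force }  # -Force also stops dependents
    Set-Service -Name Winmgmt -StartupType Disabled
    Write-Host 'WMI (Winmgmt) stopped and disabled. Re-enable after the incident with:'
    Write-Host '  Set-Service -Name Winmgmt -StartupType Automatic; Start-Service -Name Winmgmt'
}
```

The script adds a Deny entry rather than stripping the inherited Allow entries, because Windows evaluates explicit Deny ACEs before inherited Allow ACEs; the result is that no account, SYSTEM included, can overwrite, delete or execute the placeholder, while the ACL stays readable for verification. This "vaccine" is a stopgap that relies on the malware not taking ownership and rewriting the ACL; it does not replace patching, network segmentation and offline backups. The WMI step is deliberately opt-in because stopping Winmgmt with -Force also stops every service that depends on it.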
If an infected computer is identified, power off the system using the hardware power switch and promptly report the incident to this email address: firstname.lastname@example.org, or through the “Report an Incident” icon available at www.cert.gov.ng.