An outbreak of Bad Rabbit (also called Diskcoder), which shares code with the Petya and NotPetya ransomware, was reported on October 25 in Eastern Europe. Bad Rabbit was responsible for a spate of recent attacks on three Russian websites as well as the underground railway system in Kiev, the capital of Ukraine. A small number of systems in Germany and Turkey have also fallen victim to the ransomware. AhnLab provides a detailed analysis of this previously unseen form of ransomware, which spread through Eastern Europe.
Bad Rabbit ransomware (also called Diskcoder) infects systems via the Windows file-sharing protocol SMB.
The primary distribution method for this ransomware is via drive-by-download (DBD), and the initial dropper is disguised as an installation file for the Adobe Flash Player.
[Figure 1] Bad Rabbit ransomware file components and execution flow
The dropper shown in Figure 1 delivers a DLL file that carries out the malicious activities, executing it via Rundll32.exe. When the payload is executed, a parameter value is passed as shown in the table below; the value “15” is later used to determine the time parameter when the malware issues a reboot command.
The DLL that is run as shown above performs the following functions:
- File encryption
- Lateral distribution via network
- Dropping files for MBR modification and boot partition encryption
2. Activities: MBR Modification
The file for modifying the MBR and encrypting the boot partition is dropped by infpub.dat as indicated above. As shown in Figure 2, the resource section of the file contains the data used for modifying the MBR; this data is read in and written over the original MBR, corrupting it.
[Figure 2] Data for MBR modification in the resource section of dispci.exe
After the modification is complete, the original MBR is backed up onto the boot partition; a public key is used to encrypt the user information and AES key value.
3. Activities: Boot Partition Encryption
cscc.dat is the driver file of an open-source partition encryption solution (dcrypt, see Figure 3). It is loaded and activated after the system is rebooted.
The main payload dispci.exe, as noted above, uses the DeviceIoControl API to send control codes to the driver, which then performs the encryption of the boot partition.
[Figure 3] Section of the program where dispci.exe uses cscc.dat (dcrypt)
The infpub.dat mentioned earlier takes the given value “15” and the time of file execution, and uses the calculated value as the amount of time (in minutes) allowed to elapse before the system is rebooted. After the initial reboot, the driver file is loaded and run.
The scheduled task performs a single reboot, and Figure 4 shown below is the screen that is displayed after the MBR and boot partition are fully modified and encrypted, and the system is rebooted.
[Figure 4] Screen after system reboot
4. Activities: File Encryption
The main feature of ransomware is the encryption of the infected system’s files, and Bad Rabbit is no exception as it targets files for encryption based on their extensions. The AES key is generated via the CryptGenRandom API and a special routine, and the public key is hard-coded in the program.
[Figure 5] Hard-coded public key
5. Activities: Demanding Ransom
Once all the targeted files are encrypted, it displays a ransom note.
6. Activities: Account Information Theft (Mimikatz)
In addition to the activities outlined above, Bad Rabbit attempts to obtain account information. It creates a [RandomNumber].tmp file to acquire the credentials for remote access.
7. Activities: Internal Proliferation via ADMIN$ and SMB
Bad Rabbit uses the ADMIN$ share folder and the SMB vulnerability to further propagate itself.
To use the SMB exploit, the ransomware scans ports 139 and 445 and attempts to authenticate to the network using usernames and passwords for an IPC$ connection. Once authenticated, the malware begins copying files through ADMIN$.
The table below is a partial list of the predefined usernames and passwords that Bad Rabbit tries in its attempts to force its way in:
Since Bad Rabbit infects and proliferates via SMB, it is recommended to configure strong passwords if shared folders must be used.
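As an added illustration of how a defender could spot two of the behaviours described above (Rundll32.exe launching the payload DLL shipped as infpub.dat, and one process fanning out to SMB ports 139/445 across many hosts as in section 7), here is a small detection routine run over constructed endpoint telemetry. It is not AhnLab's code; the event shape, host addresses and the rundll32 entry-point name are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the report): one dict per
# endpoint event, in a generic process-create / network-connect shape.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\infpub.dat,EntryPoint 15"},  # entry name is hypothetical
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # benign baseline
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dst": "10.0.0.5", "port": 445},
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dst": "10.0.0.6", "port": 445},
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dst": "10.0.0.7", "port": 139},
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dst": "10.0.0.8", "port": 445},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dst": "10.0.0.20", "port": 445},
]

SMB_PORTS = {139, 445}
DLL_LIKE = {".dll", ".cpl", ".ocx"}
# The first argument after rundll32[.exe] is the module; ",Export" and later args are dropped.
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', re.IGNORECASE)


def odd_rundll32_modules(events):
    """Rule 1: rundll32 loading a module whose extension is not a DLL-style one.
    Bad Rabbit's payload DLL is shipped as infpub.dat and launched this way."""
    hits = []
    for ev in events:
        if ev["type"] != "process" or not ev["image"].lower().endswith("rundll32.exe"):
            continue
        m = RUNDLL_MODULE.search(ev["cmdline"])
        if m is None:
            continue
        module = m.group(1)
        ext = module[module.rfind("."):].lower() if "." in module else ""
        if ext not in DLL_LIKE:
            hits.append(module)
    return hits


def smb_fanout(events, min_hosts=3):
    """Rule 2: one process reaching SMB ports on many distinct hosts, the network
    footprint of the ADMIN$/IPC$ spreading described in section 7."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["type"] == "network" and ev["port"] in SMB_PORTS:
            hosts[ev["image"]].add(ev["dst"])
    return {img: len(h) for img, h in hosts.items() if len(h) >= min_hosts}
```

Both rules are heuristics: legitimate administration tools also touch SMB on many hosts, so the fan-out threshold should be tuned against the environment's baseline before alerting on it.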
The Bad Rabbit (also called DiskCoder) aliases identified by AhnLab’s security solutions are as below:
<Aliases identified by AhnLab V3>
- Trojan/Win32.Diskcoder (2017.10.25.04)
- Trojan/Win64.WinCred (2017.10.25.04)
- Trojan/Win32.WinCred (2017.10.25.04)
<Aliases identified by AhnLab MDS>
- Trojan/Win32.Diskcoder (signature-based detection)
- Malware/MDP.SystemManipulation (behavior-based detection)