On Tuesday morning, Oct. 24, 2017, organizations in Russia and Ukraine reported being hit with a ransomware outbreak that paralyzed their operations. Sporadic cases were also recorded in Turkey, Germany, Bulgaria and Japan, according to reports from different sources.
The malware, self-titled Bad Rabbit, is a ransomware code designed to encrypt and lock files on endpoints, then demand payment for their release. Bad Rabbit is also the name of a Dark Web site where victims are led to pay to have their files unlocked.
At the time of this writing, Bad Rabbit is understood to have mostly hit organizations in Russia. More specifically, it is breaking out on media outlets in the country. In statements delivered by some of the affected entities, it was reported that servers were down due to the ongoing attack.
In Ukraine, the attack hit critical infrastructure organizations in the transport sector. One of the victims is the Odessa airport, which is located in the third-largest city in the country, causing flight delays due to manual processing of passenger data. Ukraine also saw its subway system affected, causing payment delays on customer service terminals, although trains continued to run normally.
Bad Rabbit is the third disruptive ransomware outbreak this year, following the WannaCry and NotPetya worms that affected numerous organizations in the second quarter of 2017. That being said, Bad Rabbit’s propagation technique is not based on the same exploits, which may make it easier to contain overall.
Download the Ransomware Response Guide from IBM INCIDENT RESPONSE SERVICES
The Propagation of Bad Rabbit
Based on currently available information, unlike most financially motivated ransomware, Bad Rabbit does not spread via email. According to IBM X-Force, which analyzes billions of spam and malspam messages, Bad Rabbit was not sent in an email campaign. Some voices in the security community reckon that the outbreak is a targeted attack that may have been months in the making, but that’s yet to be confirmed.
To reach user endpoints, Bad Rabbit’s operators compromised news and media sites to have visitors redirected to malicious landing pages they control. On those pages, users were advised to install an Adobe Flash update, at which point a malicious download took place, delivering the malware dropper in what’s called a drive-by attack — not requesting any action to drop a file into the endpoint.
Those who went ahead and executed the file unknowingly unleashed the malware on their endpoints and saw their files encrypted. The malware operators’ note demands 0.05 BTC in ransom to unlock the files.
According to information from the security community, websites used to propagate the malware were hosted on the same servers that were used for distributing the NotPetya malware in June 2017. That network of predetermined websites was apparently being set up over time since July 2017.
A noteworthy mention by one security vendor reported that all companies were infected around the same time. That vendor speculated that attackers might already be in some of the victims’ systems. In that case, would the attackers not be able to launch the malware directly?
This question raises another option: Is it possible that at least one targeted email was sent to each victim with a lure to get them to one of the infected media sites in a watering hole-style attack? Once there was one infected user, the malware could have propagated onward from patient zero.
Moving Through Networks
Bad Rabbit spreads across networks using some tools to help it get to additional endpoints. According to IBM X-Force, the malware uses a Windows SMB feature, but it is unrelated to the method previously used by the EternalBlue exploit. Our researchers are also seeing the malware issue HTTP OPTIONS requests on port 80 for /admin$, suggesting the use of WebDAV as part of the scheme.
Moreover, Bad Rabbit appears to leverage the Mimikatz tool — which was built as a testing tool and not for malicious purposes, but is often used by attackers nonetheless — to retrieve the passwords of other users on the network. The malware also had some basic hardcoded passwords. Oddly enough, those were supposedly the most popular passwords used, according to the 1995 movie “Hackers.”
Payment Demand
Bad Rabbit demands 0.05 BTC in ransom to release the lock placed on encrypted files. At the time of this writing, 1 BTC goes for approximately $5,450, meaning that the initial ransom demand would be roughly $273. The ransom note appears on the infected endpoint’s screen, directing the user to access a dedicated web service.
Once on the attacker’s website, which is hosted on the Tor network to keep the communication anonymized, the victim is warned that he or she only has about 41 hours to pay. The victim is then shown a countdown clock that awaits a “password” — the decryption key to unlock his or her files. At the time of this notice, it has not been confirmed that the attackers can indeed decrypt the files.
An Ongoing Situation
The Bad Rabbit attacks are developing as security vendors release more information and organizations learn more and contain the attacks. If you’re an IBM customer, please browse to X-Force Exchange for a dedicated page on responding to the Bad Rabbit attacks with IBM Security products. For technical updates directly from IBM Security’s X-Force Research, please access our X-Force Exchange collection, where our research and incident response teams will provide information as this situation unfolds.
All organizations are strongly advised to inform employees about the outbreak, explain the flow of infection and remain extremely vigilant about Bad Rabbit in the coming hours and days.
Bad Rabbit has not affected companies in the U.S. as of the time of this release, although one antivirus vendor indicated that its telemetry is showing some infections in the U.S. Given this, if any sign of infection does occur, inform the FBI’s Internet Crime Complaint Center (IC3) upon discovering it.
Outside the U.S., organizations are encouraged to inform their Community Emergency Response Team (CERT) and e-crime police about any infections linked with the Bad Rabbit campaign.
If you believe your company has been impacted and you need assistance, please call your IBM X-Force 24×7 Incident Response Hotline:
IRIS EMEA 24×7 Hotline
UAE: (+971) 800 044 424 17
IRIS North America 24×7 Hotline
USA: (+1) 888 241 9812
Denmark: (+45) 4331 4987
Finland: (+358) 9725 22099
Latvia: (+371) 6616 3849
Norway: (+47) 2302 4798
Saudi Arabia: (+966) 800 844 3872
Saudi Arabia: (+966) 800 850 0399
Sweden: (+46) 8502 52313
UK: (+44) 20 3684 4872
Don’t Pay Ransomware Attackers
According to an IBM survey, 70 percent of businesses previously hit by ransomware indicated that they had paid the ransom to recover company data. Of that portion, 50 percent paid over $10,000, and 20 percent paid over $40,000. It’s important to note that paying attackers does not guarantee regaining access.
Organizations and individuals affected by Bad Rabbit are advised against paying the attackers. As of the time of this writing, antivirus vendors have released signatures and some decryption options that can help unlock encrypted files.
The attack was most likely designed for disruption rather than financial gain. More advice about containment and IBM product coverage will be made available in the coming hours.
For general advice on keeping your systems safe from ransomware, please review our Ransomware Response Guide.
Principal Consultant, X-Force Cyber Crisis Management, IBM