On Tuesday morning, Oct. 24, 2017, organizations in Russia and Ukraine reported being hit with a ransomware outbreak that paralyzed their operations. Sporadic cases were also recorded in Turkey, Germany, Bulgaria and Japan, according to reports from different sources.

The malware, self-titled Bad Rabbit, is a ransomware strain designed to encrypt and lock files on endpoints, then demand payment for their release. Bad Rabbit is also the name of the Dark Web site to which victims are directed to pay to have their files unlocked.

At the time of this writing, Bad Rabbit is understood to have mostly hit organizations in Russia, and more specifically media outlets in the country. In statements delivered by some of the affected entities, it was reported that servers were down due to the ongoing attack.

In Ukraine, the attack hit critical infrastructure organizations in the transport sector. One of the victims is the Odessa airport, located in the third-largest city in the country, where passenger data had to be processed manually, causing flight delays. Ukraine’s subway system was also affected, causing payment delays on customer service terminals, although trains continued to run normally.

Bad Rabbit is the third disruptive ransomware outbreak this year, following the WannaCry and NotPetya worms that affected numerous organizations in the second quarter of 2017. That being said, Bad Rabbit’s propagation technique is not based on the same exploits, which may make it easier to contain overall.


The Propagation of Bad Rabbit

Based on currently available information, unlike most financially motivated ransomware, Bad Rabbit does not spread via email. According to IBM X-Force, which analyzes billions of spam and malspam messages, Bad Rabbit was not sent in an email campaign. Some voices in the security community reckon that the outbreak is a targeted attack that may have been months in the making, but that’s yet to be confirmed.

To reach user endpoints, Bad Rabbit’s operators compromised news and media sites to redirect visitors to malicious landing pages under their control. On those pages, users were advised to install an Adobe Flash update, at which point a malicious download took place, delivering the malware dropper in what is called a drive-by attack: no user action is needed to drop the file onto the endpoint.

Those who went ahead and executed the file unknowingly unleashed the malware on their endpoints and saw their files encrypted. The malware operators’ note demands 0.05 BTC in ransom to unlock the files.

According to information from the security community, websites used to propagate the malware were hosted on the same servers that were used for distributing the NotPetya malware in June 2017. That network of predetermined websites was apparently being set up over time since July 2017.

One security vendor noted that all affected companies were infected around the same time and speculated that the attackers might already have been present in some of the victims’ systems. If that were the case, would the attackers not have been able to launch the malware directly?

This question raises another option: Is it possible that at least one targeted email was sent to each victim with a lure to get them to one of the infected media sites in a watering hole-style attack? Once there was one infected user, the malware could have propagated onward from patient zero.

Moving Through Networks

Bad Rabbit spreads across networks using several tools that help it reach additional endpoints. According to IBM X-Force, the malware uses a Windows SMB feature, but the method is unrelated to the one used by the EternalBlue exploit. Our researchers are also seeing the malware issue HTTP OPTIONS requests on port 80 for /admin$, suggesting the use of WebDAV as part of the scheme.
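The HTTP OPTIONS requests for /admin$ described above give defenders a concrete thing to hunt for in web proxy or network sensor logs. The following script is an added example and not part of the original IBM post; it assumes a simplified, tab-separated Zeek-style http.log layout (the column order in FIELDS is an assumption) and runs over constructed log lines. It flags internal hosts that send OPTIONS /admin$ on port 80 to several distinct internal peers, since that fan-out, rather than any single request, is what distinguishes a spreading infection from an administrator’s tooling.

```python
"""Detect Bad Rabbit-style OPTIONS /admin$ probing in HTTP logs.

Added example, not code from the original post.  Assumes a simplified
tab-separated Zeek-style http.log with the column order in FIELDS;
the SAMPLE_LOG lines below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Assumed column layout of each log line (constructed, Zeek http.log-like).
FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "method", "uri")

# Constructed sample: 10.0.5.23 probes four internal peers for /admin$,
# while other hosts generate ordinary or non-matching traffic.
SAMPLE_LOG = """\
1508832000.100\t10.0.5.23\t49211\t10.0.5.40\t80\tOPTIONS\t/admin$
1508832000.350\t10.0.5.23\t49212\t10.0.5.41\t80\tOPTIONS\t/admin$
1508832000.600\t10.0.5.23\t49213\t10.0.5.42\t80\tOPTIONS\t/admin$
1508832001.900\t10.0.5.23\t49214\t10.0.5.43\t80\tOPTIONS\t/admin$
1508832002.100\t10.0.5.77\t50100\t93.184.216.34\t80\tGET\t/index.html
1508832003.000\t10.0.5.88\t50200\t10.0.5.40\t80\tOPTIONS\t/
1508832004.000\t10.0.5.99\t50300\t10.0.5.41\t80\tPROPFIND\t/admin$
"""


def parse_http_log(text):
    """Parse tab-separated lines into dicts keyed by FIELDS; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def is_admin_share_probe(rec):
    """True for an HTTP OPTIONS request for /admin$ on port 80, the pattern
    reported for Bad Rabbit's WebDAV-style spreading."""
    return (rec["method"].upper() == "OPTIONS"
            and rec["resp_p"] == "80"
            and rec["uri"].lower().rstrip("/") == "/admin$")


def find_spreaders(records, min_targets=3):
    """Return {source: sorted targets} for internal hosts that probe at least
    `min_targets` distinct internal peers for /admin$.  Only private-to-private
    traffic is counted, so external scanners and outbound browsing are ignored."""
    targets = defaultdict(set)
    for rec in records:
        if not is_admin_share_probe(rec):
            continue
        src = ipaddress.ip_address(rec["orig_h"])
        dst = ipaddress.ip_address(rec["resp_h"])
        if src.is_private and dst.is_private:
            targets[rec["orig_h"]].add(rec["resp_h"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_spreaders(parse_http_log(SAMPLE_LOG)).items():
        print(f"possible Bad Rabbit spreader {src} -> {', '.join(dsts)}")
```

The `min_targets` threshold is deliberately conservative: one OPTIONS /admin$ request can come from a vulnerability scanner or a file-management tool, but a workstation contacting many peers with that exact request within seconds matches the worm-like behaviour described above and is worth isolating while the host is examined.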

Moreover, Bad Rabbit appears to leverage the Mimikatz tool — which was built as a testing tool and not for malicious purposes, but is often used by attackers nonetheless — to retrieve the passwords of other users on the network. The malware also carries a short list of hardcoded passwords. Oddly enough, those are reportedly the “most popular” passwords cited in the 1995 movie “Hackers.”

Payment Demand

Bad Rabbit demands 0.05 BTC in ransom to release the lock placed on encrypted files. At the time of this writing, 1 BTC goes for approximately $5,450, meaning that the initial ransom demand would be roughly $273. The ransom note appears on the infected endpoint’s screen, directing the user to access a dedicated web service.

Once on the attacker’s website, which is hosted on the Tor network to keep the communication anonymized, the victim is warned that he or she only has about 41 hours to pay. The victim is then shown a countdown clock that awaits a “password” — the decryption key to unlock his or her files. At the time of this notice, it has not been confirmed that the attackers can indeed decrypt the files.

An Ongoing Situation

The Bad Rabbit attacks are developing as security vendors release more information and organizations learn more and contain the attacks. If you’re an IBM customer, please browse to X-Force Exchange for a dedicated page on responding to the Bad Rabbit attacks with IBM Security products. For technical updates directly from IBM Security’s X-Force Research, please access our X-Force Exchange collection, where our research and incident response teams will provide information as this situation unfolds.

All organizations are strongly advised to inform employees about the outbreak, explain the flow of infection and remain extremely vigilant about Bad Rabbit in the coming hours and days.

Bad Rabbit has not affected companies in the U.S. as of the time of this release, although one antivirus vendor indicated that its telemetry is showing some infections in the U.S. Given this, if any sign of infection does occur, inform the FBI’s Internet Crime Complaint Center (IC3) upon discovering it.

Outside the U.S., organizations are encouraged to inform their national Computer Emergency Response Team (CERT) and e-crime police about any infections linked with the Bad Rabbit campaign.

If you believe your company has been impacted and you need assistance, please call your IBM X-Force 24×7 Incident Response Hotline:

IRIS EMEA 24×7 Hotline

UAE: (+971) 800 044 424 17

Denmark: (+45) 4331 4987

Finland: (+358) 9725 22099

Latvia: (+371) 6616 3849

Norway: (+47) 2302 4798

Saudi Arabia: (+966) 800 844 3872

Saudi Arabia: (+966) 800 850 0399

Sweden: (+46) 8502 52313

UK: (+44) 20 3684 4872

IRIS North America 24×7 Hotline

USA: (+1) 888 241 9812

Don’t Pay Ransomware Attackers

According to an IBM survey, 70 percent of businesses previously hit by ransomware indicated that they had paid the ransom to recover company data. Of that portion, 50 percent paid over $10,000, and 20 percent paid over $40,000. It’s important to note that paying attackers does not guarantee regaining access.

Organizations and individuals affected by Bad Rabbit are advised against paying the attackers. As of the time of this writing, antivirus vendors have released signatures and some decryption options that can help unlock encrypted files.

The attack was most likely designed for disruption rather than financial gain. More advice about containment and IBM product coverage will be made available in the coming hours.

For general advice on keeping your systems safe from ransomware, please review our Ransomware Response Guide.
