On Tuesday morning, Oct. 24, 2017, organizations in Russia and Ukraine reported being hit with a ransomware outbreak that paralyzed their operations. Sporadic cases were also recorded in Turkey, Germany, Bulgaria and Japan, according to reports from different sources.

The malware, self-titled Bad Rabbit, is a ransomware code designed to encrypt and lock files on endpoints, then demand payment for their release. Bad Rabbit is also the name of a Dark Web site where victims are led to pay to have their files unlocked.

At the time of this writing, Bad Rabbit is understood to have mostly hit organizations in Russia, where the outbreak is concentrated at media outlets. In statements delivered by some of the affected entities, it was reported that servers were down due to the ongoing attack.

In Ukraine, the attack hit critical infrastructure organizations in the transport sector. One of the victims is the Odessa airport, which is located in the third-largest city in the country, causing flight delays due to manual processing of passenger data. Ukraine also saw its subway system affected, causing payment delays on customer service terminals, although trains continued to run normally.

Bad Rabbit is the third disruptive ransomware outbreak this year, following the WannaCry and NotPetya worms that affected numerous organizations in the second quarter of 2017. That being said, Bad Rabbit’s propagation technique is not based on the same exploits, which may make it easier to contain overall.


The Propagation of Bad Rabbit

Based on currently available information, unlike most financially motivated ransomware, Bad Rabbit does not spread via email. According to IBM X-Force, which analyzes billions of spam and malspam messages, Bad Rabbit was not sent in an email campaign. Some voices in the security community reckon that the outbreak is a targeted attack that may have been months in the making, but that’s yet to be confirmed.

To reach user endpoints, Bad Rabbit’s operators compromised news and media sites to have visitors redirected to malicious landing pages they control. On those pages, users were advised to install an Adobe Flash update, at which point a malicious download took place, delivering the malware dropper in what’s called a drive-by attack: no action beyond visiting the page was required for the file to be dropped onto the endpoint.

Those who went ahead and executed the file unknowingly unleashed the malware on their endpoints and saw their files encrypted. The malware operators’ note demands 0.05 BTC in ransom to unlock the files.

According to information from the security community, websites used to propagate the malware were hosted on the same servers that were used for distributing the NotPetya malware in June 2017. That network of predetermined websites was apparently being set up over time since July 2017.

One security vendor noted that all affected companies were infected at around the same time, and speculated that the attackers might already have had a presence in some of the victims’ systems. If that were the case, would the attackers not have been able to launch the malware directly?

This question raises another option: Is it possible that at least one targeted email was sent to each victim with a lure to get them to one of the infected media sites in a watering hole-style attack? Once there was one infected user, the malware could have propagated onward from patient zero.

Moving Through Networks

Bad Rabbit spreads across networks using some tools to help it get to additional endpoints. According to IBM X-Force, the malware uses a Windows SMB feature, but it is unrelated to the method previously used by the EternalBlue exploit. Our researchers are also seeing the malware issue HTTP OPTIONS requests on port 80 for /admin$, suggesting the use of WebDAV as part of the scheme.
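The HTTP OPTIONS requests for /admin$ described above are a detectable artifact of the lateral-movement behaviour. The following is an added example, not IBM X-Force’s own tooling: a small Python parser that scans access-log lines for WebDAV-style requests (OPTIONS, PROPFIND) aimed at Windows administrative share names and reports which internal hosts issued them. The log lines are constructed for illustration, the threshold is an assumed tuning value, and the inclusion of C$ and IPC$ alongside ADMIN$ generalizes beyond the single path the article names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/NGINX "combined"-style format; not real telemetry.
# Host 10.0.0.21 shows the pattern described in the article: OPTIONS requests for /admin$.
SAMPLE_LOG = """\
10.0.0.15 - - [24/Oct/2017:09:12:01 +0300] "GET /index.html HTTP/1.1" 200 5120
10.0.0.21 - - [24/Oct/2017:09:12:04 +0300] "OPTIONS /admin$ HTTP/1.1" 405 0
10.0.0.21 - - [24/Oct/2017:09:12:05 +0300] "OPTIONS /admin$ HTTP/1.1" 405 0
10.0.0.33 - - [24/Oct/2017:09:12:09 +0300] "OPTIONS / HTTP/1.1" 200 0
10.0.0.21 - - [24/Oct/2017:09:12:11 +0300] "PROPFIND /admin$ HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Windows administrative share names. Requesting them over HTTP/WebDAV instead of SMB
# is unusual for ordinary clients. ADMIN$ is from the article; C$/IPC$ are an assumed extension.
ADMIN_SHARE_PATHS = {"/admin$", "/c$", "/ipc$"}
WEBDAV_METHODS = {"OPTIONS", "PROPFIND"}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_admin_share_probes(log_text):
    """Return {source_ip: [(timestamp, method, path), ...]} for WebDAV-style
    requests whose path is an administrative share name."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in WEBDAV_METHODS and rec["path"].lower() in ADMIN_SHARE_PATHS:
            hits[rec["src"]].append((rec["ts"], rec["method"], rec["path"]))
    return dict(hits)

def suspicious_sources(log_text, threshold=2):
    """Sources with at least `threshold` admin-share probes (assumed tuning value)."""
    probes = find_admin_share_probes(log_text)
    return sorted(src for src, h in probes.items() if len(h) >= threshold)

if __name__ == "__main__":
    for src, probes in find_admin_share_probes(SAMPLE_LOG).items():
        print(f"{src}: {len(probes)} admin-share probe(s)")
        for ts, method, path in probes:
            print(f"  {ts} {method} {path}")
```

On a real deployment the same check would run over IIS or proxy logs, where the port field can additionally be constrained to 80 as the article describes.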

Moreover, Bad Rabbit appears to leverage the Mimikatz tool — which was built as a testing tool and not for malicious purposes, but is often used by attackers nonetheless — to retrieve the passwords of other users on the network. The malware also carries a short list of hardcoded passwords. Oddly enough, that list is supposedly made up of the most popular passwords as cited in the 1995 movie “Hackers.”

Payment Demand

Bad Rabbit demands 0.05 BTC in ransom to release the lock placed on encrypted files. At the time of this writing, 1 BTC goes for approximately $5,450, meaning that the initial ransom demand would be roughly $273. The ransom note appears on the infected endpoint’s screen, directing the user to access a dedicated web service.

Once on the attacker’s website, which is hosted on the Tor network to keep the communication anonymized, the victim is warned that he or she only has about 41 hours to pay. The victim is then shown a countdown clock that awaits a “password” — the decryption key to unlock his or her files. At the time of this notice, it has not been confirmed that the attackers can indeed decrypt the files.

An Ongoing Situation

The Bad Rabbit attacks are developing as security vendors release more information and organizations learn more and contain the attacks. If you’re an IBM customer, please browse to X-Force Exchange for a dedicated page on responding to the Bad Rabbit attacks with IBM Security products. For technical updates directly from IBM Security’s X-Force Research, please access our X-Force Exchange collection, where our research and incident response teams will provide information as this situation unfolds.

All organizations are strongly advised to inform employees about the outbreak, explain the flow of infection and remain extremely vigilant about Bad Rabbit in the coming hours and days.

Bad Rabbit has not affected companies in the U.S. as of the time of this release, although one antivirus vendor indicated that its telemetry is showing some infections in the U.S. Given this, if any sign of infection does occur, inform the FBI’s Internet Crime Complaint Center (IC3) upon discovering it.

Outside the U.S., organizations are encouraged to inform their national Computer Emergency Response Team (CERT) and e-crime police about any infections linked with the Bad Rabbit campaign.

If you believe your company has been impacted and you need assistance, please call your IBM X-Force 24×7 Incident Response Hotline:

IRIS EMEA 24×7 Hotline

UAE: (+971) 800 044 424 17

Denmark: (+45) 4331 4987

Finland: (+358) 9725 22099

Latvia: (+371) 6616 3849

Norway: (+47) 2302 4798

Saudi Arabia: (+966) 800 844 3872

Saudi Arabia: (+966) 800 850 0399

Sweden: (+46) 8502 52313

UK: (+44) 20 3684 4872

IRIS North America 24×7 Hotline

USA: (+1) 888 241 9812

Don’t Pay Ransomware Attackers

According to an IBM survey, 70 percent of businesses previously hit by ransomware indicated that they had paid the ransom to recover company data. Of that portion, 50 percent paid over $10,000, and 20 percent paid over $40,000. It’s important to note that paying attackers does not guarantee regaining access.

Organizations and individuals affected by Bad Rabbit are advised against paying the attackers. As of the time of this writing, antivirus vendors have released signatures and some decryption options that can help unlock encrypted files.

The attack was most likely designed for disruption rather than financial gain. More advice about containment and IBM product coverage will be made available in the coming hours.

For general advice on keeping your systems safe from ransomware, please review our Ransomware Response Guide.
