On Tuesday morning, Oct. 24, 2017, organizations in Russia and Ukraine reported being hit with a ransomware outbreak that paralyzed their operations. Sporadic cases were also recorded in Turkey, Germany, Bulgaria and Japan, according to reports from different sources.

The malware, which calls itself Bad Rabbit, is ransomware designed to encrypt files on endpoints and lock users out of them, then demand payment for their release. Bad Rabbit is also the name of the Dark Web site to which victims are directed to pay for the decryption of their files.

At the time of this writing, Bad Rabbit is understood to have mostly hit organizations in Russia, and media outlets in particular. In statements delivered by some of the affected entities, it was reported that servers were down due to the ongoing attack.

In Ukraine, the attack hit critical infrastructure organizations in the transport sector. One of the victims is the airport in Odessa, the third-largest city in the country, where passenger data had to be processed manually, causing flight delays. Ukraine's subway system was also affected, with payment delays at customer service terminals, although trains continued to run normally.

Bad Rabbit is the third disruptive ransomware outbreak this year, following the WannaCry and NotPetya worms that affected numerous organizations in the second quarter of 2017. That being said, Bad Rabbit’s propagation technique is not based on the same exploits, which may make it easier to contain overall.


The Propagation of Bad Rabbit

Based on currently available information, and unlike most financially motivated ransomware, Bad Rabbit does not spread via email. According to IBM X-Force, which analyzes billions of spam and malspam messages, Bad Rabbit was not sent in an email campaign. Some in the security community believe the outbreak is a targeted attack that may have been months in the making, but that has yet to be confirmed.

To reach user endpoints, Bad Rabbit's operators compromised news and media sites so that visitors were redirected to malicious landing pages under the attackers' control. Those pages advised users to install an Adobe Flash update; accepting the prompt downloaded the malware dropper in what is called a drive-by download, meaning no further action was needed to place the file on the endpoint. The dropper still had to be run by the user, however, which is the step that actually starts the infection.

Those who went ahead and executed the file unknowingly unleashed the malware on their endpoints and saw their files encrypted. The malware operators’ note demands 0.05 BTC in ransom to unlock the files.

According to information from the security community, the websites used to propagate the malware were hosted on the same servers that were used to distribute the NotPetya malware in June 2017. That network of prepared websites had apparently been built up gradually since July 2017.

One security vendor noted that all the affected companies were infected at roughly the same time, and speculated that the attackers might already have had access to some of the victims' systems. If that were the case, why would the attackers not simply launch the malware directly?

This question raises another possibility: at least one targeted email may have been sent to each victim with a lure leading to one of the compromised media sites, in a watering hole-style attack. Once a single user was infected, the malware could have propagated onward from that patient zero.

Moving Through Networks

Bad Rabbit spreads across networks using built-in Windows functionality and bundled tools to reach additional endpoints. According to IBM X-Force, the malware uses a Windows SMB feature, but one unrelated to the method previously used by the EternalBlue exploit. Our researchers are also seeing the malware issue HTTP OPTIONS requests on port 80 for /admin$, suggesting the use of WebDAV as part of the scheme. Windows' WebDAV redirector issues exactly this kind of request when a UNC path such as \\host\admin$ cannot be reached over SMB, so workstations making OPTIONS /admin$ requests to their peers are a useful network-level indicator of attempts to reach the ADMIN$ share on neighboring hosts.

Moreover, Bad Rabbit appears to leverage the Mimikatz tool, which was built for security testing rather than malicious use but is frequently abused by attackers, to retrieve the credentials of other users on the network. The malware also carries a short list of hardcoded passwords to try against other hosts. Oddly enough, these are supposedly the passwords named as the most commonly used in the 1995 movie "Hackers."
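The two network-level behaviors described in this section, WebDAV OPTIONS requests for /admin$ and one host reusing harvested or hardcoded credentials against every reachable neighbor over SMB, can both be spotted in flow or proxy telemetry. The script below is an added example written for this article; it is not IBM X-Force tooling or code from the original post. The log format, IP addresses, timestamps and thresholds are all constructed for illustration and would need to be mapped onto your own telemetry.

```python
"""Flag Bad Rabbit-style lateral movement in constructed network log lines.

Added example, not IBM X-Force tooling. The record format is invented for
this illustration, one record per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto> <detail>
"""
from collections import defaultdict

# Constructed sample: workstation 10.0.0.15 fans out to six peers on 445 (SMB)
# within a few seconds and, where SMB access to ADMIN$ fails, the Windows
# WebDAV redirector falls back to "OPTIONS /admin$" over port 80.
# The other two sources are normal single-destination traffic.
SAMPLE_LOG = """\
1508835600 10.0.0.15 10.0.0.21 445 SMB connect
1508835601 10.0.0.15 10.0.0.21 80 HTTP OPTIONS /admin$
1508835602 10.0.0.15 10.0.0.22 445 SMB connect
1508835603 10.0.0.15 10.0.0.22 80 HTTP OPTIONS /admin$
1508835604 10.0.0.15 10.0.0.23 445 SMB connect
1508835605 10.0.0.15 10.0.0.24 445 SMB connect
1508835606 10.0.0.15 10.0.0.25 445 SMB connect
1508835607 10.0.0.15 10.0.0.26 445 SMB connect
1508835610 10.0.0.40 10.0.0.5 445 SMB connect
1508835611 10.0.0.40 10.0.0.5 80 HTTP GET /index.html
1508835900 10.0.0.41 10.0.0.5 445 SMB connect
"""

FANOUT_THRESHOLD = 5   # distinct SMB targets from one source ... (assumed value)
FANOUT_WINDOW = 60     # ... within this many seconds         (assumed value)


def parse(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, dport, proto, detail = line.split(" ", 5)
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "detail": detail}


def webdav_admin_share_probes(records):
    """(src, dst) pairs where a host sent HTTP OPTIONS for /admin$ on port 80.

    This is the WebDAV fallback Windows performs after failing to reach the
    ADMIN$ share over SMB; a workstation doing it to its peers is suspect.
    """
    return [(r["src"], r["dst"]) for r in records
            if r["dport"] == 80 and r["proto"] == "HTTP"
            and r["detail"].upper().startswith("OPTIONS /ADMIN$")]


def smb_fanout(records, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Map source IP -> peak number of distinct hosts it opened SMB (445)
    connections to inside any `window`-second span, for sources at or above
    `threshold`. A worm spraying credentials across a subnet shows up here."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == 445:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # slide the window start forward until it spans <= `window` seconds
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged


def analyse(log_text=SAMPLE_LOG):
    """Run both checks over a block of log text and return the findings."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {"webdav_probes": webdav_admin_share_probes(records),
            "smb_fanout": smb_fanout(records)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind, hits)
```

On the constructed sample the fan-out check flags only 10.0.0.15 (six SMB targets in seven seconds) and the WebDAV check returns its two /admin$ probes; the single-destination hosts are not reported. In a real environment, backup servers, vulnerability scanners and patch-management hosts legitimately fan out over SMB, so they belong on an allowlist, and the threshold and window should be tuned to what your own workstations normally do. The /admin$ OPTIONS check has a much lower false-positive rate and is worth alerting on by itself.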

Payment Demand

Bad Rabbit demands 0.05 BTC in ransom to release the lock placed on encrypted files. At the time of this writing, 1 BTC goes for approximately $5,450, meaning that the initial ransom demand would be roughly $273. The ransom note appears on the infected endpoint’s screen, directing the user to access a dedicated web service.

Once on the attacker’s website, which is hosted on the Tor network to keep the communication anonymized, the victim is warned that he or she only has about 41 hours to pay. The victim is then shown a countdown clock that awaits a “password” — the decryption key to unlock his or her files. At the time of this notice, it has not been confirmed that the attackers can indeed decrypt the files.

An Ongoing Situation

The Bad Rabbit situation is still developing as security vendors release more information and affected organizations investigate and contain the attacks. If you're an IBM customer, please browse to X-Force Exchange for a dedicated page on responding to the Bad Rabbit attacks with IBM Security products. For technical updates directly from IBM Security's X-Force Research, please access our X-Force Exchange collection, where our research and incident response teams will provide information as the situation unfolds.

All organizations are strongly advised to inform employees about the outbreak, explain the flow of infection and remain extremely vigilant about Bad Rabbit in the coming hours and days.

No U.S. companies have reported Bad Rabbit infections as of the time of this release, although one antivirus vendor indicated that its telemetry is showing some infections in the U.S. Given this, U.S. organizations that see any sign of infection should report it to the FBI's Internet Crime Complaint Center (IC3) as soon as it is discovered.

Outside the U.S., organizations are encouraged to inform their national Computer Emergency Response Team (CERT) and e-crime police about any infections linked with the Bad Rabbit campaign.

If you believe your company has been impacted and you need assistance, please call your IBM X-Force 24×7 Incident Response Hotline:

IRIS EMEA 24×7 Hotline

UAE: (+971) 800 044 424 17
Denmark: (+45) 4331 4987
Finland: (+358) 9725 22099
Latvia: (+371) 6616 3849
Norway: (+47) 2302 4798
Saudi Arabia: (+966) 800 844 3872
Saudi Arabia: (+966) 800 850 0399
Sweden: (+46) 8502 52313
UK: (+44) 20 3684 4872

IRIS North America 24×7 Hotline

USA: (+1) 888 241 9812

Don’t Pay Ransomware Attackers

According to an IBM survey, 70 percent of businesses previously hit by ransomware indicated that they had paid the ransom to recover company data. Of that portion, 50 percent paid over $10,000, and 20 percent paid over $40,000. It’s important to note that paying attackers does not guarantee regaining access.

Organizations and individuals affected by Bad Rabbit are advised against paying the attackers. As of the time of this writing, antivirus vendors have released signatures and some decryption options that can help unlock encrypted files.

The attack was most likely designed for disruption rather than financial gain. More advice about containment and IBM product coverage will be made available in the coming hours.

For general advice on keeping your systems safe from ransomware, please review our Ransomware Response Guide.
