Blog post written by Ladislav Zezula, Jakub Kroustek and Martin Hron
Yesterday, a new ransomware strain, BadRabbit, began spreading. This time, cybercriminals used popular Russian news sites to spread the ransomware. Despite recycling some of NotPetya’s code, BadRabbit did not spread as pervasively as WannaCry or NotPetya. It did, however, manage to infect the Ministry of Infrastructure of Ukraine, Odessa’s airport, Kiev’s subway and two Russian media groups.
BadRabbit requests a ransom of 0.05 Bitcoin or roughly $276 USD.
According to Avast Threat Labs data, users in 15 countries have been targeted so far. The most targeted country is Russia, with 71 percent of detections observed, followed by the Ukraine with 14 percent and Bulgaria with eight percent.
While the U.S. and other central and eastern European countries, including Poland and Romania, have also been affected, the number of encounters in these countries was much lower than what we have observed in Russia: at the time of writing, we calculate a detection rate of only one percent or less in each of these regions.
Map of BadRabbit Attacks
How BadRabbit spreads
To infect computers with the BadRabbit strain, cybercriminals compromised popular news sites, such as the Russian Interfax and Fontanka, with the aim of attacking the visitors of these sites broadly via a watering hole attack. Although one goal of ransomware is to collect money, another goal can very well be to disable a company’s operations. Previous ransomware campaigns this year have shown that this can be achieved - some large companies reportedly even had to send their employees home for the day after their systems were infected. The malicious script injected into these compromised websites prompted visitors to download a fake Adobe Flash installer update. Once executed, BadRabbit starts to do its work.
Once BadRabbit infects a computer, it attempts to spread within the connected network to infect more computers. BadRabbit carries a set of default login and password combinations that it uses for lateral movement in the local network. In addition, it uses Mimikatz to extract other combinations used by the infected user; NotPetya used this technique as well. The lateral movement is done via the SMB protocol, but in contrast to WannaCry and NotPetya, no exploits were used this time. Spreading within internal networks relies only on extracted credentials, on a dictionary attack against logins, or on entirely open network shares.
Mimikatz targets a Windows process called LSASS (Local Security Authority Subsystem Service), which stores hashes and passwords used during various authentication sessions, e.g. when accessing a shared folder stored on a different computer. To access the shared folder and/or a different computer, a username and password need to be entered. The credentials are then cached in LSASS so they don't need to be entered again during the active session.
Mimikatz scans LSASS’s memory to find credential pairs and then dumps them out. Cybercriminals can use them to authenticate to remote shares, which is what ransomware like BadRabbit needs in order to encrypt remote shares or to spread to additional machines.
To prevent Mimikatz from doing its job, LSASS can be run in protected mode on Windows 8.1 and higher. Unfortunately, this option is not turned on by default.
Rather than reinventing the wheel, the cybercriminals behind BadRabbit have simply reused parts of NotPetya’s code. All they had to do was fix bugs and adapt the code for new requirements.
BadRabbit encrypts both the disk and the files on the infected computer. Files are encrypted first, using the built-in Windows cryptography (Crypto-API). Simultaneously, a disk encryption tool, DiskCryptor, is installed on the PC and prepared for a system reboot, after which the disk-level encryption takes place. BadRabbit uses the legitimate DiskCryptor software for this task, in a version that is more than three years old.
During the DiskCryptor installation process, the malware creates a new service called “cscc”. If that fails, the existing Windows “cdfs” (CD-ROM file system) service is hijacked instead.
BadRabbit also encrypts files on the system. Each file is encrypted in place, in its original location, which greatly reduces the chance of recovering it without the decryption key. Some ransomware strains instead write the encrypted content to a new file and then delete the original; a deleted file, however, can often still be found somewhere on the computer’s drive and thus be recovered.
BadRabbit encrypts files using AES-128, which is strong enough that it cannot be cracked via brute force, and uses the same encryption key for all files on the infected PC. The encrypted files are marked by an “encrypted” string at the end of their content.
The encryption key is a 33-byte random key, generated using CryptGenRandom, a high-quality random number generator. That key is converted to a 32-character text password, which is then hashed with MD5. The MD5 hash is the key for the AES-128 encryption, i.e., the file encryption key.
The AES-128 key is packed together with the computer’s name, domain name, time zone, and a random salt value. The package is then encrypted with the public RSA key hardcoded in the binary. The outcome is stored in the file X:\readme.txt (where ‘X:’ is any fixed drive on the system) as a “user-ID”, which is also presented on the boot screen.
Unlike NotPetya, which struck in July, BadRabbit generates its encryption keys correctly. This means that files encrypted by BadRabbit are not corrupted, whereas files affected by NotPetya were.
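As an added triage helper, not part of the original post or of Avast's tools, the following Python walks a directory tree and reports files whose content ends with the “encrypted” string described above, reading only each file's tail. The sample tree it builds is constructed for the example, and the trailer alone is a heuristic that an analyst would confirm against the user-ID stored in readme.txt.

```python
import os
import tempfile

MARKER = b"encrypted"  # trailer the post reports at the end of each encrypted file


def has_marker(path, marker=MARKER):
    """True if the file ends with the marker; only the tail is read, so large files are cheap."""
    size = os.path.getsize(path)
    if size < len(marker):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(marker))
        return fh.read(len(marker)) == marker


def scan_tree(root):
    """Return root-relative POSIX paths of files carrying the marker, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if has_marker(path):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the triage
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: two marked files, two untouched, one shorter than the marker."""
    root = tempfile.mkdtemp(prefix="badrabbit_triage_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.docx": bytes(range(256)) * 4 + MARKER,
        "docs/notes.txt": b"plain text, untouched\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x55" * 1000 + MARKER,
        "readme.txt": b"[constructed placeholder for the user-ID note]\n",
        "tiny": b"enc",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root
```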
Trying to outsmart the good guys
In order to circumvent antivirus detection, the ransomware uses complicated command lines to avoid or fool command line parsers, and includes references to Game of Thrones. An example of such a command line is:

C:\Windows\system32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4294681185 && exit"

which actually means:

C:\Windows\dispci.exe -id 4294681185
If the cybercriminals had used the actual command line, then the disk encryption software would have been immediately detected by antivirus software.
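The nested launcher chain above (cmd.exe running schtasks, whose task runs cmd.exe, which runs start) is what a defender's command-line normaliser has to peel back before matching the program that actually runs. The following Python is an added example, not Avast's tooling, that unwraps such chains over constructed process-creation records (the first record reproduces the command line quoted above) and flags commands hidden behind two or more launcher layers.

```python
import re

# Constructed process-creation records for illustration: the first reproduces the
# command line quoted in the post, the second is a benign launch made up for contrast.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal '
    r'/TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4294681185 && exit"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -foreground',
]

# Launcher layers: each hands control to another program without doing work itself.
CMD_WRAPPER = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*?)\s*$', re.I)
SCHTASKS_TR = re.compile(r'^\s*schtasks\b.*?/TR\s+"((?:\\.|[^"\\])*)"', re.I)
START_PREFIX = re.compile(r'^\s*start\s+(?:""\s+)?(.*?)\s*$', re.I)
# Cosmetic layers: they change the text but not which program runs.
TRAIL_EXIT = re.compile(r'\s*&&?\s*exit\s*$', re.I)
QUOTED_HEAD = re.compile(r'^\s*"([^"]+)"(.*)$')


def peel(cmdline):
    """Strip one layer; return (inner_cmdline, stripped_a_launcher_layer)."""
    for pat, unescape in ((CMD_WRAPPER, False), (SCHTASKS_TR, True), (START_PREFIX, False)):
        m = pat.match(cmdline)
        if m:  # the scheduled command reaches schtasks with inner quotes escaped as \" ; restore them
            return (m.group(1).replace('\\"', '"') if unescape else m.group(1)), True
    stripped = TRAIL_EXIT.sub('', cmdline)
    if stripped != cmdline:
        return stripped, False
    m = QUOTED_HEAD.match(cmdline)
    return (m.group(1) + m.group(2), False) if m else (cmdline, False)


def unwrap(cmdline, max_layers=16):
    """Peel until the command line is stable; return (effective_command, launcher_depth)."""
    depth = 0
    for _ in range(max_layers):
        inner, is_launcher = peel(cmdline)
        if inner == cmdline:
            break
        if is_launcher:
            depth += 1
        cmdline = inner
    return cmdline, depth


def suspicious(cmdline, min_depth=2):
    """Flag a command hidden behind min_depth or more launcher layers; return (flagged, effective_command)."""
    effective, depth = unwrap(cmdline)
    return depth >= min_depth, effective
```

Run over the two records, the BadRabbit line unwraps to the dispci.exe command at launcher depth 4 and is flagged, while the benign launch stays at depth 0.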
Both Avast and AVG detect BadRabbit as Win32:Malware-gen, protecting Avast and AVG users from BadRabbit.
How to prevent BadRabbit from infecting
There is a sort of vaccine file that prevents BadRabbit from infecting a computer. If you are running the system as an administrator and a file named "C:\Windows\cscc.dat" exists, the malware will not run. You can create this file by creating a text file, renaming it to cscc.dat and saving it in C:\Windows\.
If your PC is already infected with BadRabbit, we advise against paying the ransom, like with all ransomware. Paying ransom proves to cybercriminals that ransomware is an effective way to earn money and encourages them to continue spreading it.
To protect yourself against ransomware, like BadRabbit:
We are continuing to monitor and analyze the BadRabbit ransomware. As we uncover new information, updates to our users will be published.