BadRabbit

Executive summary

Around 08:00 UTC on October 24, 2017, widespread reports of a new ransomware campaign began circulating on social media. The majority of affected users were in Russian-speaking countries, notably Russia and Ukraine, and included both enterprise and consumer customers.

A campaign was distributing a ransomware, known as “BadRabbit,” through compromised third-party websites that mainly provided news and media. Following successful infection, BadRabbit attempted to use multiple techniques to spread laterally throughout the victim network, encrypting files and then installing a disk encryptor, before modifying the master boot record (MBR) and forcing a reboot. Victims were unable to recover the use of their machines and data until they either paid a ransom or restored their systems from backups.

Antivirus capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) blocked the BadRabbit installer approximately 14 minutes into the campaign, using cloud-based machine learning to classify the new threat as malware. At this time, Microsoft Defender ATP detected the tools and infrastructure used in the attack, as well as the techniques BadRabbit used to establish itself and move throughout the victim network.

NOTE: Mitigation status and recommendation information provided with this entry covers vulnerabilities found on Windows only.

Analysis

BadRabbit Diagram

At 08:17 UTC on October 24, 2017, a computer in St. Petersburg, Russia downloaded a file named install_flash_player.exe from the website hxxp://1dnscontrol.com/index.php. Users were redirected to this URI by malicious JavaScript injected into numerous legitimate third-party websites, and they ran the file manually after being deceived into believing it was a necessary update to Adobe Flash.

Upon execution, install_flash_player.exe requested administrative rights using a standard UAC prompt. When the user granted these rights, it dropped a DLL named infpub.dat to C:\Windows and executed it using rundll32.exe.

infpub.dat is a worm that spread laterally throughout the network using multiple techniques:

  • Brute-forced credentials—drops copies of itself into network shares using brute-forced credentials
  • Credential theft—uses the WDigest hacktool to obtain credentials and then uses them to spread laterally
  • SMB exploits—exploits the CVE-2017-0143 and CVE-2017-0146 vulnerabilities affecting SMB v1 to spread to vulnerable machines
  • WMIC—used to run the BadRabbit payload remotely

As it spread, the worm encrypted user files, such as documents and images, and installed a disk encryptor by dropping a file named dispci.exe to C:\Windows and scheduling its execution using the Task Scheduler. When dispci.exe ran, it modified the computer’s MBR and forced a reboot.
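The execution chain described above (rundll32.exe loading infpub.dat from C:\Windows, dispci.exe scheduled through the Task Scheduler, and WMIC used for remote execution) lends itself to simple hunting rules over process-creation events. The following PowerShell function is an added example and is not part of the original report; the event field names (Time, Host, User, Image, CommandLine) and all sample events are constructed for this example and follow no particular product's schema, and the command lines are illustrative rather than recovered from the actual malware.

```powershell
# Added example (not from the Microsoft report): hunting rules for the BadRabbit
# execution chain, applied to constructed process-creation events.
function Find-BadRabbitChain {
    param([Parameter(Mandatory)][object[]]$Events)

    # Each rule carries the report technique it maps to and a predicate over one event.
    $rules = @(
        @{ Name = 'Rundll32LoadingDatFromWindows'
           Technique = 'infpub.dat dropped to C:\Windows and run via rundll32.exe'
           Test = { param($e) $e.Image -match '\\rundll32\.exe$' -and
                               $e.CommandLine -match 'C:\\Windows\\[^\\\s]+\.dat' } }
        @{ Name = 'ScheduledTaskForDiskEncryptor'
           Technique = 'dispci.exe scheduled with Task Scheduler'
           Test = { param($e) $e.Image -match '\\schtasks\.exe$' -and
                               $e.CommandLine -match '/create' -and
                               $e.CommandLine -match 'C:\\Windows\\dispci\.exe' } }
        @{ Name = 'RemoteWmicProcessCreation'
           Technique = 'WMIC used to run the payload remotely'
           Test = { param($e) $e.Image -match '\\wmic\.exe$' -and
                               $e.CommandLine -match '/node:' -and
                               $e.CommandLine -match 'process\s+call\s+create' } }
    )

    foreach ($e in $Events) {
        foreach ($r in $rules) {
            $test = $r.Test
            if (& $test $e) {
                [pscustomobject]@{
                    Time = $e.Time; Host = $e.Host; User = $e.User
                    Rule = $r.Name; Technique = $r.Technique; CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample events: three matching the chain, two benign controls.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2017-10-24T08:17:20Z'; Host = 'WS01'; User = 'CORP\alice'
                       Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Windows\infpub.dat' }
    [pscustomobject]@{ Time = '2017-10-24T08:17:31Z'; Host = 'WS01'; User = 'CORP\alice'
                       Image = 'C:\Windows\System32\schtasks.exe'
                       CommandLine = 'schtasks /Create /SC ONCE /TN ExampleTask /RU SYSTEM /TR "C:\Windows\dispci.exe"' }
    [pscustomobject]@{ Time = '2017-10-24T08:18:02Z'; Host = 'WS01'; User = 'CORP\alice'
                       Image = 'C:\Windows\System32\wbem\wmic.exe'
                       CommandLine = 'wmic /node:WS02 process call create "rundll32.exe C:\Windows\infpub.dat"' }
    [pscustomobject]@{ Time = '2017-10-24T09:00:00Z'; Host = 'WS03'; User = 'CORP\bob'
                       Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }          # benign control
    [pscustomobject]@{ Time = '2017-10-24T09:05:00Z'; Host = 'WS03'; User = 'CORP\bob'
                       Image = 'C:\Windows\System32\schtasks.exe'
                       CommandLine = 'schtasks /Query /TN ExampleTask' }                    # benign control
)

Find-BadRabbitChain -Events $sampleEvents | Format-Table -AutoSize
```

Run against the sample set, the three chain events are reported with the technique each corresponds to, and the two benign rundll32.exe and schtasks.exe invocations produce nothing. In a real deployment the rules would be fed from the endpoint's process-creation telemetry rather than an inline array, and the first rule in particular should be reviewed against local software that legitimately loads DLLs from C:\Windows with a non-standard extension.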

Following the reboot, users were shown a ransom note instead of the operating system starting up:

BadRabbit ransom note

The ransom note directed users to visit a TOR website, caforssztxqzf2nm.onion, which provided instructions for paying the ransom and retrieving the decryption key.

Impact

The BadRabbit campaign was regionally targeted at visitors of Russian-language news and media websites. As a result, 77% of users who encountered BadRabbit were in Russian-speaking countries, such as Russia, Ukraine, Belarus, or Kazakhstan, or had their computer’s locale set to Russian. Outside of this demographic, the largest groups of victims were in Bulgaria (9%) and Turkey (8%), with the rest scattered globally. The campaign appeared to be tightly scheduled, beginning around 08:00 UTC and ending shortly after 15:00 UTC.

When compared against existing device demographics in affected countries, the distribution of reported infections across customer types did not indicate an intent to target specific customer types or industries.

During the course of an infection, BadRabbit attempts to spread laterally throughout the network, encrypting user files and installing a disk encryptor that modifies the Master Boot Record, rendering the computer unusable until the ransom is paid. As a result, affected organizations can lose access to critical data and systems that must be restored from backups.

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • To address the vulnerabilities exploited by infpub.dat, install the security updates provided with Microsoft Security Bulletin MS17-010, published March 14, 2017.
  • Use Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent SMB communication whenever possible.
  • Enforce strong, randomized local administrator passwords. Use tools like LAPS.
  • Train end users to limit the use of accounts with local or domain admin privileges.
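The mitigations above can be audited and applied per host from an elevated PowerShell session. The script below is an added example, not part of the Microsoft report or any Microsoft tooling; it assumes a placeholder KB number for MS17-010 (the correct KB depends on the OS build and must be substituted), a firewall rule name of its own choosing, and the legacy LAPS client-side extension path used here as a presence check. The WDigest UseLogonCredential setting is not named on the page; it is the documented registry value that stops WDigest from keeping plaintext credentials in LSASS memory, which is the credential-theft step the report describes.

```powershell
# Added example (not from the Microsoft report): report, and with -Apply enforce,
# the per-host BadRabbit mitigations. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply,                   # without -Apply the script only reports findings
    [string]$Ms17010Kb = 'KB4012212'  # ASSUMPTION/placeholder: substitute the MS17-010 KB for this OS build
)

$findings = @()

# 1. MS17-010 (fixes CVE-2017-0143 / CVE-2017-0146): is the update installed?
if (-not (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)) {
    $findings += "MS17-010 update $Ms17010Kb not found; install the security update for this build"
}

# 2. SMBv1, the protocol version the exploits target: report, and disable with -Apply.
$smb1Enabled = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
if ($smb1Enabled) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Apply -and $PSCmdlet.ShouldProcess('SMB server configuration', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 3. Block inbound SMB (TCP 445) with Windows Defender Firewall on hosts that do not
#    serve file shares. The rule name is this example's own.
$ruleName = 'Block inbound SMB (BadRabbit mitigation example)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No inbound TCP/445 block rule present'
    if ($Apply -and $PSCmdlet.ShouldProcess('Windows Defender Firewall', "Add rule '$ruleName'")) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# 4. WDigest: an explicit UseLogonCredential = 0 keeps plaintext credentials out of
#    LSASS memory, blunting the credential-theft step used for lateral movement.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                    -ErrorAction SilentlyContinue).UseLogonCredential
if ($null -eq $useLogonCred -or $useLogonCred -ne 0) {
    $findings += 'WDigest UseLogonCredential is not explicitly set to 0'
    if ($Apply -and $PSCmdlet.ShouldProcess($wdigestKey, 'Set UseLogonCredential = 0')) {
        New-ItemProperty -Path $wdigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# 5. LAPS: presence check for the legacy client-side extension (ASSUMPTION: default install path),
#    as a proxy for whether local administrator passwords are randomized per host.
if (-not (Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll')) {
    $findings += 'LAPS client-side extension not found; local admin passwords may be shared across hosts'
}

if ($findings.Count -eq 0) { 'No findings: all checked mitigations are in place' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run without parameters to get a findings list only; add -Apply to enforce items 2 through 4 (each enforcement step honours -WhatIf through ShouldProcess), and leave item 1 and item 5 to the patch-management and LAPS deployment processes, since neither is something a single script should change.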

Detection details

Windows Defender Antivirus

Windows Defender Antivirus detects threat components as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate BadRabbit activity on your network:

  • Tibbar ransomware detected (BadRabbit)
  • Windows Defender has detected "Tibbar" ransomware (BadRabbit)
  • Suspicious run of PsExec (Behavioral)
  • Behavior suspected as a ransomware attack was observed (Behavioral)
  • Suspicious Remote WMI Execution (Behavioral)
  • Suspicious network traffic detected (Command and control)
  • WDigest detected (WDigest variant)
  • Suspicious access to LSASS service (Behavioral)
  • Pass-the-ticket attack (Behavioral)
  • Suspected credential theft activity (Behavioral)
