Bad Rabbit Ransomware26th of October 2018
Article from Fox-IT
Author: Erik Schamper
A new ransomware outbreak hits Eastern Europe again. On the 24th of October 2017 several (infrastructural) organisations such as the Kiev Metro and Russian media outlets were hit by a cyber attack. It appears to be mostly spreading within Russia, Ukraine, Bulgaria and Turkey for now. Currently there are no signs of infections in the Netherlands. Initial analysis shows many similarities with the NotPetya outbreak in June of 2017. Investigation by Fox-IT's cyber analysts is ongoing, and this is what we know so far:
When the victim manually starts install_flash_player.exe, it creates the file C:\Windows\infpub.dat, which is then started using rundll32. The naming is similar to NotPetya. Back then the file was called perfc.dat.
The overall actions performed by infpub.dat are as follows:
- A copy of DiskCryptor dcrypt.sys driver is installed in C:\Windows\cscc.dat and installed as a Windows service called “Windows Client Side Caching DDriver”. A 32bit and 64bit version are included, and installed according to the system architecture
- The malicious executable dispci.exe is installed in C:\Windows. This executable, in combination with the cscc.dat driver, is responsible for the disk encryption and ransom screen
- A scheduled task called “rhaegal” (appears to be a reference to the Game of Thrones series) is created that launches the dispci.exe when the user logs on to the computer
- Another scheduled task called “drogon” is created to shut down the computer
- Password acquiring happens in a similar manner like NotPetya, with the use of “Mimikatz” (a tool for gathering passwords from Windows systems, for example from memory). Additionally, a list of common used usernames and passwords is also utilised
- The local network is scanned and infected in a similar manner to NotPetya
- Regular file encryption happens in a similar manner to NotPetya
Similarity to the NotPetya outbreak
This variant shares a lot of similarities with NotPetya. The overall program structure is similar, and many of the same actions are performed. The main differences are in the encryption, spreading and payment process.
Differences in spreading
All of the scanning methods are the same as NotPetya. The main difference is in how this variant executes its payload on the target system. NotPetya had 3 methods: PSEXEC, WMIC and using the EternalBlue exploit. This variant appears to have three methods as well, although PSEXEC and EternalBlue are no longer present in this variant. The methods for this variant include WMIC, Remote Service creation and another method involving manually crafted SMB packets. At this time, it appears this latter method attempts to create a service as well, but uses a predefined list of common usernames and passwords for authentication, as well as attempting to use multiple different shares.
Differences in encryption
The individual file encryption routine as it existed in NotPetya is still present. The main difference is that this variant no longer makes use of MBR code to encrypt the MFT. Instead, it now seems to use DiskCryptor to encrypt the disk. The dispci.exe executable is responsible for the encryption process, while cscc.dat is the DiskCryptor driver. The dispci.exe executable is also responsible for writing the custom bootloader to disk, which in turn displays the ransom screen at boot.
Differences in payment
The NotPetya outbreak in June 2017 used a single email address for payment, which was quickly disabled. This variant seems to use a Tor-based payment page, which is more common for ransomware. When the key from the ransom note is submitted on the website, the victim is given a unique Bitcoin address to send their payment to.
Just as with any other ransomware infection, it’s not advisable to pay the ransom. There is no guarantee that the attacker will actually give you the decryption key for your files.
To detect an active infection in the network one of the following IOC’s can be used:
- Payment site: caforssztxqzf2nm.onion
- Inject URL: 18.104.22.168/scholargoogle/
- Distribution URL: 1dnscontrol.com/flash_install.php
- IP of 1dnscontrol.com at the time the attack was active: 22.214.171.124
- The malware also attempts to access the IPC$ share over SMB, which also be useful as an indicator of compromise. Attempts of running rundll32.exe using WMIC, or installing a new service with rundll32.exe as the executable is also a good indicator.
Fox-IT’s network sensors currently detect all used spreading methods, also before the outbreak.
Just like with NotPetya, it’s possible to preemptively stop the spreading of this specific ransomware variant by creating some files in the C:\Windows directory. Specifically the “infpub.dat” and “cscc.dat” file, when created with read-only flags are reportedly sufficient to stop the spreading. Please note that this is no fool-proof method, since just like NotPetya, this variant uses the executable name for spreading. It just so happens that infpub.dat is the hardcoded name given by the install_flash_player.exe dropper.
Want more information? Keep an eye out for updates on Fox-IT's live blog.