{"id":2618,"date":"2024-09-25T19:02:36","date_gmt":"2024-09-25T19:02:36","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2618"},"modified":"2025-07-29T05:37:24","modified_gmt":"2025-07-29T05:37:24","slug":"threat-advisory-badrabbit-ransomware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/threat-advisory-badrabbit-ransomware\/","title":{"rendered":"Threat Advisory: BadRabbit Ransomware"},"content":{"rendered":"
\n
\"Threat<\/figure>\n<\/div>\n\n\n

This year\u2019s relentless ransomware rampage continues to rage on \u2013 this time the culprit has been dubbed \u2018BadRabbit\u2019.

The variant has been spreading through Russia, Ukraine, and other Eastern European countries \u2013 specifically targeting corporate networks. So far, the computer systems for the Kiev Metro, Ukraine\u2019s Odessa International Airport, several Russian media outlets, and others have been affected, with systems encrypted and a 0.5 bitcoin (about $280) ransom being demanded to restore file access.

Bad Rabbit has been initiated through drive-by downloads from a malicious PE file called \u201cinstall_flash_player.exe\u201d. Upon execution, the malicious file drops Mutex files which initiate the infection.

A drive-by download involves injecting Javascript into a website\u2019s HTML body or a .js file. Then, when a victim visits a compromised site, a pop-up appears, saying Flash Player needs to be updated, essentially tricking users into installing the malware themselves.\u00a0

Propagation \u2013 drive-by download:<\/strong>

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0

The reason Bad Rabbit has been spreading like, well, rabbits, is because it uses the same leaked NSA exploit \u2013 EternalBlue \u2013 \u00a0which helped WannaCry and Petya wreak havoc earlier this year.

EternalBlue is relatively easy to protect against. The exploit targets servers with SMB network sharing exposed to the Internet which is a feature that can (and should) be deactivated.

Static File Details:<\/strong>

From the Static File Details we can see the different file type names used in the campaign. The Copyright, Description, and Internal name section are spoofed to hide the malicious nature of the file:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0

Process Diagram:<\/strong>

The root cause process is PID:2984 , which is called from cmd.exe (PID 3608) before process injection for schtasks.exe (PID 3620) kicks in which executes the ransomware:

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0

Encryption File type:<\/strong>

.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.ppt.rtf.xls\u200b

\u200b\u200b\u200b\u200b\u200b\u200bIOC:<\/strong>

http:\\\/\\\/1dnscontrol[.]com\/flash_install[.]php

Policy: C:\\Windows\\infpub.dat \u00a0[Block File creation & execution]

Argumentiru[.]com

Fontanka[.]ru

Adblibri[.]ro

Spbvoditel[.]ru

Grupovo[.]bg

inematurk[.]com

http:\\\/\\\/185[.]149[.]120[.]3\/scholargoogle\/

MD5:\u00a0<\/strong>

fbbdc39af1139aebba4da004475e8839

1d724f95c61f1055f0d02c2154bbccd3

b14d8faf7f0cbcfad051cefe5f39645f\u200b\u200b\u200b\u200b\u200b\u200b\u200b

Recommendations:<\/strong>

Key recommendations to mitigate against BadRabbit include:

\u2022\u00a0\u00a0 \u00a0Disable WMI service (if it\u2019s possible in your environment) to prevent the malware from spreading over your network.

\u2022\u00a0\u00a0 \u00a0Disable SMB network sharing

\u2022\u00a0\u00a0 \u00a0Patch the system from Vulnerability MS17-010.

\u2022\u00a0\u00a0 \u00a0The Perimeter rule can be implemented on the Perimeter device (such as Proxy), to stop the download or communication of unauthorized Flash-player updates. See below:<\/p>\n\n\n\n

Title: Flash Player Update from Suspicious Location<\/strong> description: Detects a flashplayer update from an unofficial location<\/strong> logsource:<\/strong>     category: proxy<\/strong> detection:<\/strong>     selection:<\/strong>         cs-uri-query:<\/strong>             – ‘*\/install_flash_player.exe’<\/strong>             – ‘*\/flash_install.php*’<\/strong>     filter:<\/strong>         cs-uri-query: ‘*.adobe.com\/*’<\/strong>     condition: selection and not filter<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In addition, backing up files regularly ensures you can recover important data in the event you fall victim to any ransomware attack.

 

 <\/p>\n","protected":false},"excerpt":{"rendered":"

This year’s relentless ransomware rampage continues to rage on – this time the culprit has been dubbed ‘BadRabbit’. The variant has been spreading through Russia, Ukraine, and other Eastern European countries – specifically targeting corporate networks. So far, the computer systems for the Kiev Metro, Ukraine’s Odessa International Airport, several Russian media outlets, and others […]<\/p>\n","protected":false},"author":1,"featured_media":2622,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2618","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2618"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2618\/revisions"}],"predecessor-version":[{"id":4296,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2618\/revisions\/4296"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2622"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}