Insights | Integrity360

Bad Rabbit Ransomware Advisory

Written by The Integrity360 Team | 24 October 2017 14:12:00 Z

Last updated: 31/10/2017 11:00

Integrity360 is actively monitoring a new Ransomware threat known as "Bad Rabbit". This ransomware variant is delivered via malicious websites that instructs the user to update Flash. Upon clicking on the update Flash pop up, a malware dropped is downloaded and executed. All files on the system are encrypted and the master boot record replaced. Once the PC boots, a ransom note is displayed similar to what was seen with NotPetya a number of months ago. The malware also includes techniques to spread laterally through the network. The first technique is using a hacking tool known as Mimikatz, which is able to obtain passwords from memory on the infected system. The second, via the EternalBlue exploit (MS17-010) seen in WannaCry. The malware also has a hard coded list of usernames and passwords. 

There has been no evidence of the ransomware being delivered via phishing emails, however given this is always a likely attack vector, users should be cautious when clicking links or opening attachments from unexpected sources. So far the attack vector appears to be via users visiting compromised websites directly.

Integrity360 recommends the following:

  • Block the following URLs (removing square brackets):
    • hxxp://argumentiru[.]com
    • hxxp://www.fontanka[.]ru
    • hxxp://grupovo[.]bg
    • hxxp://www.sinematurk[.]com
    • hxxp://www.aica.co[.]jp
    • hxxp://spbvoditel[.]ru
    • hxxp://argumenti[.]ru
    • hxxp://www.mediaport[.]ua
    • hxxp://blog.fontanka[.]ru
    • hxxp://an-crimea[.]ru
    • hxxp://www.t.ks[.]ua
    • hxxp://most-dnepr[.]info
    • hxxp://osvitaportal.com[.]ua
    • hxxp://www.otbrana[.]com
    • hxxp://calendar.fontanka[.]ru
    • hxxp://www.grupovo[.]bg
    • hxxp://www.pensionhotel[.]cz
    • hxxp://www.online812[.]ru
    • hxxp://www.imer[.]ro
    • hxxp://novayagazeta.spb[.]ru
    • hxxp://i24.com[.]ua
    • hxxp://bg.pensionhotel[.]com
    • hxxp://ankerch-crimea[.]ru
  • Ensure latest signatures are installed as of today for Anti-Virus
  • Send out an email to all users advising to be cautious when opening emails from unexpected sources and not to click any pop-ups related to Flash updates
  • Ensure systems are patched for MS17-010
  • Ensure backups are in place and are secured
  • Monitor logs or SIEM alerts related to the wiping of the Windows event logs
  • Block TOR traffic (this may be under the category "Anonymizers" for proxy solutions)
  • Block Ad Networks category for proxy

Integrity360 will continue to actively monitor this threat and provide updates on this page as new intelligence becomes available.

If you suspect that you have been compromised, please do not hesitate to contact us for support.