
Bad Rabbit: A New Ransomware Attack Hits USA and Europe

A new ransomware sample called Bad Rabbit hit Russia, Turkey, Ukraine, Bulgaria, the USA, Germany, and Japan on October 24, 2017. Of all these countries, Russia and Ukraine were hit the hardest, as the infection started through hacked Russian news websites. Russian media agencies and transportation organizations in Ukraine were among the first ones to get infected.


Bad Rabbit is based on NotPetya (ExPetr) code, but it is heavily reworked. It also contains parts of other ransomware, for example approaches used in HDDCryptor. The authors also signed the code with a fake Symantec certificate. Another feature of this malware is its ability to collect passwords from infected computers and download additional malicious modules.

Bad Rabbit relies on a very old malware approach: tricking users into installing a fake Adobe Flash update. That this approach still works indicates that cybersecurity awareness remains surprisingly low. Without proper security and data protection measures, the risk of falling victim to Bad Rabbit ransomware remains high.

The following are the key facts about Bad Rabbit:

  • It uses pieces of code from Petya/NotPetya

Bad Rabbit looks familiar because it is almost identical to last June’s Petya ransomware outbreak. Besides the cosmetic similarities, Bad Rabbit shares behind-the-scenes elements with Petya too.

An analysis shows that Bad Rabbit shares 67% of its code with NotPetya’s DLL (dynamic link library), which indicates that the two ransomware families are very closely related.

  • Distributed as fake Flash update requiring manual installation by a user

Bad Rabbit spreads by media transfer or by drive-by downloads on hacked websites. Visitors to compromised websites are told that they need to install a Flash update, which of course is not a Flash update but a dropper for the malicious installer.


  • Spreads across local networks in a primitive way

Bad Rabbit comes with a potent trick up its sleeve. It contains an SMB component that allows it to move across an infected network and propagate without user interaction. After infecting a machine, Bad Rabbit attempts to spread over the local network using the Mimikatz tool, which extracts Windows credentials from the Local Security Authority. The bad guys know that “12345” or “password” have been at the top of the password list for years, and they continue to be effective.

  • Uses system driver for encryption

Bad Rabbit’s ability to spread also comes from a built-in list of simple username and password combinations, which it tries in order to force its way across a network. The weak password list consists of the usual suspects, such as simple number combinations.

Technical Details of Bad Rabbit


The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php. The user downloads the flash player.exe file, which requires administrative privileges on the system. If started, the dropper extracts a file-level encryption module, infpub.dat, and a disk-level encryption module, dispci.exe.

Bad Rabbit uses two types of encryption: file level and disk level. It does not imitate chkdsk.exe as NotPetya did to hide the encryption. Bad Rabbit launches file-level encryption (infpub.dat via rundll32) if it finds enough files to encrypt. After starting encryption, it creates scheduled tasks to launch dispci.exe for drive encryption and then forces the system to restart. After the first restart, dispci.exe writes an extended loader to the disk, which later takes full control via the malicious MBR. Finally, the whole disk is encrypted by a driver, the MBR is overwritten, and the PC restarts again to display a ransom message demanding Bitcoin.
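The infection chain above, together with the SMB spreading described under "Spreads across local networks", gives a defender a handful of observable events: a download of flash_install.php, a "flash player.exe" process, rundll32 loading infpub.dat, a scheduled task pointing at dispci.exe, and one host authenticating over SMB to many peers in a short window. The following detection script is an added example, not code from the article or from StoneFly; it runs over constructed log lines in an invented pipe-separated format (timestamp|host|event|detail), and the scheduled task name, user names, host names and thresholds are assumptions.

```python
"""Added detection example (not from the article): flag Bad Rabbit-style
execution-chain indicators and SMB lateral fan-out in constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. The format (ts|host|event|detail) is assumed, as is
# the task name "example_task"; indicators come from the article's description.
SAMPLE_LOGS = """\
2017-10-24T10:01:05|ws01|proxy|GET hxxp://1dnscontrol[.]com/flash_install.php
2017-10-24T10:01:09|ws01|proc|C:\\Users\\bob\\Downloads\\flash player.exe
2017-10-24T10:01:12|ws01|proc|rundll32.exe C:\\Windows\\infpub.dat,#1 15
2017-10-24T10:01:14|ws01|proc|schtasks.exe /Create /TN example_task /TR "C:\\Windows\\dispci.exe -id 123"
2017-10-24T10:01:20|ws01|smb_auth|target=ws02 user=admin
2017-10-24T10:01:21|ws01|smb_auth|target=ws03 user=admin
2017-10-24T10:01:22|ws01|smb_auth|target=fs01 user=admin
2017-10-24T10:01:23|ws01|smb_auth|target=ws04 user=admin
2017-10-24T10:01:24|ws01|smb_auth|target=ws05 user=admin
2017-10-24T10:05:00|ws09|proc|C:\\Windows\\System32\\notepad.exe
2017-10-24T10:06:00|ws09|smb_auth|target=fs01 user=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<event>[^|]+)\|(?P<detail>.*)$")

# Process-creation indicators from the infection chain described in the text.
PROCESS_RULES = [
    ("fake-flash-dropper", re.compile(r"flash player\.exe$", re.I)),
    ("infpub-via-rundll32", re.compile(r"rundll32\.exe\s+.*infpub\.dat", re.I)),
    ("dispci-scheduled-task", re.compile(r"schtasks\.exe\s+/create\s+.*dispci\.exe", re.I)),
]
# Web-proxy indicator: the dropper's download path.
PROXY_RULE = ("fake-flash-download", re.compile(r"/flash_install\.php", re.I))


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def smb_fanout(records, max_targets=3, window=timedelta(minutes=1)):
    """Return hosts that authenticated over SMB to more than max_targets distinct
    peers inside a sliding time window (the worm-like spread the text describes)."""
    by_host = defaultdict(list)
    for r in records:
        if r["event"] == "smb_auth":
            m = re.search(r"target=(\S+)", r["detail"])
            if m:
                by_host[r["host"]].append((r["ts"], m.group(1)))
    flagged = set()
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) > max_targets:
                flagged.add(host)
                break
    return flagged


def scan(log_text, max_targets=3):
    """Map each host to the sorted list of indicator names observed for it."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    alerts = defaultdict(set)
    for r in records:
        if r["event"] == "proxy" and PROXY_RULE[1].search(r["detail"]):
            alerts[r["host"]].add(PROXY_RULE[0])
        elif r["event"] == "proc":
            for name, rx in PROCESS_RULES:
                if rx.search(r["detail"]):
                    alerts[r["host"]].add(name)
    for host in smb_fanout(records, max_targets=max_targets):
        alerts[host].add("smb-fanout")
    return {host: sorted(names) for host, names in alerts.items()}


if __name__ == "__main__":
    for host, names in scan(SAMPLE_LOGS).items():
        print(host, ", ".join(names))
```

Running it flags only ws01, with all four execution-chain indicators plus the SMB fan-out; ws09's single file-server login stays below the threshold. In a real deployment the thresholds would be tuned to the environment, and the scheduled-task and rundll32 rules would be fed from endpoint telemetry such as process-creation events rather than a text log.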

Who is behind the attack?

So far it is still unknown who is distributing Bad Rabbit ransomware, but the similarity to Petya has led researchers to suggest that Bad Rabbit was made by the same crime group. One interesting thing about the attackers is that they appear to be fans of Game of Thrones: the code contains references to Viserion, Drogon and Rhaegal, the dragons featured in the television series. Although that does not help identify the attackers, researchers are working on it.

StoneFly Customers will never pay a penny to recover from Ransomware, will you?

At this point, it is unknown whether it is possible to decrypt files locked by Bad Rabbit without paying the ransom. One of the most reliable ways of securing your data is cloud backup. By the time an organization realizes that there is an attack, most of its systems will already be affected, so keeping a cloud backup can be very useful.

The best protection against a ransomware attack is a strong backup. StoneFly DR365 is a complete data center backup appliance for all physical and virtual servers. StoneFly DR365 users do not need to worry if they are hit by a ransomware attack, as their data is secured in multiple locations and the ransomware does not have access to it. The StoneFly DR365 is the only data center backup appliance that comes with an automated offsite backup connection to Amazon AWS Cloud and Microsoft Azure Cloud.

The StoneFly DR365 uses the Storage Concentrator Virtual Machine (SCVM) to provide server and storage consolidation, data protection and disaster recovery in a single platform.

The user has the freedom to set the data access option to read-only or read/write storage. The StoneFly SCVM provides flexibility in data backup. The snapshots created by the SCVM are block based: each one is a point-in-time backup delta containing only the blocks that have changed since the last snapshot. SCVM snapshots can be set to read-only, which helps protect data against ransomware, as the data cannot be reached or changed by attackers.
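To make the two ideas in that paragraph concrete (a snapshot that stores only changed blocks, and a read-only snapshot that refuses modification), here is a small added illustration. It is not StoneFly's SCVM code and does not describe how the appliance is implemented; the 4-byte block size, the Volume class and its methods are all assumptions made for the example. It shows a baseline snapshot, a small legitimate edit captured as a one-block delta, a simulated ransomware overwrite of the whole live volume, a rejected attempt to alter the read-only snapshot, and a restore from it.

```python
"""Added illustration (not StoneFly's code): changed-block snapshots with
read-only protection, and rollback after a simulated ransomware overwrite."""

BLOCK_SIZE = 4  # assumed toy block size


class Volume:
    def __init__(self, data):
        self.blocks = [bytes(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]
        self.snapshots = []  # each: {"delta": {block_index: bytes}, "read_only": bool}

    def write(self, offset, payload):
        """Overwrite bytes on the live volume (what an encryptor does to files)."""
        for k, byte in enumerate(payload):
            idx, off = divmod(offset + k, BLOCK_SIZE)
            blk = bytearray(self.blocks[idx])
            blk[off] = byte
            self.blocks[idx] = bytes(blk)

    def _view(self, n):
        """Reconstruct every block as it was at snapshot n by replaying deltas 0..n."""
        view = {}
        for snap in self.snapshots[:n + 1]:
            view.update(snap["delta"])
        return [view[i] for i in range(len(self.blocks))]

    def snapshot(self, read_only=True):
        """Record only blocks that differ from the previous snapshot's view.
        The first snapshot is a full baseline; later ones are deltas."""
        prev = self._view(len(self.snapshots) - 1) if self.snapshots else None
        delta = {i: b for i, b in enumerate(self.blocks) if prev is None or prev[i] != b}
        self.snapshots.append({"delta": delta, "read_only": read_only})
        return len(self.snapshots) - 1

    def modify_snapshot(self, n, idx, block):
        """Attempt to alter a stored snapshot block; refused when read-only."""
        if self.snapshots[n]["read_only"]:
            raise PermissionError("snapshot %d is read-only" % n)
        self.snapshots[n]["delta"][idx] = block

    def delta_size(self, n):
        return len(self.snapshots[n]["delta"])

    def restore(self, n):
        """Roll the live volume back to snapshot n and return its contents."""
        self.blocks = self._view(n)
        return b"".join(self.blocks)


def demo():
    vol = Volume(b"hello world, here is some file data!")  # 36 bytes, 9 blocks
    s0 = vol.snapshot()            # baseline: all 9 blocks stored
    vol.write(0, b"XYZ")           # legitimate edit touching block 0 only
    s1 = vol.snapshot()            # delta holds just block 0
    vol.write(0, bytes(36))        # simulated ransomware: whole live volume overwritten
    try:
        vol.modify_snapshot(s1, 0, bytes(4))
        tampered = True
    except PermissionError:
        tampered = False           # read-only snapshot cannot be touched
    recovered = vol.restore(s1)    # roll back to the last good point in time
    return vol.delta_size(s0), vol.delta_size(s1), tampered, recovered


if __name__ == "__main__":
    print(demo())
```

The baseline stores nine blocks, the second snapshot stores one, the write to the read-only snapshot is refused, and the restore returns the pre-attack content with the legitimate edit intact. The security property worth noting is that the snapshot store is only useful if the process doing the encrypting cannot reach it with write access, which is exactly what the read-only setting enforces.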
