What we know so far…
Looks like there's a new kid on the block in ransomware today, and it is creating havoc for a number of organizations in Russia, Ukraine, Germany, and Turkey.
Sources have confirmed that several media sites in Russia, as well as the Kiev Metro and Odessa airport, have been hit with what is being called the Bad Rabbit ransomware.
No confirmed hits in the US as of now.
Information about this malware is still coming in and being investigated. Here's what our research has turned up so far:
- The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom — that’s roughly $280 at the current exchange rate.
- Detection ratio is only 13 of 65 AV engines at the time of writing (Cylance is one of the 13). Keep in mind that a multi-engine scan reports static detection of the sample, not whether a given product would have blocked it from executing.
- The initial infection vector looks like a fake Flash Player installer.
- One sample we looked at on Hybrid Analysis appears to carry a code-signing certificate in Symantec's name. A legitimate Flash update is signed by Adobe, so the signer alone is a red flag; it is also worth checking whether the signature actually validates rather than just being present. This could be part of how it is getting past AV, since malware that is (or appears to be) signed has a better chance of running without a whole lot of user interaction.
- It looks to be using rundll32.exe to load infpub.dat, which appears to be the actual payload.
- It looks to spread over SMB, brute-forcing logins with a hard-coded list of usernames and passwords.
- There are reports that the malware also uses a version of Mimikatz to harvest credentials from memory.
The best part of the whole thing is that the developers were apparently Game of Thrones fans: look for scheduled tasks named Drogon and Rhaegal (dragons in GoT).
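A quick host triage script for the indicators listed above, written as an added example for this post (it is not the post's own code and not anything recovered from the malware): it checks the suspect installer's Authenticode signature and signer, looks for rundll32.exe loading infpub.dat and for the payload file on disk, enumerates the Drogon/Rhaegal scheduled tasks, and counts failed network logons per source IP as a rough signal of the SMB brute force. The suspect installer path is a placeholder, the payload location under %SystemRoot% and the 20-failure threshold are assumptions, and reading the Security log needs an elevated prompt.

```powershell
# Bad Rabbit host triage: added example, not code from the original post.
# Assumptions (not stated in the post, adjust for your environment):
#   * $SuspectInstaller is a placeholder path to the fake Flash installer you collected.
#   * infpub.dat is checked under $env:SystemRoot; if your sample drops it elsewhere, change $PayloadPath.
#   * The SMB check looks at failed network logons in the last $LookbackHours of the Security log.
# Run from an elevated PowerShell prompt. Read-only: nothing is killed or deleted.

param(
    [string]$SuspectInstaller = "$env:TEMP\suspected_flash_installer.exe",  # placeholder path
    [string]$PayloadPath      = "$env:SystemRoot\infpub.dat",               # assumed drop location
    [int]$LookbackHours       = 2
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the "Flash installer" really signed by Adobe, and does the signature even validate?
#    A copied or forged Authenticode blob shows a Status other than Valid (NotSigned, HashMismatch, ...).
if (Test-Path -LiteralPath $SuspectInstaller) {
    $sig    = Get-AuthenticodeSignature -FilePath $SuspectInstaller
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Adobe') {
        $findings.Add("Installer signature suspicious: Status=$($sig.Status) Signer=$signer")
    }
}

# 2. rundll32.exe with infpub.dat on its command line, and the payload file on disk
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object { $_.CommandLine -match 'infpub\.dat' } |
    ForEach-Object {
        $findings.Add("rundll32 running payload: PID $($_.ProcessId) PPID $($_.ParentProcessId) $($_.CommandLine)")
    }

if (Test-Path -LiteralPath $PayloadPath) {
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $PayloadPath).Hash
    $findings.Add("Payload present: $PayloadPath SHA256=$hash")
}

# 3. Persistence: the Game of Thrones scheduled tasks (-match is case-insensitive by default)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^(drogon|rhaegal)$' } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$($_.TaskName)' -> $action")
    }

# 4. SMB credential brute force: bursts of failed network logons (event 4625, logon type 3) per source IP
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$LookbackHours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $type = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        $ip   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        if ($type -eq '3' -and $ip -and $ip -ne '-') { $ip }
    } |
    Group-Object |
    Where-Object { $_.Count -ge 20 } |    # threshold is a tuning assumption, not a published number
    ForEach-Object {
        $findings.Add("$($_.Count) failed network logons from $($_.Name) in the last $LookbackHours h")
    }

if ($findings.Count -eq 0) {
    Write-Host 'No Bad Rabbit indicators from this post found on this host.'
} else {
    Write-Host 'Indicators found:'
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The signature check is the one to pay attention to: Get-AuthenticodeSignature reports whether the chain actually verifies, so a binary that merely carries someone else's certificate name comes back as anything but Valid, which is a stronger test than eyeballing the signer string on a sandbox report. The failed-logon count is only a heuristic; a legitimate scanner or a misconfigured service account can trip it, so treat it as a lead to correlate with the other checks rather than a verdict.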