Trustlook Labs has investigated a ransomware outbreak dubbed “BadRabbit,” which is sweeping public organizations and businesses such as airports, banks and power utilities in Russia, Ukraine, Turkey and Bulgaria.
The malware is masked as an Adobe Flash player installer when a user clicks and downloads the file from a phishing website. The dropper (MD5: fbbdc39af1139aebba4da004475e8839) drops a DLL module into C:\Windows\infpub.dat, which is the main BadRabbit payload, and runs as C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
The malware also drops the files “C:\Windows\dispci.exe” and “C:\Windows\cscc.dat”. The malware creates scheduled tasks to execute the file, and the executable will install a malicious bootloader.
The malware generates a random key by calling “CryptGenRandom”, then encrypts the key with the embedded RSA-2048 pubic key:
The key is then used to encrypt the files on the system with the AES-128 encryption algorithm. The malware encrypts files with the following file extensions:
.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip
The malware skips the files under the following directories:
The ransom message “Readme.txt” is written in the root of drives.
After the scheduled task reboots the system, the following ransom note is shown on the system:
The malware run “wevtutil” and “fsutil” commands to clean event logs:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
The malware also attempts to affect the system on the network. It uses the following embedded username/password to do a brute-force login into the other system over SMB.
Trustlook Labs has identified the following hashes associated with BadRabbit:
The ability to spread via SMB makes the BadRabbit ransomware particularly destructive, as it can infect systems in the network very quickly and easily. It is further proof that ransomware, with its monetary incentives, continues to be the trend of malware developed by criminal hackers. Thankfully, Trustlook’s antivirus engine can effectively detect ransomware attacks and protect our customers.