Bad Rabbit-Ransomware Spreading Like Wildfire

Bad Rabbit Ransomware:

The ransomware, named as Bad Rabbit, is spreading like wildfire and has targeted corporate networks in Russia, Germany, Ukraine, and Turkey mainly. Organizations that have been targeted so far include Kiev Metro payment systems, Interfax and Fontanka (Russian news agencies), Odessa International Airport and the Ukraine’s Ministry of Infrastructure.

Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Our researchers have detected a number of compromised websites, all news or media sites.

According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. 

Our experts have collected enough evidence to link the Bad Rabbit attack with the ExPetr attack, which happened in June of this year. According to their analysis, some of the code used in Bad Rabbit was previously spotted in ExPetr.
Other similarities include the same list of domains used for the drive-by attack (some of those domains were hacked back in June but not used) as well as the same techniques used for spreading the malware throughout corporate networks — both attacks used Windows Management Instrumentation Command-line (WMIC) for that purpose. However, there is a difference: Unlike ExPetr, Bad Rabbit doesn’t use the EternalBlue exploit — or any other exploit.

The malware modifies the Master Boot Record (MBR) of the infected system's hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note. The ransom note that is displayed following the system reboot is below and is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.

Hashes (SHA256)
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)
682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)
579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\Windows\infpub.dat
2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikatz-like x64)
Scheduled Tasks names
Distribution domain:
Distribution Paths:
Intermediary Server:
Referrer Sites:
Hidden service:
To avoid becoming a victim of Bad Rabbit:
Windows users:
Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat.
Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.
Tips for everyone:
Back up your data.
Don’t pay the ransom.


No comments