Bad Rabbit is a ransomware strain that spread through compromised websites, infected systems via a fake Adobe Flash installer, and held encrypted files for a Bitcoin ransom.

What is Bad Rabbit Ransomware:-

  1. In October 2017, Bad Rabbit, a ransomware that is a member of the Petya family, infected more than 200 organisations in Eastern Europe. The majority of the targets were Russian media outlets, although the ransomware’s network propagation technique also affected business networks in Russia, Eastern Europe, and Japan.
  2. Through a drive-by attack, hijacked websites disseminated a phoney Adobe Flash update that, when executed, would encrypt system files using RSA 2048-bit keys and demand 0.05 Bitcoin.

The creators:-

As of right now, no threat group has been identified as responsible for the Bad Rabbit ransomware. Nonetheless, the drive-by attack’s code and domain list are similar enough to NotPetya (also known as ExPetr or Nyetya) for researchers to conclude that the same gang is behind both.

Although NotPetya has ties to Sandworm Team and BlackEnergy, both of which are Russian, Bad Rabbit exclusively targets Russia, making attribution more difficult. According to certain scholars and analysts, Bad Rabbit was the work of a state-sponsored organisation that targeted media outlets it considered incongruous. But other than the fact that the main watering hole websites are media-related, there isn’t any solid proof to back up that claim.

Which kind of systems are vulnerable to Bad Rabbit?

Bad Rabbit only affects unpatched Windows 7 and later versions. According to early reports, the ransomware did not employ any exploits created by the NSA. However, subsequent investigation by Cisco’s Talos intelligence team revealed that Bad Rabbit did, in fact, circumvent Windows Server Message Block (SMB) file-sharing protection and allow remote code execution on Windows devices by utilising the EternalRomance attack, CVE-2017-0145. That is the same exploit that NotPetya employed in June after the Shadow Brokers exposed it in April.

Time line of Bad Rabbit:-

  1. March 2016 Petya First Spotted
  2. April 2017 Shadow Brokers Leak EternalRomance
  3. June 2017 NotPetya First Spotted
  4. Oct 12th Ukraine’s SBU warns of an imminent attack similar to NotPetya
  5. Oct 24th 2017 BadRabbit First Spotted

How does it spread?

  1. Compromised Russian media websites served as Bad Rabbit’s initial attack vectors. The Bad Rabbit ransomware would start when a user downloaded and manually ran the phoney Adobe Flash Player installers that the attackers posted to these websites.
  2. For 6 hours, the hacked websites redirected visitors to 1dnscontrol[.]com. Once redirected, a POST request was issued to 185.149.120[.]3, which provided the attackers with the user agent and other identifying data. The dropper was then downloaded from two sources: 1dnscontrol[.]com/index.php and /flash_install.php.
  3. When a user executes the malicious Adobe Flash Player executable, Bad Rabbit searches for SMB shares, which it then brute-forces using a hard-coded list of common passwords. The Mimikatz post-exploitation tool is also used to harvest usernames and passwords, allowing access to even more SMB shares.
  4. Bad Rabbit would then attempt to use the Windows Management Instrumentation Command-line (WMIC) to execute code on networked Windows systems.
  5. Finally, it employs an EternalRomance implementation, quite similar to a publicly available Python implementation, to read and write arbitrary data in kernel memory, overwriting session security. Bad Rabbit would then use that access to perform full disk encryption with DiskCryptor, an open-source encryption tool.
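The infection chain above leaves traces a defender can look for: proxy traffic to the watering-hole indicators named in the post, bursts of failed logons from one host spraying a password list against SMB shares, and WMIC being invoked against remote nodes. The following script is an added example written for this page (it is not code from the post or from any vendor) and runs three such checks over constructed sample logs. The proxy log format, the simplified event records, the thresholds (5 failures over 4 distinct targets inside 60 seconds) and the sample hostnames and addresses other than the post's own indicators are assumptions; Windows event IDs 4625 (failed logon) and 4688 (process creation) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '1dnscontrol[.]com' back into a matchable string."""
    return ioc.replace("[.]", ".")


# Indicators taken from the post above, stored defanged and refanged for matching.
WATERING_HOLE_HOSTS = {refang(i) for i in ("1dnscontrol[.]com", "185.149.120[.]3")}
DROPPER_PATH = "/flash_install.php"

# Constructed proxy log lines (assumed format: timestamp client method url status).
PROXY_LOG = """\
2017-10-24T10:01:12Z 10.0.0.15 GET http://news.example-media.test/article/42 200
2017-10-24T10:01:14Z 10.0.0.15 POST http://185.149.120.3/ 200
2017-10-24T10:01:15Z 10.0.0.15 GET http://1dnscontrol.com/flash_install.php 200
2017-10-24T10:05:02Z 10.0.0.22 GET http://updates.example.test/ok.html 200
2017-10-24T10:06:00Z 10.0.0.31 GET http://cdn.example.test/flash_install.php 404
"""
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_watering_hole_hits(log_text: str):
    """Return (timestamp, client, url, reason) for every proxy line touching a known indicator."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in WATERING_HOLE_HOSTS:
            hits.append((ts, client, url, f"known host {host}"))
        elif parts.path == DROPPER_PATH:
            hits.append((ts, client, url, f"dropper path {DROPPER_PATH}"))
    return hits


# Constructed Windows Security events, reduced to the fields the rules need.
# The payload path in the WMIC command line is a placeholder, not a real Bad Rabbit artefact.
SECURITY_EVENTS = [
    {"time": "2017-10-24T10:03:00Z", "id": 4625, "src_ip": "10.0.0.15", "host": "FS01", "user": "Administrator"},
    {"time": "2017-10-24T10:03:01Z", "id": 4625, "src_ip": "10.0.0.15", "host": "FS01", "user": "admin"},
    {"time": "2017-10-24T10:03:01Z", "id": 4625, "src_ip": "10.0.0.15", "host": "FS01", "user": "root"},
    {"time": "2017-10-24T10:03:02Z", "id": 4625, "src_ip": "10.0.0.15", "host": "FS02", "user": "Administrator"},
    {"time": "2017-10-24T10:03:03Z", "id": 4625, "src_ip": "10.0.0.15", "host": "FS02", "user": "guest"},
    {"time": "2017-10-24T10:03:04Z", "id": 4625, "src_ip": "10.0.0.15", "host": "WS07", "user": "user"},
    {"time": "2017-10-24T10:30:00Z", "id": 4625, "src_ip": "10.0.0.40", "host": "FS01", "user": "jdoe"},
    {"time": "2017-10-24T10:03:10Z", "id": 4688, "src_ip": None, "host": "WS07", "user": "Administrator",
     "cmdline": 'wmic.exe /node:"FS02" process call create "C:\\PLACEHOLDER\\payload.exe"'},
    {"time": "2017-10-24T10:40:00Z", "id": 4688, "src_ip": None, "host": "WS09", "user": "jdoe",
     "cmdline": "wmic.exe os get caption"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_smb_bruteforce(events, window_s=60, min_failures=5, min_distinct=4):
    """Flag source IPs with >= min_failures failed logons inside window_s seconds that
    spread over >= min_distinct distinct (host, account) pairs: one machine spraying a
    password list across shares, rather than a user mistyping one password."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("src_ip"):
            by_src[e["src_ip"]].append(e)
    flagged = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        times = [parse_ts(e["time"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1  # slide the window forward
            window = evs[start:end + 1]
            targets = {(e["host"], e["user"]) for e in window}
            if len(window) >= min_failures and len(targets) >= min_distinct:
                flagged.append(src)
                break
    return sorted(flagged)


# WMIC launching a process on another node: the pattern behind step 4 above.
WMIC_REMOTE_RE = re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*process\s+call\s+create", re.IGNORECASE)


def detect_remote_wmic(events):
    """Return (host, cmdline) for process-creation events where WMIC targets a remote node."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["id"] == 4688 and WMIC_REMOTE_RE.search(e.get("cmdline", ""))]


if __name__ == "__main__":
    for hit in find_watering_hole_hits(PROXY_LOG):
        print("proxy:", *hit)
    print("spraying sources:", detect_smb_bruteforce(SECURITY_EVENTS))
    print("remote wmic:", detect_remote_wmic(SECURITY_EVENTS))
```

The three checks are deliberately independent so each can be wired to whichever log source an environment actually has; the brute-force rule keys on distinct (host, account) pairs because a single user locking themselves out produces many failures against one target, whereas a hard-coded password list produces failures across many.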
