Bad Rabbit Ransomware

Organizations in Russia, Ukraine and a few hours later also the U.S. are under siege from Bad Rabbit, a new strain of ransomware with similarities to NotPetya.

The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim, though it isn’t clear whether paying the ransom unlocks a computer’s files. You have just 40 hours to pay.

Bad Rabbit shares some of the same code as the Petya virus that caused major disruptions to global corporations in June this year, said Liam O’Murchu, a researcher with the antivirus vendor Symantec Corp.

Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer's memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.

The hardcoded creds are hidden inside the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a worst passwords list. (Note to Self: all user passwords need to be strong, step all employees through a strong password training module ASAP.)

As for Bad Rabbit, the ransomware is a so-called disk coder, like Petya and NotPetya. Bad Rabbit first encrypts files on the user's computer and then replaces the MBR (Master Boot Record).