A strain of ransomware known as “Bad Rabbit” has been getting a lot of media attention today. Most of the victims appear to be Russian news agencies and other organizations in Russia and Ukraine.
First, know that if you’re using CylancePROTECT®, you’re protected from this ransomware attack - the payload will be blocked.
Our Threat Research team is continuing to investigate this malware, and we’ll update this post and publish anything they find that may be of interest to our customers and to the security community.
How Bad Rabbit Works
The initial infection vector is still unknown, however, after execution, the malicious DLL performs several actions including setting up scheduled tasks to run other malicious components. In all, there are five embedded executables in infpub.dat.
Two versions of Mimikatz (x86 and x64) that are used to attempt credential theft which CylancePROTECT memory defense blocks with a LSASS Read violation. Two versions of a signed driver (also x86 and x64) are abused for physical access to boot sector and full disk encryption.
Finally, another module infects the MBR and produces the ransom message. Analysis is still ongoing for both the DLL and MBR infector.
Impact
Absent coverage by an effective anti-malware solution, Bad Rabbit will render a system completely inoperable and may spread to other systems by abusing trust inherent in corporate networks. No network connection is required to perform encryption, and recovery options may be limited.
This leaves three logical possibilities:
- The key (or a key generation algorithm) may be recovered
- There exists only one public-private key pair and decryption must be performed by the threat actors or they risk making the private key publicly available; or
- The attackers never meant for the files to be recovered
We will continue researching this malware and will update this post as needed.
UPDATE 10/25/2017: Read our new technical 'deep dive' on Bad Rabbit ransomware here.