How ransomware bad rabbit spread

Bad Rabbit Malware

Bad Rabbit is a new strain of ransomware that is spreading and infecting computers. After locking down the computers, the cyber criminals behind Bad Rabbit are demanding 0.05 Bitcoin (about $285, or 2,835.58 ZK) from victims.


What you need to know about Bad Rabbit

  • Ransomware attacks are not subtle. You will receive a notification immediately
  • It spreads via a fake Flash update on compromised websites
  • Bad Rabbit can spread laterally across networks
  • The Malware may not be indiscriminate
  • It isn’t clear who is behind it
  • It contains Game of Thrones references in its code (Viserion, Drogon and Rhaegal), suggesting some GOT nerd is behind it


You can protect yourself against becoming infected by it

It's unlikely that Zambia will be hit by Bad Rabbit, but for those who want to be sure they don't fall victim to the attack, Kaspersky Lab says users can block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in order to prevent infection.


Be alert to security trends

Looking at Bitcoin reaching all-time highs and the sophistication cybercriminals are investing in their malware, there is a need to stay alert. Bitcoin, cybercriminals' favourite currency, is now trading at $5,770 USD. That is a whopping 57,266.88 Zambian Kwacha for each computer locked.


According to Kaspersky, who are tracking the ransomware, the most affected computers are located in Russia. The attack seems targeted, with some rumours mentioning that Korea may be involved.


‘Based on our investigation, this is a targeted attack against corporate networks’


How bad rabbit is spread

  • It spreads via a fake Flash update on compromised websites

Breaking news is that Bad Rabbit ransomware is spread through social engineering. The new strain is also reported to be similar to the WannaCry and Petya ransomware that caused havoc earlier this year.

According to KnowBe4, the outbreak appears to have started via files on hacked Russian media websites. They used the popular social engineering trick of pretending to be an Adobe Flash installer.

The servers of the media organisations Interfax and Fontanka were hit hard, and Interfax had to resort to Facebook to deliver its news.


Bad Rabbit hit Interfax Media


Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.


Mimikatz is a great post-exploitation tool written by Benjamin Delpy (gentilkiwi). It extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.

The hardcoded credentials are hidden inside the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a password list.
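The lateral movement described in the two paragraphs above leaves a recognisable trace in Windows security logs: one source host trying a short list of predictable account names against many neighbours over network logons (logon type 3, which is where SMB and WebDAV authentication lands) in a matter of seconds. The following is an added detection example, not code from the original post, from Kaspersky or from KnowBe4. It runs over a constructed sample of simplified 4624/4625 logon records; the event format, the 60-second window, the thresholds and the list of predictable account names are all assumptions a defender would tune to their own environment (the page names only root, guest and administrator).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Account names the page lists as the hardcoded, predictable usernames Bad Rabbit
# tries. Defenders would extend this list with their own environment's defaults.
PREDICTABLE_ACCOUNTS = {"root", "guest", "administrator"}

# Constructed sample telemetry for this example (not real logs). Each line is a
# simplified Windows logon record:
#   <time> <event id: 4624 success / 4625 failure> <source> <target host> <account> <logon type>
# 10.0.0.23 sprays four accounts at three hosts in a few seconds and gets one hit;
# 10.0.0.41 is an ordinary user who mistyped a password once.
SAMPLE_EVENTS = """\
2017-10-24T13:00:01 4625 10.0.0.23 FILESRV01 administrator 3
2017-10-24T13:00:02 4625 10.0.0.23 FILESRV01 guest 3
2017-10-24T13:00:02 4625 10.0.0.23 FILESRV01 root 3
2017-10-24T13:00:03 4625 10.0.0.23 WKS-07 administrator 3
2017-10-24T13:00:03 4625 10.0.0.23 WKS-07 user 3
2017-10-24T13:00:04 4624 10.0.0.23 WKS-07 backup 3
2017-10-24T13:00:05 4625 10.0.0.23 WKS-12 administrator 3
2017-10-24T13:00:06 4625 10.0.0.23 WKS-12 guest 3
2017-10-24T13:05:00 4625 10.0.0.41 FILESRV01 jdoe 3
2017-10-24T13:05:30 4624 10.0.0.41 FILESRV01 jdoe 3
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int    # 4624 = successful logon, 4625 = failed logon
    source: str      # host or address the logon came from
    target: str      # host that processed the logon
    account: str     # account name, lower-cased for matching
    logon_type: int  # 3 = network logon (SMB, WebDAV and similar)


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the simplified record format above into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, src, dst, acct, ltype = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 src, dst, acct.lower(), int(ltype)))
    return sorted(events, key=lambda e: e.time)


def detect_spraying(events: list[LogonEvent],
                    window: timedelta = timedelta(seconds=60),
                    min_accounts: int = 3,
                    min_hosts: int = 2) -> list[dict]:
    """Flag sources that fail network logons with several distinct accounts against
    several distinct hosts inside one window; report any success in the same window,
    since that is the credential the worm would then use to move on."""
    by_source: dict[str, list[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.logon_type == 3:  # only network logons matter for SMB/WebDAV spread
            by_source[e.source].append(e)

    findings = []
    for src, evs in by_source.items():
        for start in range(len(evs)):
            t0 = evs[start].time
            win = [e for e in evs[start:] if e.time - t0 <= window]
            failed = [e for e in win if e.event_id == 4625]
            accounts = {e.account for e in failed}
            hosts = {e.target for e in failed}
            if len(accounts) >= min_accounts and len(hosts) >= min_hosts:
                findings.append({
                    "source": src,
                    "first_seen": t0.isoformat(),
                    "accounts_tried": sorted(accounts),
                    "predictable_accounts": sorted(accounts & PREDICTABLE_ACCOUNTS),
                    "hosts_targeted": sorted(hosts),
                    "successful_logons": sorted(
                        {(e.target, e.account) for e in win if e.event_id == 4624}),
                })
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_spraying(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The successful logon recorded in the finding is the important part of the alert: it is the host and account the worm has just obtained and will use for its next hop, so that host goes to the top of the containment list.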


Improved version of Bad Rabbit

This Bad Rabbit attack is not as bad as the initial Bad Rabbit, because its encrypted files appear to be recoverable. The initial attack left files unrecoverable even after the victim received the restoration key.

This means the bad guys have worked on the file encryption process. It also means you have to buy two keys: the first decrypts the boot loader and the second releases the encrypted files on the local machine.


