Verodin Alert: Bad Rabbit

On Tuesday, October 24, a new wave of ransomware attacks, “Bad Rabbit," emerged into the wild. Bad Rabbit primarily targeted organizations in Russia and Ukraine, but reports of the attacks are now surfacing in many other countries, including the United States. Bad Rabbit ransomware attacks are successfully infiltrating computer systems by posing as an Adobe Flash update. The malicious update locks down the user’s system and demands payment to release stolen data files.

Bad Rabbit is the latest of several international ransomware headlines in 2017. Pictured above is the Bad Rabbit ransom note, which triggers flashbacks of the NotPetya outbreak from a few months back. Similar to the NotPetya ransomware attacks, Bad Rabbit can propagate laterally across target networks through SMB. It appears that Bad Rabbit accomplishes this without using EternalBlue. Organizations need a system in place to continuously validate that their security controls are properly optimized to defend against this type of emerging threat.

The Verodin Security Instrumentation Platform (SIP) empowers customers with the ability to safely challenge and validate their defenses against Bad Rabbit and communicate security effectiveness to executive management. The Verodin Behavior Research Team (BRT) developed and distributed an emergency content update with nine new actions illustrating the Bad Rabbit threat. The Verodin community has access to these updates via their respective portals. See brief descriptions of the Bad Rabbit attack behaviors below which were issued for immediate release earlier this week.

VID: A103-075: Malicious File Transfer – Bad Rabbit Compromised Legitimate Website

This action uses JavaScript code that is injected into legitimate websites. The actors behind Bad Rabbit injected this code into legitimate websites that intended victims are likely to visit.

VID: A103-076: Malicious File Transfer – Bad Rabbit Dropper Download

An action that transfers a fake Flash update to watering-hole victims. It is very important to confirm this executable is blocked by network defenses.

VID: A103-077: Malicious File Transfer – Bad Rabbit Ransomware Component Download, Mimikatz – Variant 1

An action to transfer mimikatz.tmp, a malicious file with mimikatz-like functionality. This TMP file was not directly observed by Verodin BRT, but has been widely reported. It is likely that the file would have a different name if observed during the compromise. Although this file is dropped by Bad Rabbit’s primary payload, this action should be used to validate malware detection of file transfers.

VID: A103-078: Malicious File Transfer – Bad Rabbit Ransomware Component Download, Mimikatz – Variant 2

An action to transfer mimikatz.tmp, a malicious file with mimikatz-like functionality. This TMP file was not directly observed by Verodin BRT, but has been widely reported. It is likely that the file would have a different name if observed during the compromise. Although this file is dropped by Bad Rabbit’s primary payload, this action should be used to validate malware detection of file transfers.

VID: A103-079: Malicious File Transfer – Bad Rabbit Ransomware Component Download, 959F.tmp

An action to transfer 959F.tmp, a malicious file which has mimikatz-like functionality to steal credentials from memory. Although this file is dropped by Bad Rabbit’s primary payload, this action should be used to validate malware detection of file transfers.

VID: A103-080: Malicious File Transfer – Bad Rabbit Component Download, Lock Screen

An action that downloads the screen lock portion of Bad Rabbit. Although this file is dropped by Bad Rabbit’s primary payload, this action should be used to validate malware detection of file transfers.

VID: A103-081: Malicious File Transfer – Bad Rabbit Ransomware Component Download, cscc.dat

An action to transfer cscc.dat, a malicious file which has the functionality to encrypt a target’s files. Although this file is dropped by Bad Rabbit’s primary payload, this action should be used to validate malware detection of file transfers.

VID: A103-086: Host Action – Ransomware, Bad Rabbit Scheduled Task, Shutdown

This action schedules a shutdown of the infected system.

VID: A103-087: Host Action – Ransomware, Bad Rabbit, Clear Event Logs

An action that clears out event logs with command syntax identical to Bad Rabbit’s.

For customers with a Protected Theater license, there will be an additional four actions available in a second content pack found under the content section of the “Protected Theater” page on the Customer Portal (mouse over the Product menu and select “Protected Theater” from the menu drop-down). This content pack consists of the following actions:

VID: A103-082: Host Action – Ransomware, Bad Rabbit Dropper Execution

This action executes a fake Flash update executable used by Bad Rabbit. The executable drops disk encryption, credential stealing, and lateral movement components.

VID: A103-083: Host Action – Ransomware, Bad Rabbit Diskcoder Execution

An action demonstrating the execution of the Bad Rabbit Ransomware Diskcoder component on an infected host.

VID: A103-084: Host Action – Ransomware, Bad Rabbit Mimikatz Execution, 959F.tmp

This action executes a credential-stealing component of Bad Rabbit. It has been reported that this file shares similar functionality to mimikatz.exe.

VID: A103-085: Host Action – Ransomware, Bad Rabbit Scheduled Task, dispci.exe

This action schedules a Bad Rabbit executable to run on startup. This behavior is used as a persistence mechanism during infection.
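The three host behaviors listed above (a scheduled task that launches dispci.exe at startup, a scheduled shutdown, and event-log clearing) can be checked for in process-creation telemetry. The Python below is an added example, not Verodin content; it assumes the behaviors are carried out with the built-in Windows schtasks and wevtutil utilities, and the log lines, host names and task names are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), one per line:
# <host>|<parent_image>|<command_line>
SAMPLE_EVENTS = """\
ws01|explorer.exe|C:\\Windows\\notepad.exe report.txt
ws01|cmd.exe|schtasks /Create /SC ONSTART /TN task_placeholder /TR "C:\\Windows\\dispci.exe" /RU SYSTEM
ws01|cmd.exe|schtasks /Create /SC once /ST 14:35 /TN task_placeholder2 /TR "shutdown.exe /r /f /t 0"
ws01|cmd.exe|wevtutil cl Setup & wevtutil cl System & wevtutil cl Security
ws02|backup.exe|schtasks /Create /SC DAILY /TN NightlyBackup /TR "C:\\tools\\backup.exe"
ws02|mmc.exe|wevtutil qe Security /c:5
"""

RULES = {
    # A103-085: a task registered to run at boot whose action is dispci.exe
    "startup_task_dispci": re.compile(r"schtasks\s+/create.*?/sc\s+onstart.*?dispci\.exe", re.I),
    # A103-086: a task whose action is a forced reboot/shutdown
    "scheduled_shutdown": re.compile(r"schtasks\s+/create.*?/tr\s+\"?shutdown(\.exe)?\s", re.I),
    # A103-087: 'wevtutil cl' clears a log; 'wevtutil qe' only queries it and is benign
    "clear_event_logs": re.compile(r"\bwevtutil(\.exe)?\s+cl\s", re.I),
}


@dataclass
class Alert:
    host: str
    rule: str
    command_line: str


def scan_events(text: str) -> list[Alert]:
    """Run every rule over each event's command line; return one Alert per match."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _parent, cmd = line.split("|", 2)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                alerts.append(Alert(host, name, cmd))
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule}: {a.command_line}")
```

The benign DAILY backup task and the wevtutil query on ws02 produce no alert, which is the false-positive check a rule like this needs before it goes into production.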

Content Availability: In addition to content distributed by the Verodin Behavior Research Team (BRT), Verodin’s open content platform allows customers to develop custom actions, evaluations, and sequences as needed with third-party attack data. Drag and drop a PCAP into the Verodin console and easily weaponize it in under five minutes.

ABOUT VERODIN

Verodin is the first business platform to measure, manage and improve cybersecurity effectiveness.

The Verodin Security Instrumentation Platform (SIP) empowers enterprises to remove assumptions and prove their security effectiveness with quantifiable, evidence-based data. With Verodin SIP, you can observe and adjust real responses to real attacks without ever putting production systems in danger. Verodin customers dramatically increase the ROI of their existing security investments, achieve maximum value from future spending and measurably mature their cyber prevention, detection and response capabilities.
