Bad Rabbit Ransomware

Original Issue Date:- October 25, 2017
Type:- Ransomware
Severity:- Medium

A large-scale ransomware campaign dubbed "Bad Rabbit" is reported to be spreading. Initial information indicates that legitimate websites were compromised (watering hole style attack) and redirected visitors to a fake Adobe Flash Player update that downloaded the malicious Bad Rabbit executable. User action is required for the dropper (SHA-256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) to start the infection; the dropper carries the Bad Rabbit ransomware component. Bad Rabbit encrypts files with AES-128-CBC and protects the file-encryption key with an embedded RSA-2048 public key; it then uses DiskCryptor, an open source full disk encryption tool (dispci.exe and the cscc.dat driver), to encrypt the disk and replace the boot loader, so the system is unusable after the forced reboot. The malware moves laterally over SMB shares using a hardcoded list of credentials together with credentials dumped from the infected host by a bundled Mimikatz build, executes its components on remote hosts via WMI (wmic), and registers scheduled tasks (rhaegal, drogon, viserion_) that launch the disk encryptor and force the reboot.

Indicators of Compromise (IoC):
URLs:

  • 1dnscontrol[.]com/index.php - fake Flash download URI
  • 1dnscontrol[.]com/flash_install.php - fake Flash download URI
  • 185[.]149[.]120[.]3/scholargoogle/ - URI called out to from watering hole sites
  • caforssztxqzf2nm[.]onion - Tor payment site shown in the ransom note
Watering hole sites:
  • Fontanka[.]ru - Referrer to 1dnscontrol[.]com
  • Adblibri[.]ro - Referrer to 1dnscontrol[.]com
  • Spbvoditel[.]ru - Referrer to 1dnscontrol[.]com
  • Grupovo[.]bg - Referrer to 1dnscontrol[.]com
  • sinematurk[.]com - Referrer to 1dnscontrol[.]com
  • argumenti[.]ru - Referrer to 1dnscontrol[.]com
Hashes
  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da - fake Flash installer (dropper)
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 - C:\Windows\dispci.exe (DiskCryptor client executable)
  • 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 - C:\Windows\cscc.dat (32-bit DiskCryptor driver)
  • 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 - associated with DiskCryptor
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 - C:\Windows\infpub.dat (malicious DLL with some similarities to Nyetya)
  • 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 - Mimikatz x86
  • 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c - Mimikatz x64
Scheduled Tasks names
  • viserion_
  • rhaegal
  • drogon
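
The following PowerShell script is an added example (not part of the original advisory) that checks a single Windows host for the indicators listed above: the dropped file paths and their SHA-256 hashes, the three scheduled task names, and the distribution domain in the local DNS client cache. The function name and output format are this example's own choices; the hashes, paths, task names and domain are taken from the IoC list. Run it from an elevated prompt on Windows 8.1/Server 2012 R2 or later (Get-ScheduledTask and Get-DnsClientCache are not available on Windows 7).

```powershell
# Added example: hunt one Windows host for the Bad Rabbit IoCs in this advisory.
# Hashes are compared case-insensitively; a present file whose hash is NOT on the list
# is still reported, because a repacked sample would otherwise slip through.

$KnownHashes = @{
    '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da' = 'fake Flash installer (dropper)'
    '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93' = 'dispci.exe (DiskCryptor client)'
    '682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806' = 'cscc.dat (32-bit DiskCryptor driver)'
    '0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6' = 'DiskCryptor component'
    '579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648' = 'infpub.dat (malicious DLL)'
    '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035' = 'Mimikatz x86'
    '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c' = 'Mimikatz x64'
}
$DropPaths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat', 'C:\Windows\dispci.exe'
$TaskNames = 'viserion_', 'rhaegal', 'drogon'
$Domains   = '1dnscontrol.com'   # the .onion site never hits the OS resolver, so it is not checked here

function Test-BadRabbitHost {
    $findings = @()

    # 1. Dropped components: is the file there, and does its SHA-256 match a known sample?
    foreach ($p in $DropPaths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $label = if ($KnownHashes.ContainsKey($h)) { $KnownHashes[$h] } else { 'present, hash not in IoC list' }
            $findings += [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = "$h : $label" }
        }
    }

    # 2. Scheduled tasks the malware registers to run the disk encryptor and force a reboot.
    foreach ($t in $TaskNames) {
        $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
        if ($task) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Indicator = $t; Detail = $actions }
        }
    }

    # 3. DNS client cache: has this host recently resolved the fake-Flash distribution domain?
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($d in $Domains) {
        $hit = $cache | Where-Object { $_.Entry -like "*$d*" }
        if ($hit) {
            $findings += [pscustomobject]@{ Type = 'DnsCache'; Indicator = $d; Detail = (($hit | ForEach-Object { $_.Data }) -join ', ') }
        }
    }

    return $findings
}

# Usage: list findings, and exit non-zero so a deployment tool can flag the host.
$results = Test-BadRabbitHost
if ($results) { $results | Format-Table -AutoSize; exit 1 } else { 'No Bad Rabbit indicators found.'; exit 0 }
```

The DNS cache check is weak on its own (the cache is short-lived and cleared on reboot); treat proxy and DNS server logs for 1dnscontrol[.]com and 185[.]149[.]120[.]3 as the authoritative source and use this check only for quick triage on a suspect host.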

Mitigation/Countermeasures

  • Block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
  • Secure use of WMI by authorizing WMI users and setting permissions / Disable or limit remote WMI and file sharing.
  • Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind.
  • Block remote execution through PsExec.
  • Enable the anti-ransomware Controlled Folder Access feature added in Windows 10 v1709.
    https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
  • Consider deploying Microsoft LAPS (Local Administrator Password Solution), which ensures that each domain-joined host in an organisation has a unique local Administrator password, preventing ransomware from reusing credentials extracted from one host to spread laterally.
    https://technet.microsoft.com/en-us/mt227395.aspx
  • Limit lateral communication with necessary host-based firewall rules.
  • Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.
  • Check for unusual scheduled tasks
  • Restrict execution of PowerShell and WScript in the enterprise environment. Ensure installation and use of the latest version of PowerShell (v5.0 at the time of writing) with enhanced logging enabled: module logging, script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Establish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records for your domain. Together these detect e-mail spoofing, which is the delivery method by which most ransomware samples reach corporate mailboxes.
  • Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
  • Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls, and consider click-to-play for browser plugins such as Flash so that a fake "update" prompt cannot run plugin content silently.
  • Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
  • Disable Remote Desktop connections where they are not required, and employ least-privileged accounts.
  • Always update software from the relevant vendor sites.
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
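
The following PowerShell script is an added example (not from the advisory) that applies several of the host-level countermeasures above on a single Windows 10 v1709 or Server 2016 host: pre-creating the two dropped file paths with all permissions stripped so the dropper can neither write nor execute them, removing SMBv1 and blocking the SMB/NetBIOS ports at the host firewall, enabling Controlled Folder Access, turning on PowerShell script block logging and transcription, and disabling inbound Remote Desktop. The function name, the transcript directory and the choice of a file-ACL lockout as the way to "block execution" are this example's assumptions; the paths, ports and features come from the list above. Run it elevated, and read the caveat below before running it on a file server.

```powershell
# Added example: apply the host-level Bad Rabbit countermeasures from this advisory.
# Requires an elevated prompt. Each step is independent; comment out what does not fit the host role.

function Invoke-BadRabbitHardening {
    # 1. "Block execution" of the dropped components. The files are created read-only and every
    #    ACE is removed (inheritance off, no explicit grants), so the dropper cannot overwrite or
    #    load them. This is one way to satisfy the advisory's first bullet; AppLocker is another.
    foreach ($f in 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat') {
        if (-not (Test-Path -LiteralPath $f)) { New-Item -Path $f -ItemType File -Force | Out-Null }
        Set-ItemProperty -LiteralPath $f -Name IsReadOnly -Value $true
        icacls.exe $f /inheritance:r | Out-Null
    }

    # 2. SMBv1 off (server side immediately, optional feature removed at next reboot) and the
    #    lateral-movement ports blocked inbound at the host firewall, all profiles.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS session (TCP 139,445)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS name/datagram (UDP 137,138)' `
        -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any | Out-Null

    # 3. Controlled Folder Access (Windows 10 v1709+). Use 'AuditMode' first to baseline
    #    legitimate writers before switching to 'Enabled'.
    Set-MpPreference -EnableControlledFolderAccess Enabled

    # 4. PowerShell 5 script block logging and transcription via the policy registry keys.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $tr  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    New-Item -Path $sbl -Force | Out-Null
    New-Item -Path $tr  -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $tr  -Name EnableTranscripting      -Value 1 -Type DWord
    Set-ItemProperty -Path $tr  -Name EnableInvocationHeader   -Value 1 -Type DWord
    Set-ItemProperty -Path $tr  -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String  # assumed path; point it at a collected share

    # 5. Disable inbound Remote Desktop.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

Invoke-BadRabbitHardening
```

Step 2 blocks inbound TCP 445 on the host itself, which is correct for workstations but will break file sharing on a server that legitimately serves SMB; on such hosts keep the SMBv1 removal and move the port block to the network boundary as the advisory describes. The transcript directory should be a write-only share collected centrally, since transcripts left on a compromised host are easy to delete.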

References