Similar, But Different
Similar to NotPetya, BadRabbit encrypts files using DiskCryptor and demands a ransom in Bitcoin. There are, however, some key differences. Initial reports claimed that BadRabbit leveraged the EternalBlue SMB exploit to traverse networks, as WannaCry and NotPetya did, but my research and that of others have since refuted this. Instead, BadRabbit uses two methods for lateral movement: WMIC and open SMB shares. Also, while NotPetya contained a wiper component, BadRabbit interestingly includes wiper capability as well, but I haven't seen any evidence of its use. Finally, while WannaCry and NotPetya compromised victims through more passive victim behavior, BadRabbit requires the victim to actively execute the malicious file. This may be why BadRabbit is, at least initially, seemingly more contained than WannaCry or NotPetya.

A vaccine for BadRabbit was also identified relatively early in the community's analysis of the malware: if any file is present at C:\windows\cscc.dat, the dropper will fail. The BadRabbit execution flow graphic below summarizes the technical details of the subsequent sections.
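The vaccine described above, as an added PowerShell example (not code from the original post or from any analysis it cites). The post only states that any file at C:\windows\cscc.dat makes the dropper fail; the ACL lock-down below is an extra hardening step assumed here so the placeholder cannot simply be overwritten or deleted. Run it from an elevated prompt.

```powershell
# Added example: place the BadRabbit vaccine file and lock it down.
# The page states that any file at C:\windows\cscc.dat stops the dropper.
# Removing write/delete rights (via icacls) is an assumed hardening step, not
# something the page itself describes.

$vaccinePath = Join-Path $env:SystemRoot 'cscc.dat'

if (-not (Test-Path -LiteralPath $vaccinePath)) {
    # An empty file is sufficient; the page says "any file".
    New-Item -Path $vaccinePath -ItemType File -Force | Out-Null
    Write-Host "Created vaccine file: $vaccinePath"
} else {
    Write-Host "Vaccine file already present: $vaccinePath"
}

# Set the read-only attribute (cheap, but trivially cleared by malware) ...
Set-ItemProperty -LiteralPath $vaccinePath -Name IsReadOnly -Value $true

# ... and, more importantly, strip inherited ACEs and leave only a Read ACE for
# Everyone (S-1-1-0 is used instead of the name so this works on any locale).
& icacls.exe $vaccinePath /inheritance:r /grant:r '*S-1-1-0:(R)' | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls failed with exit code $LASTEXITCODE; ACL was not applied."
}

# Verify: the file exists and no Allow ACE grants any Write right.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$writable = (Get-Acl -LiteralPath $vaccinePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
}

if ((Test-Path -LiteralPath $vaccinePath) -and -not $writable) {
    Write-Host 'Vaccine in place and write-protected.'
} else {
    Write-Warning 'Vaccine file is missing or still writable; review the ACL manually.'
}
```

Because the ACL removes write access for Administrators and SYSTEM as well, deploy this only where the file is genuinely meant to be inert; the owner can always restore permissions with `icacls /reset` if needed.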
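Since the post names WMIC as one of BadRabbit's two lateral-movement methods, a simple detection over process-creation telemetry follows, as an added example that is not part of the original post. The page does not give the exact command line BadRabbit runs; this example assumes the generic pattern of wmic.exe being invoked with the /node: switch against another host, and the event records below are constructed for illustration in the shape of Sysmon Event ID 1 fields.

```powershell
# Added example: flag wmic.exe invocations that target a remote host.
# Assumption (not stated on the page): remote WMIC use shows up as a /node:
# argument pointing at a machine other than the local one.

function Find-RemoteWmicInvocation {
    param([Parameter(Mandatory)][object[]]$Events)

    $localNames = @('localhost', '127.0.0.1', '.', $env:COMPUTERNAME)

    foreach ($e in $Events) {
        $image = [string]$e.Image
        $cmd   = [string]$e.CommandLine

        # Only interested in wmic.exe itself, wherever it was launched from.
        if ($image -notmatch '(?i)\\wmic\.exe$') { continue }

        # Match /node:host or /node:"host"; a comma-separated list is possible,
        # so stop at whitespace, quote or comma.
        if ($cmd -match '(?i)/node:"?(?<target>[^\s",]+)') {
            $target = $Matches.target
            if ($target -in $localNames) { continue }

            [pscustomobject]@{
                Time        = $e.UtcTime
                Host        = $e.Computer
                User        = $e.User
                Target      = $target
                Parent      = $e.ParentImage
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample records (not real telemetry). With live data you would
# instead read Sysmon Event ID 1 via
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}
$sample = @(
    [pscustomobject]@{
        UtcTime     = '2017-10-24 10:01:12'; Computer = 'WS01'; User = 'CORP\alice'
        Image       = 'C:\Windows\System32\wbem\WMIC.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'wmic os get caption'                       # local, benign
    }
    [pscustomobject]@{
        UtcTime     = '2017-10-24 10:03:40'; Computer = 'WS01'; User = 'CORP\alice'
        Image       = 'C:\Windows\System32\wbem\WMIC.exe'
        ParentImage = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'wmic /node:"WS02" /user:"CORP\alice" process get name'   # remote
    }
    [pscustomobject]@{
        UtcTime     = '2017-10-24 10:04:02'; Computer = 'WS01'; User = 'CORP\alice'
        Image       = 'C:\Windows\System32\wbem\WMIC.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'wmic /node:localhost os get caption'       # local, benign
    }
)

# Expect exactly one hit: the WS02 invocation launched from rundll32.exe.
Find-RemoteWmicInvocation -Events $sample | Format-Table -AutoSize
```

In a real deployment the parent process is the most useful enrichment: interactive administrators tend to launch wmic.exe from cmd.exe or powershell.exe, so a remote invocation whose parent is rundll32.exe or a freshly dropped binary deserves a closer look.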