BadRabbit Technical Analysis

On October 12th, Ukraine's SBU security service warned of an imminent attack against government and private institutions similar to the NotPetya attack in June. Two months earlier, the SBU made a similar warning, noting that a second wave of attacks could follow if attackers maintained covert, unauthorized privileged access. These warnings appeared to be borne out yesterday, when a new ransomware variant called BadRabbit struck. Named after the dark web-based site where the attackers demand the ransom, BadRabbit first hit three Russian media outlets, including Interfax, as well as the Kiev metro system and Odessa airport. BadRabbit has since hit hundreds of organizations, largely in Ukraine and Russia, but it has also spread within Europe, including Turkey and Germany, and US-CERT notes discoveries in the United States as well. Research into BadRabbit and its impact is ongoing, but the early analysis has already produced both useful insights and missteps. To help separate the facts from rumors, this post provides a technical deep dive into BadRabbit.


Similar, But Different
Similar to NotPetya, BadRabbit encrypts files using DiskCryptor and demands a ransom in Bitcoin. However, there are some key differences. There were initial reports that BadRabbit leveraged the EternalBlue SMB exploit to move laterally, similar to WannaCry and NotPetya, but my research and that of others have since refuted this. Instead, BadRabbit uses two methods for lateral movement: WMIC and open SMB shares. Also, while NotPetya contained a wiper component, BadRabbit interestingly includes the capability of a wiper, but I haven't seen any evidence of its use. Finally, while WannaCry and NotPetya compromised systems through more passive victim behavior, BadRabbit requires the victim to actively execute the malicious file. This may be why BadRabbit is - at least initially - seemingly more contained than WannaCry or NotPetya. A vaccine for BadRabbit was also identified relatively early in the community's analysis of the malware: placing any file at C:\windows\cscc.dat causes the dropper to fail. The BadRabbit execution flow graphic below summarizes the technical details of the subsequent sections.
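One way to apply the vaccine described above on a Windows host, as an added example that is not part of the original post. The function name `Set-VaccineMarker` and its state labels are hypothetical; the only value taken from the article is the path, and the script assumes an elevated PowerShell session.

```powershell
# Added example: idempotently place the marker file the article describes.
# Must run elevated, since the path sits under the Windows directory.
function Set-VaccineMarker {
    param(
        # Path from the article; a parameter so the logic can be tried elsewhere.
        [string]$Path = 'C:\windows\cscc.dat'
    )

    if (Test-Path -LiteralPath $Path -PathType Container) {
        throw "$Path exists but is a directory; not touching it."
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $item = Get-Item -LiteralPath $Path -Force
        # This script only ever creates a zero-byte file. A non-empty file at
        # this path was written by something else and should be triaged,
        # not overwritten, so that any evidence is preserved.
        if ($item.Length -eq 0) {
            $state = 'AlreadyPresent'
        } else {
            $state = 'PreExistingNonEmpty'
        }
    } else {
        # -ErrorAction Stop turns an access-denied failure into a terminating
        # error instead of a silent miss on a host that is then left unprotected.
        New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
        $item = Get-Item -LiteralPath $Path -Force
        $state = 'Created'
    }

    # Emit one record per host so results can be collected and reviewed.
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Path         = $item.FullName
        State        = $state
        Length       = $item.Length
        LastWriteUtc = $item.LastWriteTimeUtc
    }
}

Set-VaccineMarker
```

Hosts that report `PreExistingNonEmpty` already had a file at that path before the script ran and are worth reviewing before being counted as vaccinated.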