[SingCERT] Advisory on Bad Rabbit Ransomware

Published on Thursday, 26 October 2017 14:30

Background

A new ransomware known as Bad Rabbit was discovered by researchers from Kaspersky Lab and ESET on 24 October 2017. It is reported to have hit corporate networks in Ukraine and Russia, and appears to be spreading to other countries. The ransomware bears some similarities to the NotPetya outbreak that caused extensive damage in June 2017, but also has notable differences.

For example, unlike NotPetya, the initial infection does not exploit a software vulnerability but relies on the traditional click-and-infect method: victims are tricked into downloading a fake Adobe Flash installer when they visit a compromised website. Once inside, the ransomware uses EternalRomance, a remote code execution exploit against the Windows file-sharing (SMB) protocol, to spread within the infected organisation’s network, bypassing security over file-sharing connections and enabling remote code execution on Windows clients and servers.

Known Compromised Websites

The following websites are currently known to be hosting and spreading the Bad Rabbit Ransomware:

Impact

Like any other ransomware, Bad Rabbit encrypts files and prevents the owner from accessing them, so personal, sensitive or proprietary information may be lost. It encrypts commonly used data files, including Word documents and multimedia files (image, video and audio). A ransom note is displayed on infected machines, demanding 0.05 bitcoin (estimated at about USD 285 at the current rate) to unlock the system.

Recommendation

SingCERT recommends taking the following measures to avoid becoming the next victim:

  • Avoid the malicious websites listed above in the "Known Compromised Websites" section.
  • Ensure that your Windows-based systems are fully patched. In particular, security update MS17-010 should be applied.
  • Practise good web browsing habits to stay safe online:

    • Do not click on suspicious links to websites that you do not recognise or that are sent by people you do not know. These websites may contain malicious code that infects a visitor’s computer with ransomware.

    • More importantly, do not download software from unofficial or disreputable sources. Such software—especially pirated software—may have ransomware or other malicious software bundled with it.

    • For more safe browsing practices, visit https://www.csa.gov.sg/gosafeonline/.
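As an added example (not part of the SingCERT advisory), the following PowerShell audit checks the two conditions behind the Background and Recommendation sections above: whether MS17-010 is present in the installed hotfix list and whether the SMBv1 server protocol that EternalRomance targets is still enabled. The KB identifiers are a placeholder parameter: map them to your OS build from the MS17-010 bulletin before use.

```powershell
# Added example, not from the advisory: read-only audit of MS17-010 patch state
# and SMBv1 server status on the local Windows host. Run in an elevated shell.
# $Ms17010Kbs is an assumption: supply the MS17-010 KB(s) for this OS build.
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-OS-BUILD')
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. Is any of the supplied MS17-010 KBs present among installed hotfixes?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched   = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if ($patched) {
    Write-Output ("MS17-010: patched ({0})" -f ($patched -join ', '))
} else {
    Write-Output "MS17-010: NOT FOUND in Get-HotFix output - verify against the bulletin for this build"
}

# 2. Is the SMBv1 server protocol enabled? MS17-010 fixes SMBv1 flaws used by
# EternalRomance; disabling SMBv1 where it is not needed removes the exposure.
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Older systems: the SMB1 DWORD under LanmanServer\Parameters (absent = enabled).
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
}
$smb1State = if ($smb1) { 'ENABLED - disable unless required' } else { 'disabled' }
Write-Output ("SMBv1 server: {0}" -f $smb1State)
```

The script only reads configuration; it changes nothing, so it can be run across a fleet (for example via remoting) to find hosts that still need the patch or the SMBv1 change.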

What to do if your machine is infected:

