Bad Rabbit – A new Petya ransomware variant

A new Petya Ransomware variant hits Russia and Ukraine

Please join our webcast for additional details regarding this attack.

 Thursday, October 26th, 2017 | Americas – 8:30 AM PDT (4:30 PM UK, 5:30 PM CET)


Almost four months after the last major outbreak, we are seeing a new variant of Petya ransomware, dubbed “Bad Rabbit,” impacting multiple businesses, primarily in Russia and Ukraine. There have also been reports of businesses impacted in Germany, Turkey, and other countries. The ransomware payload contains a self-propagation module designed to perform lateral movement across the corporate network after a successful infection, which makes this threat highly virulent. The initial infection vector appears to be two Russian news agency sites: fontanka[.]ru and interfax[.]ru.

Bad Rabbit ransomware analysis

Figure 1 – Infection cycle

We saw one active attack cycle in the Zscaler cloud, in which a user at a large enterprise customer attempted to download the new ransomware payload and it was flagged as malicious by the Zscaler Cloud Sandbox module. The user was redirected from the fontanka[.]ru news site to another compromised site, as shown in Figure 1, which serves the ransomware executable payload. The payload in our case was pretending to be an Adobe Flash Player download, as shown below:

Figure 2 – Executable using fake icon
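The redirect chain above (news site, then a compromised intermediate site that serves the executable) is the pattern a proxy-log detection can key on. The following is an added example, not Zscaler's code: it correlates, per user, hosts first reached from one of the two news sites named on the page and then flags executable downloads from those hosts within a short window. The tab-separated log format, the hostnames ending in `.invalid`, the filenames and the 120-second window are all constructed assumptions for the example; a real proxy log needs its own field mapping.

```python
"""Flag drive-by executable downloads reached through a redirect from a watched news site.

Added example (not from the original post). Log lines, hostnames and filenames below are
constructed for illustration; only fontanka[.]ru and interfax[.]ru come from the page.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Referring sites the page names as the initial infection vector.
WATCHED_REFERERS = {"fontanka.ru", "interfax.ru"}

# Content types a proxy typically records for a PE download (assumption: extend for your proxy).
EXE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msdos-program"}

# How long after reaching the intermediate host an executable fetch is still tied to the hop.
HOP_WINDOW = timedelta(seconds=120)

# Constructed sample log: time, user, referer, requested URL, response content type.
SAMPLE_LOG = """\
2017-10-24T10:02:11Z\tuser1\thttp://fontanka.ru/news/1\thttp://fontanka.ru/static/main.css\ttext/css
2017-10-24T10:02:14Z\tuser1\thttp://fontanka.ru/news/1\thttp://example-redirector.invalid/flash_update.php\ttext/html
2017-10-24T10:02:15Z\tuser1\thttp://example-redirector.invalid/flash_update.php\thttp://example-redirector.invalid/flash_player_update.exe\tapplication/octet-stream
2017-10-24T10:05:40Z\tuser2\thttp://interfax.ru/\thttp://interfax.ru/images/logo.png\timage/png
2017-10-24T10:06:00Z\tuser3\thttp://updates.example-vendor.invalid/\thttp://updates.example-vendor.invalid/setup.exe\tapplication/octet-stream
"""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_executable(url: str, content_type: str) -> bool:
    # Either the proxy labelled it as a binary, or the path itself names an .exe.
    return content_type.lower() in EXE_TYPES or urlparse(url).path.lower().endswith(".exe")


def find_drive_by_downloads(log_text: str, watched=WATCHED_REFERERS, window=HOP_WINDOW):
    """Return (user, url) pairs for executables fetched from a host that the same user
    reached, within `window`, directly from a watched referer.

    A direct exe download with the news site as referer is caught on the same line;
    the two-hop case (news site -> intermediate page -> exe) is caught by remembering
    the intermediate host per user.
    """
    suspect_hosts = {}  # (user, host) -> time that host was first reached from a watched referer
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, referer, url, ctype = line.split("\t")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ref_host, dst_host = _host(referer), _host(url)

        # Hop from a watched news site to some other host: remember it for this user.
        if ref_host in watched and dst_host not in watched:
            suspect_hosts.setdefault((user, dst_host), t)

        # Executable served by a host this user reached via that hop, inside the window.
        if _is_executable(url, ctype):
            reached = suspect_hosts.get((user, dst_host))
            if reached is not None and t - reached <= window:
                hits.append((user, url))
    return hits


if __name__ == "__main__":
    for user, url in find_drive_by_downloads(SAMPLE_LOG):
        print(f"possible drive-by download: user={user} url={url}")
```

The benign cases in the sample (a stylesheet from the news site itself, an installer fetched straight from a vendor host with no news-site hop) do not fire; only the executable reached through the intermediate host does. Tune the window and the content-type set to your proxy, and treat a hit as a trigger to pull the file for sandboxing rather than as a verdict on its own.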

The executable payload is also signed, but with a fake certificate whose subject mimics Symantec, as shown below. Because it is not a legitimate Symantec-issued certificate, the signature does not validate against a trusted root; a signer name shown in file properties should never be taken as evidence that a file is legitimate, only a signature that verifies against a trusted chain (for example, a Valid status from Get-AuthenticodeSignature on Windows) is meaningful:

Figure 3 – Fake Symantec-issued certificate [NOT A LEGITIMATE CERTIFICATE]

Upon successful infection, the system will reboot and the end user will see the dreadful ransom screen:

Figure 4 – Bad Rabbit ransom note

The onion site requests the user’s personal installation key, so the user may determine the ransom amount and receive further instructions:

Figure 5 – Onion site for ransom payment instructions

Zscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers. We will continue to update this blog with additional information as we further analyze the payloads.

Indicators of Compromise

MD5 hashes


b14d8faf7f0cbcfad051cefe5f39645f (dropped file)

Compromised intermediate site


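The hash above is only useful if it is actually checked against endpoints and file shares. The following is an added example, not Zscaler's code: a small sweep that hashes every file under a directory tree in fixed-size chunks and reports matches against an MD5 (and optionally SHA-256) IoC set. The MD5 in `IOC_MD5` is the dropped-file hash listed on this page; the sample files planted by `demo()`, their names and contents are constructed for the self-test and are not real artifacts.

```python
"""Sweep a directory tree for files whose MD5 or SHA-256 matches a known-bad set.

Added example (not from the original post). IOC_MD5 holds the page's dropped-file
hash; everything created by demo() is constructed test data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

IOC_MD5 = {"b14d8faf7f0cbcfad051cefe5f39645f"}  # dropped file, from the page's IoC list
CHUNK = 1 << 20  # 1 MiB reads so large binaries are not loaded into memory at once


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of an in-memory blob (MD5 only as an IoC identifier, not for integrity)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path) -> dict:
    """Stream a file through both digests in one pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def sweep(root, md5_iocs=IOC_MD5, sha256_iocs=frozenset()):
    """Return [(path, algo, digest)] for every file whose hash is in an IoC set.

    Unreadable files (locked by a process, permission denied) are skipped rather
    than aborting the sweep; in production, log them, since a locked file can
    itself be the running payload.
    """
    md5_iocs = {h.lower() for h in md5_iocs}
    sha256_iocs = {h.lower() for h in sha256_iocs}
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                h = hash_file(p)
            except OSError:
                continue
            if h["md5"] in md5_iocs:
                hits.append((str(p), "md5", h["md5"]))
            elif h["sha256"] in sha256_iocs:
                hits.append((str(p), "sha256", h["sha256"]))
    return hits


def demo():
    """Constructed self-test: plant one file whose MD5 is added to the IoC set and one that is not."""
    with tempfile.TemporaryDirectory() as d:
        bad = Path(d) / "flash_update.exe"  # constructed name, not a real artifact
        bad.write_bytes(b"abc")
        (Path(d) / "readme.txt").write_bytes(b"harmless")
        iocs = IOC_MD5 | {hash_bytes(b"abc")["md5"]}
        hits = sweep(d, md5_iocs=iocs)
        return [(Path(p).name, algo, digest) for p, algo, digest in hits]


if __name__ == "__main__":
    for name, algo, digest in demo():
        print(f"IoC match: {name} ({algo}={digest})")
```

Run it against the real IoC set by calling `sweep(r"C:\")` or a mounted share instead of `demo()`; a match on the page's MD5 means the dropped file is present and the host should be isolated before the self-propagation module reaches further hosts.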
Zscaler Coverage

Advanced Threat Signatures

  • Malurl.Gen.XO
  • mal/generic-s.z
  • win32.ransom.diskcoder

Cloud Sandbox report
