Bad Rabbit – A new Petya ransomware variant

A new Petya Ransomware variant hits Russia and Ukraine

Please join our webcast for additional details regarding this attack.

Thursday, October 26th, 2017 | Americas – 8:30 AM PDT (4:30 PM UK, 5:30 PM CET)

Introduction

Almost four months after the last major outbreak, we are seeing a new variant of Petya ransomware dubbed “Bad Rabbit,” impacting multiple businesses, primarily in Russia and Ukraine. There have also been reports of businesses impacted in Germany, Turkey, and other countries. The ransomware payload contains a self-propagation module designed to perform lateral movement across the corporate network upon successful infection, which makes this threat highly virulent. The initial infection vector appears to be two Russian news agency sites: fontanka[.]ru and interfax[.]ru.

Bad Rabbit ransomware analysis

Figure 1 – Infection cycle

We saw one active attack cycle in the Zscaler cloud, in which a user at a large enterprise customer attempted to download the new ransomware payload and it was flagged as malicious by the Zscaler Cloud Sandbox module. The user was redirected from the fontanka[.]ru news site to another compromised site, as shown in Figure 1, which served the ransomware executable payload. In our case the payload was disguised as an Adobe Flash Player download, as shown below:

Figure 2 – Executable using fake icon

The executable payload is also signed using a fake Symantec-issued certificate as shown below:

Figure 3 – Fake Symantec-issued certificate [NOT A LEGITIMATE CERTIFICATE]

Upon successful infection, the system will reboot and the end user will see the dreadful ransom screen:

Figure 4 – Bad Rabbit ransom note

The onion site requests the user’s personal installation key, so that the user can determine the ransom amount and receive further instructions:

Figure 5 – Onion site for ransom payment instructions

Zscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers. We will continue to update this blog with additional information as we further analyze the payloads.

Indicators of Compromise

MD5 hashes

fbbdc39af1139aebba4da004475e8839

b14d8faf7f0cbcfad051cefe5f39645f (dropped file)

Compromised intermediate site

1dnscontrol[.]com

Zscaler Coverage

Advanced Threat Signatures

  • Malurl.Gen.XO
  • mal/generic-s.z
  • win32.ransom.diskcoder

Cloud Sandbox report
