A new Petya Ransomware variant hits Russia and Ukraine
Please join our webcast for additional details regarding this attack.
Thursday, October 26th, 2017 | Americas – 8:30 AM PDT (4:30 PM UK, 5:30 PM CET)
Almost four months after the last major outbreak, we are seeing a new variant of Petya ransomware dubbed “Bad Rabbit,” impacting multiple businesses, primarily in Russia and Ukraine. There have also been reports of businesses impacted in Germany, Turkey, and other countries. The ransomware payload contains a self-propagation module designed to perform lateral movement across the corporate network upon successful infection, which makes this threat highly virulent. The initial infection vector appears to be two Russian news agency sites: fontanka[.]ru and interfax[.]ru.
Bad Rabbit ransomware analysis
Figure 1 – Infection cycle
We saw one active attack cycle in the Zscaler cloud, in which a user at a large enterprise customer attempted to download the new ransomware payload and it was flagged as malicious by the Zscaler Cloud Sandbox module. The user was redirected from the fontanka[.]ru news site to another compromised site, as shown in Figure 1, which serves the ransomware executable payload. In our case the payload posed as an Adobe Flash Player download, as shown below:
Figure 2 – Executable using fake icon
The executable payload is also signed using a fake Symantec-issued certificate as shown below:
Figure 3 – Fake Symantec-issued certificate [NOT A LEGITIMATE CERTIFICATE]
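As an added example, not code from the Zscaler post, the following PowerShell script shows the two checks a defender would run on a suspicious download such as the fake Flash Player installer described above: it compares the file's MD5 against the dropped-file hash listed in the Indicators of Compromise section, then inspects the Authenticode signature and treats a "Symantec" issuer string as meaningless unless the signature status is Valid. The function name Test-SuspiciousDownload, the $KnownBadMd5 variable, and the sample path in the usage call are assumptions of this example.

```powershell
# Added example, not part of the original post. Inspects one downloaded file:
#  1. MD5 compared against the post's published IoC hash.
#  2. Authenticode signature status and signer details, because a certificate
#     whose subject/issuer merely names a well-known vendor proves nothing;
#     only a Status of Valid means it chains to a trusted root on this host.
function Test-SuspiciousDownload {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )

    # Hash taken from the Indicators of Compromise section (dropped file).
    $KnownBadMd5 = @('b14d8faf7f0cbcfad051cefe5f39645f')

    $md5 = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
    $hashMatch = $KnownBadMd5 -contains $md5

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = $null; $issuer = $null; $thumb = $null
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $issuer  = $sig.SignerCertificate.Issuer
        $thumb   = $sig.SignerCertificate.Thumbprint
    }

    # Signed by something claiming to be Symantec, but the chain does not validate:
    # this is exactly the pattern of the fake certificate shown in Figure 3.
    $fakeVendorCert = ($sig.Status -ne 'Valid') -and
                      ($issuer -match 'Symantec' -or $subject -match 'Symantec')

    [pscustomobject]@{
        Path            = $Path
        Md5             = $md5
        KnownBadHash    = $hashMatch
        SignatureStatus = $sig.Status
        SignerSubject   = $subject
        SignerIssuer    = $issuer
        Thumbprint      = $thumb
        FakeVendorCert  = $fakeVendorCert
        Verdict         = if ($hashMatch -or $fakeVendorCert) { 'QUARANTINE' }
                          elseif ($sig.Status -ne 'Valid')   { 'UNSIGNED_OR_INVALID' }
                          else                                { 'SIGNED_VALID' }
    }
}

# Usage (assumed path): run against the suspected installer in a download folder.
Test-SuspiciousDownload -Path "$env:USERPROFILE\Downloads\install_flash_player.exe" |
    Format-List
```

The verdict deliberately separates a hash match (known Bad Rabbit sample) from a signature that merely fails to validate, since an unsigned or NotTrusted installer is suspicious but not by itself proof of this campaign; in a SOC workflow the QUARANTINE verdict is the one that should trigger containment and a lateral-movement hunt, given the self-propagation module described above.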
Upon successful infection, the system will reboot and the end user will see the dreadful ransom screen:
Figure 4 – Bad Rabbit ransom note
The onion site requests the user’s personal installation key, so the user may determine the ransom amount and receive further instructions:
Figure 5 – Onion site for ransom payment instructions
Zscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers. We will continue to update this blog with additional information as we further analyze the payloads.
Indicators of Compromise
b14d8faf7f0cbcfad051cefe5f39645f (dropped file)
Compromised intermediate site
Advanced Threat Signatures
Cloud Sandbox report
For more information, reach out to Sales@Ascensiongt.com; 813-434-1974