BadRabbit Ransomware

reverseengineering
hacking
malware

#1

With the spread of the new version of the Petya/NotPetya ransomware, called BadRabbit, I thought it would be a nice idea to sum up its targets, potential damage & the vaccination that has been found to prevent it from infecting others.

Propagation technique: fake Adobe Flash update.

Potential Damage:
- Encrypts files with selected extensions (using AES + RSA).
- Scans our Local Area Network (LAN) in order to spread to other machines.
- The Master Boot Record is overwritten with the malicious bootloader and kernel, which are meant to deploy the low-level attack after the reboot.

All the details can be found here: https://www.guidemehere.com/say-hi-newer-version-petyanotpetya-ransomware-badrabbit/

Feedback is most welcome.


(oaktree) #3

Hi there @brijesh:

If you’re going to link to another article here, you should sum up the main points here as well, and then prompt a discussion. Check out this post from @ricksanchez.

Thanks,
staff


#4

Alright @oaktree. Will definitely take care next time.


(oaktree) #5

@brijesh, you should edit this post.


#6

Done. Please verify.


(mad scientist and king skid) #7

Already an improvement by 100% imho.
Still a few things to note from my PoV:

  • use bullet points instead of * or -
  • work on your formatting, to appeal to the reader
  • try to make your post interesting even if it is just news (give details, give your own thoughts, provide some questions for further discussion)
  • use appropriate headlines (size + content)
  • don’t rush when creating a topic. Take your time and think about what message you want to deliver
  • etc… (there’s still a lot more, also covered in the “how to structure a post”)

~peace


#8

Will try and adapt the points you mentioned in the next topic.


#9

Also, he needs to use this picture to illustrate a very bad rabbit…


#10

:smile: Way to go buddy. Next time I’m consulting you for the graphics.


(xox) #11

Anyone got a valid sample file? I found only parts, not the actual dropper.


#12

Here is the link to the original dropper sample: https://www.virustotal.com/#/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/details


#13

Second this.
I don’t have a VT Intelligence license to be able to download BadRabbit.


(xox) #14

Me neither, that’s why I asked, I saw this link already.


#15

I think this is the correct place to post this. If not, please let me know where one should post articles related to topics such as this.

MalwareUnicorn recently released her analysis on BadRabbit. I found it very thorough and wanted to share it with you all.

Mitigating BadRabbit

“By placing any file at C:\windows\cscc.dat, the dropper will fail.”

Her Summary

“BadRabbit joins WannaCry and NotPetya among the list of global ransomware attacks in 2017. However, there are many differences between BadRabbit and the other attacks that are missed when simply lumping them all together. BadRabbit does not use the EternalBlue exploit, but demonstrates yet again how these attacks continue to evolve and innovate their evasive techniques. I’ll be keeping an eye on BadRabbit, and future variants, as these attacks evolve. The Appendix below provides additional information, including those GoT and Hackers references that are making headlines. And as always, be wary of pop-up updates, which are an incredibly popular mode of compromise.”
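The vaccine quoted above only says that any file at C:\windows\cscc.dat makes the dropper fail. As an added example (not from this thread or from MalwareUnicorn's analysis), the script below creates that file and additionally locks it down with a Deny ACE so that it cannot simply be overwritten or deleted; the ACL hardening and the check function are my own additions, and the script assumes an elevated PowerShell session on the host being vaccinated.

```powershell
# Added example, not part of the original thread: create the cscc.dat vaccine
# file and lock it so a later write or delete by the dropper fails too.
$VaccinePath = Join-Path $env:SystemRoot 'cscc.dat'

function New-BadRabbitVaccine {
    param([string]$Path = $VaccinePath)

    # An empty file is enough: the dropper fails when the path already exists.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Mark it read-only, drop inherited ACEs, then explicitly deny Write/Delete
    # to Everyone while keeping Read so the file can still be inspected.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited rules
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Write, Delete', 'Deny')
    $read = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Read', 'Allow')
    $acl.AddAccessRule($deny)
    $acl.AddAccessRule($read)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-BadRabbitVaccine {
    # Returns $true only if the file exists AND Everyone is explicitly denied Write.
    param([string]$Path = $VaccinePath)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    return [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.FileSystemRights -band $writeBits) -ne 0)
    })
}

New-BadRabbitVaccine
"cscc.dat vaccine in place: $(Test-BadRabbitVaccine)"
```

Test-BadRabbitVaccine can be run on its own as a compliance check across hosts; because the Deny ACE also blocks administrators, removing the vaccine later means editing the ACL as the file's owner first.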


(Ya...sqrt(zero-knowledge)²) #16

@REal0day, you are right about MalwareUnicorn. I think she is the first one who knew about C:\windows\cscc.dat, and this information gave me a great ready to open other things. :slight_smile:


(Justin Wang) #17

So many similar ones that just keep popping up


(Command-Line Ninja) #18

This topic was automatically closed after 4 days. New replies are no longer allowed.
