Recently, the Bad Rabbit ransomware was detected to be rapidly-spreading across Europe.  Now, it was discovered that the Bad Rabbit infection is using an exploit called EternalRomance which is believed to be one of the leaked NSA tools.

The said ransomware functions like Petya ransomware.  Bad Rabbit is a ‘Win32/Diskcoder.D’ malware, a new but similar variant to Petya.  However, Bad Rabbit does not make use of the EternalBlue exploit of the SMB vulnerability which was used previously by Petya and WannaCry ransomware attacks.

The Win32/Diskcoder.C is a trojan that encrypts files on local drives.  The Trojan, however, does not create any copies of itself.  It starts by creating the files C:\Windows\perfc and C:\Windows\dllhost.dat.  After the installation is complete, the trojan deletes the original executable file.  Win32/Diskcoder.C replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.  The trojan stores the first sector of the original MBR in sector 34 of the new MBR.

Furthermore, the Bad Rabbit also uses “Mimikatz” post-exploitation tool to extract credentials from affected systems.

It is believed that the EternalRomance exploit was obtained from the infamous group Shadow Brokers.

In 2013, a group of hackers known as the Shadow Brokers stole disks full of National Security Agency secrets and have been disclosing these secrets on the internet.  These secrets have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, and exploits that led to the WannaCry ransomware outbreak last May 2017.

Furthermore, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

Initially Bad Rabbit was believed to be infecting using a custom scanning mechanism that relied on the SMB protocol.   However, the new research published today by Cisco Talos and F-Secure exposes the Bad Rabbit ransomware similarly used an altered version of an NSA exploit to speed-up the spreading process.

WannaCry was the first reported ransomware attack that utilized an NSA cyber-weapon, deploying the EternalBlue exploit to spread inside infected networks last May 2017.  After a month later, the NotPetya ransomware also used the EternalBlue and EternalRomance exploits for the same purpose of attacking.

In an update to the previous Bad Rabbit reports, Cisco Talos announced that they have found viable evidence of EternalRomance, an NSA exploit that spreads via SMB.

The available exploits affect older versions of Windows, Windows XP through 7, on the client side and 2003-2008 on Windows Server.

EternalRomance is a remote code execution attack that exploits CVE-2017-0145.  What aggravated the WannaCry and NotPetya attacks was the reason that many network infrastructures had SMBv1 exposed to the internet rather than singular workstations.


Researchers at Kaspersky Lab have already confirmed the link between Bad Rabbit and NotPetya, finding resemblances in the hashing algorithm utilized in the two attacks.  Both also have the capability to steal credentials.  Unlike NotPetya, Bad Rabbit is not a wiper attack, Kaspersky Lab confirmed today. Cisco’s Lee also confirmed does not wipe the data.

Since the Bad Rabbit uses the EternalRomance exploit, the said ransomware can now be considered in line with the most formidable ransomware attacks these year, in par with WannaCry, Petya, and NotPetya.

Many of those attacks, however, were already mitigated in MS17-010, a Microsoft security bulletin included patches for vulnerabilities in the SMBv1 protocol abused by these range of exploits.

The said bulletin can be found here:

While patching still proves to be the most highly advised precautionary measure, there is still no solution yet to decrypt the files infected by the Bad Rabbit.  Affected users are strongly advised not to meet the demands of the attackers.


Manny Cuevas

My name is Manny Cuevas a Security Researcher / Engineer for about 15 years that focuses on Web and Mobile applications and other platforms from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top ranked hacker in the world that bypass all security systems.


Leave a Reply

Your email address will not be published. Required fields are marked *