A new globally threatening ransomware emerged this year. Dubbed Bad Rabbit, it is now spreading rapidly across Europe and has infected almost 200 major organizations in Russia, Ukraine, Turkey and Germany.

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files, unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to obtain a decryption key.

Users may encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware is known to be delivered as an attachment to spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.

Earlier this year, two devastating ransomware families, WannaCry and Petya, shook the cyber-world. Because of these two, numerous firms across the globe were greatly affected, and cyber-security firms once again began increasing their security measures and precautions.

Bad Rabbit functions like the Petya ransomware. It is classified as ‘Win32/Diskcoder.D’, a new but similar variant of Petya. However, Bad Rabbit does not make use of the EternalBlue exploit for the SMB vulnerability that was previously used in the Petya and WannaCry ransomware attacks.

Win32/Diskcoder.C is a trojan that encrypts files on local drives. The trojan does not, however, create any copies of itself. It starts by creating the files C:\Windows\perfc and C:\Windows\dllhost.dat. After the installation is complete, the trojan deletes the original executable file. Win32/Diskcoder.C replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, and stores the first sector of the original MBR in sector 34 of the disk.
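As an added illustration (not code from the original post or from any vendor analysis), the following forensic check reads a raw disk image and looks for the pattern just described: a sector 0 that no longer matches a known-good baseline while sector 34 holds an intact, structurally valid MBR. The image layout, the baseline hash and the sample bytes are constructed assumptions for the demo.

```python
import hashlib

SECTOR = 512
BACKUP_SECTOR = 34  # the text states the original MBR's first sector is parked here


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def looks_like_mbr(sector: bytes) -> bool:
    """Cheap structural check: 0x55AA boot signature and a sane partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    active = 0
    for i in range(4):
        status = sector[446 + 16 * i]          # first byte of each 16-byte entry
        if status not in (0x00, 0x80):         # must be inactive or bootable
            return False
        active += status == 0x80
    return active <= 1                          # at most one bootable partition


def check_image(image: bytes, known_good_sha256: str) -> dict:
    """Report whether sector 0 still matches the baseline MBR and whether
    sector 34 now carries a displaced MBR copy (the Diskcoder pattern)."""
    s0, s34 = read_sector(image, 0), read_sector(image, BACKUP_SECTOR)
    return {
        "mbr_matches_baseline": sha256_hex(s0) == known_good_sha256,
        "sector34_looks_like_mbr": looks_like_mbr(s34),
        "sector34_matches_baseline": sha256_hex(s34) == known_good_sha256,
    }


def build_demo_images():
    """Constructed sample data: a clean image and one showing the displacement."""
    orig = bytearray(SECTOR)                    # constructed 'original' MBR
    orig[0:3] = b"\xeb\x3c\x90"                 # dummy bootstrap jump
    orig[446:462] = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xfe, 0xff, 0xff])
                     + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    orig[510:512] = b"\x55\xaa"
    orig = bytes(orig)
    clean = orig + bytes(SECTOR * 63)           # 64-sector image, nothing in sector 34
    evil = bytearray(b"\x90" * SECTOR)          # foreign bootstrap code in sector 0
    evil[510:512] = b"\x55\xaa"
    tampered = bytearray(bytes(evil) + bytes(SECTOR * 63))
    tampered[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = orig
    return orig, clean, bytes(tampered)
```

On a live system the baseline hash would come from a trusted earlier capture of sector 0; the demo derives it from the constructed original for illustration only.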

Furthermore, Bad Rabbit also uses the Mimikatz post-exploitation tool to extract credentials from affected systems.

Bad Rabbit was distributed to systems via drive-by-download attacks, such as fake Adobe Flash Player installers that trick victims into installing the malware. Upon complete infection, like most ransomware, most files are encrypted and a notice is displayed on the screen asking for a payment of 0.05 bitcoin, roughly 285 USD, to decrypt the locked files.

[Screenshot: the ransom notice displayed on the infected system.]

The ransomware demands that the affected user open the TOR browser to visit the attackers’ website and make the corresponding payment.

[Screenshot: the attackers’ payment page as viewed from TOR.]

Fearsome or not, the new Bad Rabbit ransomware still shares its lineage with globally alarming ransomware families, and even if the attackers do not make much money from ransom payments, Bad Rabbit was still collecting credentials and other data from infected machines, which could be valuable fodder for future attacks.

Accordingly, average computer users are always advised not to click on unrecognized emails and links, and to avoid browsing untrusted websites. Be wary of suspicious or uninvited documents sent over email, and never click on links inside those documents without first verifying the source. Keep a good backup schedule in place that copies your files to an external storage device that is not permanently connected to your PC. Lastly, always keep antivirus software and systems updated to protect against the latest threats.


Manny Cuevas

My name is Manny Cuevas, a Security Researcher / Engineer for about 15 years who focuses on Web and Mobile applications and other platforms, from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top-ranked hacker in the world who bypasses all security systems.
