@roycewilliams
Last active June 17, 2022 11:18
Revisions

  1. roycewilliams revised this gist Oct 27, 2017. 1 changed file with 5 additions and 2 deletions.
    7 changes: 5 additions & 2 deletions badrabbit-info.txt
    Original file line number Diff line number Diff line change
    @@ -234,9 +234,12 @@ Coverage and news
    The Hacker News:
    https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html

    FireEye
    FireEye:
    https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html


    Cylance:
    https://www.cylance.com/en_us/blog/threat-spotlight-bad-rabbit-ransomware.html

    PC Magazine:
    https://www.pcmag.com/news/356977/badrabbit-ransomware-targets-systems-in-russia-ukraine
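    Review bot: two blank lines separate the FireEye entry from the new Cylance entry, while every other Coverage entry is separated by a single blank line; drop one so the list stays uniform. The colon added after "FireEye" brings that label in line with "The Hacker News:" and "PC Magazine:".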

  2. roycewilliams revised this gist Oct 27, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -262,5 +262,8 @@ Coverage and news
    Intezer (code reuse analysis):
    http://www.intezer.com/notpetya-returns-bad-rabbit/

    cert.ro (larger list of sites):
    https://cert.ro/citeste/bad-rabbit-o-noua-campanie-ransomware

    Hackplayers (Spanish - in fact, it looks like they translated an earlier version of my document!)
    http://www.hackplayers.com/2017/10/badrabbit-que-es-lo-que-hay-que-saber-de-momento.html
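    Review bot: the new cert.ro link is plain http while most entries in this section use https; check whether an https version of the page is available. The "Hackplayers (Spanish - ...)" label on the following context line is also still missing the trailing colon that every other source label in this section carries.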
  3. roycewilliams revised this gist Oct 27, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion badrabbit-info.txt
    @@ -6,7 +6,7 @@ Requires user interaction.
    Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
    Not globally self-propagating, but could be inflicted on selected targets on purpose.
    May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
    Confirmed to use ETERNALROMANCE exploit (per Talos)
    Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
    Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
    Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)
    Very cool diagram of infection flow at Endgame by @malwareunicorn:
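    Review bot: the rewritten Talos line now carries two distinct claims (ETERNALROMANCE use, and shared source code and build chain with NotPetya) under a single "(per Talos)"; since the Endgame diagram is linked inline one line later, link the Talos post here too so each claim can be checked at its source rather than hunting for it under Coverage.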
  4. roycewilliams revised this gist Oct 27, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions badrabbit-info.txt
    @@ -6,6 +6,7 @@ Requires user interaction.
    Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
    Not globally self-propagating, but could be inflicted on selected targets on purpose.
    May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
    Confirmed to use ETERNALROMANCE exploit (per Talos)
    Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
    Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)
    Very cool diagram of infection flow at Endgame by @malwareunicorn:
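    Review bot: this adds ETERNALROMANCE as the confirmed exploit to the summary, but the Components section line "May be using EternalBlue (or at least triggers controls that are watching for its use?), Unit 42 sees no sign of this" is not touched in the same revision, so readers comparing the two sections will see a contradiction. Update that line, or note there that ETERNALROMANCE rather than EternalBlue is what has been confirmed.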
  5. roycewilliams revised this gist Oct 27, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions badrabbit-info.txt
    @@ -5,6 +5,7 @@ BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading v
    Requires user interaction.
    Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
    Not globally self-propagating, but could be inflicted on selected targets on purpose.
    May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
    Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
    Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)
    Very cool diagram of infection flow at Endgame by @malwareunicorn:
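    Review bot: "(BACKSWING) (per FireEye)" reads awkwardly with two adjacent parentheticals; "(BACKSWING, per FireEye)" says the same thing. The FireEye BACKSWING write-up is linked under Coverage, so a pointer to it from here would help readers who start at the summary.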
  6. roycewilliams revised this gist Oct 27, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -231,6 +231,9 @@ Coverage and news

    The Hacker News:
    https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html

    FireEye
    https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html

    PC Magazine:
    https://www.pcmag.com/news/356977/badrabbit-ransomware-targets-systems-in-russia-ukraine
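    Review bot: the new "FireEye" label lacks the trailing colon used by "The Hacker News:" and "PC Magazine:" in the same hunk; a later revision adds it, but it is easier to catch when the entry is first added.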
  7. roycewilliams revised this gist Oct 26, 2017. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion badrabbit-info.txt
    @@ -101,7 +101,10 @@ Components and methods:

    13% code reuse of notpeyta
    https://analyze.intezer.com/#/analyses/d41e8a98-a106-4b4f-9b7c-fd9e2c80ca7d


    Good analysis from @bartblaze of similarities between NotPetya and BadRabbit:
    https://bartblaze.blogspot.com/2017/10/comparing-eternalpetya-and-badrabbit.html

    May be a variant of Diskcoder, per ESET

    LIVE SAMPLE (see tweet for password, use at your own risk):
  8. roycewilliams revised this gist Oct 26, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion badrabbit-info.txt
    @@ -250,7 +250,8 @@ Coverage and news
    Qualys:
    https://threatprotect.qualys.com/2017/10/24/bad-rabbit-ransomware/
    https://blog.qualys.com/news/2017/10/24/bad-rabbit-ransomware
    Intezer:

    Intezer (code reuse analysis):
    http://www.intezer.com/notpetya-returns-bad-rabbit/

    Hackplayers (Spanish - in fact, it looks like they translated an earlier version of my document!)
  9. roycewilliams revised this gist Oct 26, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -250,6 +250,8 @@ Coverage and news
    Qualys:
    https://threatprotect.qualys.com/2017/10/24/bad-rabbit-ransomware/
    https://blog.qualys.com/news/2017/10/24/bad-rabbit-ransomware
    Intezer:
    http://www.intezer.com/notpetya-returns-bad-rabbit/

    Hackplayers (Spanish - in fact, it looks like they translated an earlier version of my document!)
    http://www.hackplayers.com/2017/10/badrabbit-que-es-lo-que-hay-que-saber-de-momento.html
  10. roycewilliams revised this gist Oct 26, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -24,6 +24,8 @@ Targets/victims
    Mostly affecting .ru/.ua so far. Media outlets, transportation, gov may have been early targets.
    Watering holes in Germany, Turkey, Bulgaria, Montenegro.
    Avast says also Poland and South Korea?
    Good summray thread of country coverage from @Steve3D and contributors (no US *infections* known)
    https://twitter.com/SteveD3/status/923186304963284992
    Avast says some US have been detected (as @Steve3D notes, detected != infected)
    McAfee says no US detected yet
    https://twitter.com/avast_antivirus/status/922941896439291904
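    Review bot: "summray" in the added line should be "summary". The handle is also written "@Steve3D" while the linked tweet URL is twitter.com/SteveD3; one of the two is wrong, and since the URL is what readers follow, the text form should match it (the same "@Steve3D" spelling appears two lines further down in the Avast note).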
  11. roycewilliams revised this gist Oct 26, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -32,6 +32,8 @@ Targets/victims
    https://twitter.com/Bing_Chris/status/923204408539844609
    Map (indirectly sourced from Avast PR?)
    https://twitter.com/Bing_Chris/status/922932810725326848
    Better source, later in the timeline:
    https://blog.avast.com/its-rabbit-season-badrabbit-ransomware-infects-airports-and-subways

    List of targeted file extensions:
    Image Tweet: https://twitter.com/craiu/status/922877184494260227
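    Review bot: "Better source, later in the timeline:" says nothing about what the source is; label it the way the other entries are labelled. The URL is Avast's own blog post, the same one listed as "Avast:" under Coverage, so something like "Avast blog (first-hand, later in the timeline):" would be clearer.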
  12. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion badrabbit-info.txt
    @@ -189,7 +189,10 @@ Coverage and news

    Kaspersky:
    https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/
    https://securelist.com/bad-rabbit-ransomware/82851/
    https://securelist.com/bad-rabbit-ransomware/82851

    Avast:
    https://blog.avast.com/its-rabbit-season-badrabbit-ransomware-infects-airports-and-subways

    McAfee:
    https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/
  13. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -28,6 +28,8 @@ Targets/victims
    McAfee says no US detected yet
    https://twitter.com/avast_antivirus/status/922941896439291904
    https://twitter.com/SteveD3/status/922964771967848449
    Check Point says some US detections
    https://twitter.com/Bing_Chris/status/923204408539844609
    Map (indirectly sourced from Avast PR?)
    https://twitter.com/Bing_Chris/status/922932810725326848

  14. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion badrabbit-info.txt
    @@ -24,7 +24,8 @@ Targets/victims
    Mostly affecting .ru/.ua so far. Media outlets, transportation, gov may have been early targets.
    Watering holes in Germany, Turkey, Bulgaria, Montenegro.
    Avast says also Poland and South Korea?
    Avast says some US have been detected, but no details yet; McAfee says no US detected yet
    Avast says some US have been detected (as @Steve3D notes, detected != infected)
    McAfee says no US detected yet
    https://twitter.com/avast_antivirus/status/922941896439291904
    https://twitter.com/SteveD3/status/922964771967848449
    Map (indirectly sourced from Avast PR?)
  15. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -231,6 +231,9 @@ Coverage and news
    Malwarebytes (@hasherezade):
    https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/

    RiskIQ:
    https://www.riskiq.com/blog/labs/badrabbit/

    Endgame analysis (@malwareunicorn):
    https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

  16. roycewilliams revised this gist Oct 25, 2017. No changes.
  17. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -70,6 +70,9 @@ Components and methods:

    Apparently clears Windows logs and the filesystem journal, per ESET and Carbon Black
    Uses wevtutil cmdline

    Appears to be McAfee-aware:
    https://twitter.com/ValthekOn/status/923143946796183552

    May incorporate copy-and-pasted Microsoft cert/signing?
    https://twitter.com/gN3mes1s/status/922907460842721281
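    Review bot: "Appears to be McAfee-aware" does not say what the sample does when McAfee is present, and the only support is a tweet link; a one-line summary of what the tweet shows would let the entry stand on its own if the tweet disappears, and would make clear whether this is a product check, an evasion, or something else.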
  18. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -110,6 +110,8 @@ Components and methods:
    Detection:
    Yara rule (from a McAfee lead engineer)
    https://pastebin.com/Y7pJv3tK
    Another Yara, including Mimikatz:
    https://github.com/Neo23x0/signature-base/blob/master/yara/crime_badrabbit.yar

    IOCs (via ESET)
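    Review bot: the first YARA rule is hosted on pastebin and attributed only to "a McAfee lead engineer"; pastebin content can vanish, so record the author's handle or the rule's name alongside the link (the second entry's GitHub path is durable by comparison). "including Mimikatz" would be clearer as "also covers the bundled Mimikatz component", matching the wording in the Components section.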

  19. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -42,6 +42,8 @@ Components and methods:
    May be using EternalBlue (or at least triggers controls that are watching for its use?), Unit 42 sees no sign of this
    Incorporates stripped-down Mimikatz to discover credentials for propagation.
    https://twitter.com/gentilkiwi/status/922945304172875778
    Named "rabbitlib.dll"
    https://twitter.com/cherepanov74/status/923207933332283392
    Overwrites MBR to deliver ransom message.
    Ransom message directs users to Tor-based (.onion) site
    Gives a "please turn off antivirus" user message in some circumstances.
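    Review bot: the added line "Named "rabbitlib.dll"" is ambiguous; placed directly after the Mimikatz lines it reads as the name of the stripped-down Mimikatz component, but it could also be read as the name of the whole payload. Say explicitly which component carries that name, since file names like this end up in the IOC section and in detection rules.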
  20. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -149,6 +149,9 @@ Money trail
    https://blockchain.info/address/1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM
    https://blockchain.info/address/17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z

    Only a few transactions (@ChristiaanBeek):
    https://twitter.com/ChristiaanBeek/status/923264222699585536

    Coverage and news

    ESET (very good tech coverage):
  21. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions badrabbit-info.txt
    @@ -7,6 +7,8 @@ Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey,
    Not globally self-propagating, but could be inflicted on selected targets on purpose.
    Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
    Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)
    Very cool diagram of infection flow at Endgame by @malwareunicorn:
    https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

    Initial infection:

  22. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions badrabbit-info.txt
    @@ -133,6 +133,11 @@ Defense
    Vaccination: https://twitter.com/0xAmit/status/922911491694694401
    ** Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat
    ** remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)

    Carbon Black:
    * Patch for MS17-010
    * Use GPO to disable access to admin shares.
    https://social.technet.microsoft.com/Forums/windows/en-US/251f0f40-ffbf-4441-ba35-3dd1acd7a445/how-can-we-disable-the-automatic-administrative-share-by-group-policy

    Other ideas:
    * Disable WMI where feasible
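    Review bot: "Patch for MS17-010" is listed without saying which propagation method it addresses; the summary says ETERNALROMANCE is confirmed (per Talos) while the Components section still calls EternalBlue uncertain, so a short note here on why the patch applies either way would keep Defense consistent with the rest of the document. The admin-shares GPO item would also benefit from a sentence on its operational side effects, so readers can weigh it before rolling it out.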
  23. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 6 additions and 2 deletions.
    8 changes: 6 additions & 2 deletions badrabbit-info.txt
    @@ -64,7 +64,8 @@ Components and methods:
    Video of action:
    https://twitter.com/GossiTheDog/status/922858264534142976

    Apparently clears Windows logs and the filesystem journal, per ESET
    Apparently clears Windows logs and the filesystem journal, per ESET and Carbon Black
    Uses wevtutil cmdline

    May incorporate copy-and-pasted Microsoft cert/signing?
    https://twitter.com/gN3mes1s/status/922907460842721281
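    Review bot: the log-clearing line now cites "ESET and Carbon Black" but links neither; both have entries under Coverage, so a pointer to the specific write-ups would let readers verify the claim. "Uses wevtutil cmdline" would read better as "via the wevtutil command-line tool".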
    @@ -210,9 +211,12 @@ Coverage and news
    MIT Technology Review:
    https://www.technologyreview.com/the-download/609206/a-new-strain-of-ransomware-is-hitting-eastern-europe/

    Malwarebytes (@hasherezade)
    Malwarebytes (@hasherezade):
    https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/

    Endgame analysis (@malwareunicorn):
    https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

    Qualys:
    https://threatprotect.qualys.com/2017/10/24/bad-rabbit-ransomware/
    https://blog.qualys.com/news/2017/10/24/bad-rabbit-ransomware
  24. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions badrabbit-info.txt
    @@ -10,6 +10,7 @@ Supporting infrastructure shut down a few hours after starting (per Beaumont, Mo

    Initial infection:

    Watering-hole attack, sourced from compromised media/news sites in selected regions.
    Poses as fake Flash update.
    https://twitter.com/jiriatvirlab/status/922835700873158661/photo/1
    https://twitter.com/darienhuss/status/922847966767042561
    @@ -181,6 +182,9 @@ Coverage and news
    Motherboard articles:
    https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine
    https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down

    Symantec:
    https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-hits-russia-and-ukraine

    BleepingComputer article:
    https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
  25. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -94,6 +94,9 @@ Components and methods:
    Still contains link to external debugging symbols file (.pdb) [can this be manipulated?] (@malwareunicorn):
    https://twitter.com/malwareunicorn/status/923009391770533888

    Shut down a few hours after starting:
    https://twitter.com/GossiTheDog/status/923300443962335232

    Pop-culture references contained:
    Game of Thrones dragons (Drogon, Rhaegal)
    Hackers movie (bottom of list of hard-coded passwords)
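    Review bot: "Shut down a few hours after starting:" repeats the summary line "Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)"; this entry adds the primary tweet, so cite it from the summary or cross-reference the two rather than stating the fact twice without a link between them. The "[can this be manipulated?]" question in the preceding context line is still open; either mark it as an open question or resolve it.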
  26. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 4 additions and 2 deletions.
    6 changes: 4 additions & 2 deletions badrabbit-info.txt
    @@ -6,6 +6,7 @@ Requires user interaction.
    Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
    Not globally self-propagating, but could be inflicted on selected targets on purpose.
    Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
    Supporting infrastructure shut down a few hours after starting (per Beaumont, Motherboard)

    Initial infection:

    @@ -174,9 +175,10 @@ Coverage and news
    Carbon Black:
    https://www.carbonblack.com/2017/10/24/threat-advisory-analysis-bad-rabbit-ransomware/

    Motherboard article:
    Motherboard articles:
    https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine

    https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down

    BleepingComputer article:
    https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
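    Review bot: the two Motherboard URLs are separated by a blank line, whereas the Qualys entry lists its two URLs on consecutive lines; remove the blank so the entry reads as one item. The label change to "articles" is right for two links.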

  27. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions badrabbit-info.txt
    @@ -33,6 +33,7 @@ List of targeted file extensions:
    Components and methods:

    Using legit signed DiskCryptor binary to encrypt.
    Encrypts using AES-128-CBC (per Kaspersky article)
    Creates scheduled task to reboot the target system.
    May be using EternalBlue (or at least triggers controls that are watching for its use?), Unit 42 sees no sign of this
    Incorporates stripped-down Mimikatz to discover credentials for propagation.
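    Review bot: "(per Kaspersky article)" does not say which one; Coverage lists both a kaspersky.com blog post and a securelist.com post, so name or link the specific article that states AES-128-CBC.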
  28. roycewilliams revised this gist Oct 25, 2017. No changes.
  29. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions badrabbit-info.txt
    @@ -170,6 +170,9 @@ Coverage and news
    Cisco/Talos:
    http://blog.talosintelligence.com/2017/10/bad-rabbit.html

    Carbon Black:
    https://www.carbonblack.com/2017/10/24/threat-advisory-analysis-bad-rabbit-ransomware/

    Motherboard article:
    https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine

  30. roycewilliams revised this gist Oct 25, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion badrabbit-info.txt
    @@ -78,7 +78,7 @@ Components and methods:
    https://twitter.com/mrjohnkelly73/status/922899328636735488
    https://twitter.com/craiu/status/922911496497238021

    Unlike NetPetya, confirmed to be decrypt-ready:
    Unlike NotPetya, confirmed to be decrypt-ready:
    https://twitter.com/antonivanovm/status/922944062935707648 (Kaspersky)

    13% code reuse of notpeyta
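    Review bot: this fixes "NetPetya", but the trailing context line "13% code reuse of notpeyta" has the same kind of typo ("NotPetya") and could be fixed in the same pass.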