Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[1] |
| Enterprise | T1110.003 | Brute Force: Password Spraying | Bad Rabbit’s |
| Enterprise | T1486 | Data Encrypted for Impact | Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[1] |
| Enterprise | T1189 | Drive-by Compromise | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a |
| Enterprise | T1210 | Exploitation of Remote Services | Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks.[1] |
| Enterprise | T1495 | Firmware Corruption | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Bad Rabbit has masqueraded as a Flash Player installer through the executable file |
| Enterprise | T1106 | Native API | Bad Rabbit has used various Windows API calls.[2] |
| Enterprise | T1135 | Network Share Discovery | Bad Rabbit enumerates open SMB shares on internal victim networks.[2] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[2] |
| Enterprise | T1057 | Process Discovery | Bad Rabbit can enumerate all running processes to compare hashes.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Bad Rabbit’s |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Bad Rabbit has used rundll32 to launch a malicious DLL as |
| Enterprise | T1569.002 | System Services: Service Execution | Bad Rabbit drops a file named |
| Enterprise | T1204.002 | User Execution: Malicious File | Bad Rabbit has been executed through user installation of an executable disguised as a Flash installer.[2][1] |
| ICS | T0817 | Drive-by Compromise | Bad Rabbit ransomware spreads through drive-by attacks in which insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure.[4] |
| ICS | T0866 | Exploitation of Remote Services | Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.[5] |
| ICS | T0867 | Lateral Tool Transfer | Bad Rabbit can move laterally through industrial networks by means of the SMB service.[5] |
| ICS | T0828 | Loss of Productivity and Revenue | Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports.[6] |
| ICS | T0863 | User Execution | Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened, it starts locking the infected computer.[4] |
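The Network Share Discovery, Exploitation of Remote Services and Lateral Tool Transfer rows above all describe the same observable: one infected host reaching many internal peers over SMB (TCP/445) in a short time. The script below is an added example, not part of the ATT&CK page or of any vendor tooling, showing how that fan-out can be flagged from connection records. The flow log lines are constructed for the example; the field layout (`timestamp src dst dport`), the threshold of 5 distinct peers and the 60-second window are assumptions to tune against your own baseline.

```python
"""Flag hosts that open SMB (TCP/445) connections to many distinct internal
peers within a short sliding window: the fan-out pattern produced by
self-propagating ransomware such as Bad Rabbit when it enumerates shares and
spreads over SMB. Added example; not code from the ATT&CK page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real telemetry): "timestamp src dst dport".
# 10.1.1.50 sweeps eight peers in seconds (worm-like), 10.1.1.20 is normal
# file-server use, 10.1.1.60 touches six peers but spread over ten minutes.
SAMPLE_FLOWS = """\
2017-10-24T10:00:01 10.1.1.50 10.1.1.51 445
2017-10-24T10:00:02 10.1.1.50 10.1.1.52 445
2017-10-24T10:00:03 10.1.1.50 10.1.1.53 445
2017-10-24T10:00:04 10.1.1.50 10.1.1.54 445
2017-10-24T10:00:05 10.1.1.50 10.1.1.55 445
2017-10-24T10:00:06 10.1.1.50 10.1.1.56 445
2017-10-24T10:00:07 10.1.1.50 10.1.1.57 445
2017-10-24T10:00:08 10.1.1.50 10.1.1.58 445
2017-10-24T10:00:09 10.1.1.20 10.1.1.10 445
2017-10-24T10:05:00 10.1.1.20 10.1.1.11 445
2017-10-24T10:00:10 10.1.1.60 10.1.1.70 445
2017-10-24T10:02:00 10.1.1.60 10.1.1.71 445
2017-10-24T10:04:00 10.1.1.60 10.1.1.72 445
2017-10-24T10:06:00 10.1.1.60 10.1.1.73 445
2017-10-24T10:08:00 10.1.1.60 10.1.1.74 445
2017-10-24T10:10:00 10.1.1.60 10.1.1.75 445
2017-10-24T10:00:11 10.1.1.50 10.1.1.80 80
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_smb_fanout(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: set_of_peers} for every source that contacted at least
    `threshold` distinct hosts on TCP/445 inside some `window`-long interval.
    Only SMB flows are considered; other ports are ignored."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # sliding window needs time order
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                # accumulate every peer seen in any offending window
                alerts[src] = alerts.get(src, set()) | peers
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} reached {len(peers)} SMB peers: {sorted(peers)}")
```

Run as-is it reports only 10.1.1.50; the slow sweep from 10.1.1.60 only triggers once the window is widened (for example to 20 minutes), which is the trade-off to weigh when tuning: a wide window catches slower propagation but also catches backup or inventory systems that legitimately touch many shares.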
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | |