
Bad Rabbit Ransomware

3 min read
Last updated July 7, 2023

What is Bad Rabbit ransomware?

Bad Rabbit is ransomware belonging to the Petya family that hit over 200 organizations throughout Eastern Europe in October of 2017. Targets were primarily Russian media agencies; however, various corporate networks throughout Russia, Eastern Europe, and Japan were also hit because of the method the ransomware used to spread through networks.

Bad Rabbit was spread through a drive-by attack in which compromised websites served a fake Adobe Flash update that, once run, encrypted system files with 2048-bit RSA keys and demanded 0.05 Bitcoin.


Who created Bad Rabbit?

The Bad Rabbit ransomware is not currently attributed to any threat group. However, the code and the list of domains used for the drive-by attack share enough similarities with NotPetya (also referred to as ExPetr or Nyetya) to lead researchers to believe the same group is responsible for both. NotPetya has links to BlackEnergy and Sandworm Team, yet those teams are Russian and Bad Rabbit primarily targeted Russia, which complicates attribution. Some researchers and commentators have proposed that Bad Rabbit was the work of a state-funded group targeting dissident media organizations. However, other than the primary watering-hole websites being media related, there is no conclusive evidence to support that suggestion.

What systems are vulnerable to Bad Rabbit?

Only unpatched Windows 7 and later Windows operating systems are affected by Bad Rabbit. Initial reports indicated the ransomware did not use any NSA-developed exploits. However, follow-up research by Cisco's Talos Security Intelligence showed that Bad Rabbit did in fact use the EternalRomance exploit (CVE-2017-0145) to bypass Windows Server Message Block (SMB) file-sharing security and enable remote code execution on Windows systems. That is the same exploit leaked by the Shadow Brokers in April and used by NotPetya in June.

Bad Rabbit Timeline

  1. March 2016 Petya First Spotted
  2. April 2017 Shadow Brokers Leak EternalRomance
  3. June 2017 NotPetya First Spotted
  4. Oct 12th Ukraine's SBU warns of an imminent attack similar to NotPetya
  5. Oct 24th 2017 Bad Rabbit First Spotted

How is Bad Rabbit spread?

The initial attack vectors for Bad Rabbit were compromised Russian media sites. The attackers uploaded fake Adobe Flash Player installers to these websites, which, once downloaded and run manually by a user, would initiate the Bad Rabbit ransomware.

The compromised websites hosted a redirect to 1dnscontrol[.]com for 6 hours. Once redirected, a POST request was sent to 185.149.120[.]3, providing the attackers with the user agent and other identifying information. From there the dropper was downloaded from one of two URLs on the same host: 1dnscontrol[.]com/index.php and 1dnscontrol[.]com/flash_install.php.

Once a user runs the malicious Adobe Flash Player executable, Bad Rabbit scans for SMB shares, which it then brute-forces with a hard-coded list of common credentials. The Mimikatz post-exploitation tool is also used to harvest usernames and passwords and gain access to yet more SMB shares.

From there, Bad Rabbit attempts to abuse the Windows Management Instrumentation Command-line (WMIC) tool in order to execute code on networked Windows systems.

Lastly, it uses an EternalRomance implementation, very similar to a publicly available Python one, to read and write arbitrary data in kernel memory space, overwriting the session security information. Bad Rabbit then uses that access to run full-disk encryption with DiskCryptor, an open-source encryption application.
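The drive-by chain described above (redirect, POST beacon to 185.149.120[.]3, then the dropper fetched from 1dnscontrol[.]com) leaves a recognisable sequence in web proxy logs. The following is an added detection example written for this page, not code from Varonis or from the Bad Rabbit samples; the proxy log format and the client addresses are constructed, and only the host and path indicators come from the write-up.

```python
import re

# Network indicators quoted in the write-up above, defanged as published there.
BEACON_HOST = "185.149.120[.]3"        # receives the POST with user agent etc.
DROPPER_HOST = "1dnscontrol[.]com"     # serves the fake Flash installer
DROPPER_PATHS = ("/index.php", "/flash_install.php")

def refang(ioc):
    """Turn a defanged indicator ('[.]') into the form that appears in logs."""
    return ioc.replace("[.]", ".")

# Constructed sample proxy log (not real traffic): time, client, method, host, path, status.
SAMPLE_PROXY_LOG = """\
2017-10-24T10:01:02 10.0.0.15 GET www.news.test /today.html 200
2017-10-24T10:01:03 10.0.0.15 POST 185.149.120.3 /scholargoogle/ 200
2017-10-24T10:01:05 10.0.0.15 GET 1dnscontrol.com /flash_install.php 200
2017-10-24T10:02:11 10.0.0.22 GET 1dnscontrol.com /index.php 200
2017-10-24T10:03:40 10.0.0.31 GET cdn.news.test /app.js 200
"""

# Assumed (constructed) log format; adapt the regex to your proxy's actual layout.
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

def classify_request(method, host, path):
    """Map one request to a stage of the drive-by chain, or None if unrelated."""
    if method == "POST" and host == refang(BEACON_HOST):
        return "beacon"
    if method == "GET" and host == refang(DROPPER_HOST) and path in DROPPER_PATHS:
        return "dropper"
    return None

def find_drive_by_chain(log_text):
    """Return {client: sorted list of stages seen}. A client showing both stages
    has reproduced the beacon-then-dropper sequence, not just a stray DNS hit."""
    stages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, method, host, path, _status = m.groups()
        stage = classify_request(method, host, path)
        if stage:
            stages.setdefault(client, set()).add(stage)
    return {c: sorted(s) for c, s in stages.items()}

def full_chain_clients(log_text):
    """Clients that both beaconed and fetched the dropper (highest confidence)."""
    return [c for c, s in find_drive_by_chain(log_text).items() if s == ["beacon", "dropper"]]

if __name__ == "__main__":
    for client, seen in find_drive_by_chain(SAMPLE_PROXY_LOG).items():
        print(client, seen)
    print("full chain:", full_chain_clients(SAMPLE_PROXY_LOG))
```

A client that only fetched the dropper still warrants triage, since the user may have run the installer without the beacon being logged by this proxy.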

Indicators of Compromise

Bad Rabbit Ransomware Note

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service.

We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion
Your personal installation key#1:

If you have already got the password, please enter it below.

Known Compromised Websites

The following sites were hacked and visitors to them were forced to download the Bad Rabbit installer.


Command and Control Domains

  • http://caforssztxqzf2nm[.]onion
  • http://185.149.120[.]3/scholargoogle/
  • hxxp://1dnscontrol[.]com/flash_install.php

Extensions Targeted for Encryption by Bad Rabbit

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

SHA-256 Hash of Files

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Payload Files SHA-256 Hashes

