Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Bad Rabbit Ransomware

Bad Rabbit is a ransomware strain that spread via hacked websites, infected systems via a fake Adobe installer and held encrypted files for Bitcoin.
Michael Raymond
3 min read
Published May 6, 2022
Last updated July 7, 2023

What is Bad Rabbit ransomware?

Bad Rabbit is ransomware belonging to the Petya family of ransomware that hit over 200 organizations throughout Eastern Europe in October of 2017. Targets were primarily Russian media agencies however various corporate networks throughout Russia, Eastern Europe, and Japan were hit due to the method that ransomware used to spread through networks.

Bad Rabbit was spread through a drive-by attack where compromised websites spread a fake Adobe Flash update which, once run, would encrypt system files with RSA 2048 bit keys and demand .05 Bitcoin.

Discover your weak points and strengthen your resilience: Run a Free Ransomware Readiness Test

Who created Bad Rabbit?

The Bad Rabbit ransomware is not currently attributed to any threat group. However, the code and list of domains used for the drive-by attack share enough similarities with NotPetya (also referred to as ExPetr or Nyetya) to lead researchers to believe the same group is responsible for both. NotPetya has links to BlackEnergy and Sandworm Team yet those teams are Russian and Bad Rabbit is primarily targeting Russia which complicates attribution. Some researchers and commentators have proposed Bad Rabbit was a state-funded group targeting dissonant media organizations. However, other than the primary watering hole websites being media related there is no conclusive evidence to support that suggestion.

What systems are vulnerable to Bad Rabbit?

Only unpatched Windows 7 and later Windows operating systems are affected by Bad Rabbit. Initial reports indicated the ransomware did not use any NSA-developed exploits. However, follow-up research by Cisco's Talos Security Intelligence showed Bad Rabbit did in fact use the EternalRomance exploit CVE-2017-0145 to bypass Windows Server Message Block (SMB) file-sharing security and enable remote code execution on Windows systems. That is the same exploit leaked by the Shadow Brokers in April and used by NotPetya in June.

Bad Rabbit Timeline

  1. March 2016 Petya First Spotted
  2. April 2017 Shadow Brokers Leak EternalRomance
  3. June 2017 NotPetya First Spotted
  4. Oct 12th Ukraine’s SBU Warns of imminent attack similar to the NotPetya
  5. Oct 24th 2017 BadRabbit First Spotted

How is Bad Rabbit spread?

The initial attack vectors for Bad Rabbit were compromised Russian media sites. The attackers uploaded fake Adobe Flash Player installers to these websites, which once downloaded and run manually by a user would initiate the Bad Rabbit ransomware.

The compromised websites hosted a redirect to 1dnscontrol[.]com for 6 hours. Once redirected a post request was sent to 185.149.120[.]3 providing the attackers with the user agent and other identifying information. From there the dropper was downloaded from two sources: 1dnscontrol[.]com/index.php and /flash_install.php.

Once a user runs the malicious Adobe Flash Player Executable, Bad Rabbit scans for SMB shares which it then brute forces with a hard-coded list of common credentials. Mimikatz post-exploitation tools are also used to harvest usernames and passwords and gain access to yet more SMB shares.

From there Bad Rabbit would attempt to exploit Windows Management Instrumentation Command-line (WMIC) in order to execute code on networked Windows systems.

Lastly, it uses an EternalRomance implementation, very similar to this publicly available python one, to read and write arbitrary data in the kernel memory space overwriting the session security. Then Bad Rabbit would use the access to run full disk encryption with DiskCryptor an open-source encryption application.

Indicators of Compromise

Bad Rabbit Ransomware Note



Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. Ho one will be able to recover them without our decryption service.

We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion
Your personal installation key#1:



If you have already got the password, please enter it below.
Password#1:

Known Compromised Websites

The following sites were hacked and visitors to them were forced to download the Bad Rabbit installer.

  • hxxp://www.fontanka[.]ru
  • hxxp://www.otbrana[.]com
  • hxxp://grupovo[.]bg
  • hxxp://i24.com[.]ua
  • hxxp://spbvoditel[.]ru
  • hxxp://blog.fontanka[.]ru
  • hxxp://www.pensionhotel[.]cz
  • hxxp://www.sinematurk[.]com
  • hxxp://most-dnepr[.]info
  • hxxp://www.imer[.]ro
  • hxxp://calendar.fontanka[.]ru
  • hxxp://an-crimea[.]ru
  • hxxp://www.online812[.]ru
  • hxxp://www.aica.co[.]jp
  • hxxp://www.mediaport[.]ua
  • hxxp://ankerch-crimea[.]ru
  • hxxp://novayagazeta.spb[.]ru
  • hxxp://osvitaportal.com[.]ua
  • hxxp://www.grupovo[.]bg
  • hxxp://argumenti[.]ru
  • hxxp://bg.pensionhotel[.]com
  • hxxp://argumentiru[.]com
  • hxxp://www.t.ks[.]ua

Command and Control Domains

  • http://caforssztxqzf2nm[.]onion
  • http://185.149.120[.]3/scholargoogle/
  • hxxp://1dnscontrol[.]com/flash_install.php

Extensions Targeted for Encryption by Bad Rabbit

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

SHA 256 Hash of files

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Payload Files SHA 256 Hashes

  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  • 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  • 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

taking-microsoft-office-by-
Taking Microsoft Office by "Storm"
The “Storm-0978” ransomware group is actively exploiting an unpatched Microsoft Office and Windows HTML remote code execution vulnerability.
hive-ransomware-analysis
Hive Ransomware Analysis
Learn how Hive ransomware exploits public servers, spreads through your network, encrypts sensitive files, and exports victims for cryptocurrency.
blackcat-ransomware-(alphv)
BlackCat Ransomware (ALPHV)
Varonis has observed the ALPHV (BlackCat) ransomware, actively recruiting new affiliates and targeting organizations across multiple sectors worldwide.
anatomy-of-a-solidbit-ransomware-attack
Anatomy of a SolidBit Ransomware Attack
Solidbit is a ransomware variant derived from Yashma and containing elements of LockBit. Discover how Solidbit's capabilities, execution, what file types it targets, and how to tell if you're been infected.