Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Bad Rabbit has masqueraded as a Flash Player installer through the executable file |
| Enterprise | T1495 | Firmware Corruption | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[2] |
| Enterprise | T1486 | Data Encrypted for Impact | Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[1] |
| Enterprise | T1110.003 | Brute Force: Password Spraying | Bad Rabbit’s |
| Enterprise | T1106 | Native API | Bad Rabbit has used various Windows API calls.[2] |
| Enterprise | T1189 | Drive-by Compromise | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Bad Rabbit has been executed through user installation of an executable disguised as a Flash installer.[2][1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Bad Rabbit has used rundll32 to launch a malicious DLL as |
| Enterprise | T1569.002 | System Services: Service Execution | Bad Rabbit drops a file named |
| Enterprise | T1135 | Network Share Discovery | Bad Rabbit enumerates open SMB shares on internal victim networks.[2] |
| Enterprise | T1057 | Process Discovery | Bad Rabbit can enumerate all running processes to compare hashes.[1] |
| Enterprise | T1210 | Exploitation of Remote Services | Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Bad Rabbit’s |
| ICS | T0817 | Drive-by Compromise | Bad Rabbit ransomware spreads through drive-by attacks in which insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actors' infrastructure.[4] |
| ICS | T0866 | Exploitation of Remote Services | Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.[5] |
| ICS | T0867 | Lateral Tool Transfer | Bad Rabbit can move laterally through industrial networks by means of the SMB service.[5] |
| ICS | T0828 | Loss of Productivity and Revenue | Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports.[2] |
| ICS | T0863 | User Execution | Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened, it starts locking the infected computer.[4] |

| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | |