A large-scale ransomware campaign dubbed "Bad Rabbit" is reported to be spreading. Initial information indicates that legitimate websites were compromised (a watering-hole attack) and redirected visitors to a fake Adobe Flash update that downloaded the malicious Bad Rabbit executable. User action is required: the victim must run the downloaded dropper (SHA-256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) to start the infection. The dropper contains the Bad Rabbit ransomware component.

Bad Rabbit uses DiskCryptor, an open-source full-disk encryption package, to encrypt the infected computer's disk and files, with the encryption keys protected by an RSA-2048 key. The ransomware also overwrites the Master Boot Record (MBR), so the system no longer boots and is rendered unusable. The malware moves laterally over open SMB shares, using a hardcoded list of usernames and passwords to drop itself on other hosts, and uses the Mimikatz post-exploitation tool to dump credentials from infected systems.

Indicators of Compromise (IoC)

Network indicators (defanged with [.]):
1dnscontrol[.]com/index.php - fake Flash download URI
1dnscontrol[.]com/flash_install.php - fake Flash download URI
185[.]149[.]120[.]3/scholargoogle/ - URI called out to from the watering-hole sites
caforssztxqzf2nm[.]onion - Tor hidden service (ransom payment page)

Watering hole sites:
fontanka[.]ru - referrer to 1dnscontrol[.]com
adblibri[.]ro - referrer to 1dnscontrol[.]com
spbvoditel[.]ru - referrer to 1dnscontrol[.]com
grupovo[.]bg - referrer to 1dnscontrol[.]com
sinematurk[.]com - referrer to 1dnscontrol[.]com
argumenti[.]ru - referrer to 1dnscontrol[.]com

Hashes (SHA-256):
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da - fake Flash installer (dropper)
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 - C:\Windows\dispci.exe, associated with DiskCryptor
682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 - C:\Windows\cscc.dat (32-bit DiskCryptor driver), associated with DiskCryptor
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 - associated with DiskCryptor
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 - C:\Windows\infpub.dat (malicious DLL with some similarities to Nyetya/NotPetya)
2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 - Mimikatz x86
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c - Mimikatz x64

Scheduled task names:
viserion_
rhaegal
drogon

Mitigation/Countermeasures

Block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
Secure the use of WMI by authorising WMI users and setting permissions; disable or limit remote WMI and file sharing.
Configure access controls, including file, directory and network share permissions, with the principle of least privilege in mind.
Block remote execution through PsExec.
Enable the anti-ransomware Controlled Folder Access feature added in Windows 10 v1709: https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
Consider deploying Microsoft LAPS (Local Administrator Password Solution), which gives each domain-joined host a unique local administrator password, so that credentials extracted on one host cannot be reused by the ransomware to spread laterally: https://technet.microsoft.com/en-us/mt227395.aspx
Limit lateral communication with the necessary host-based firewall rules.
Disable SMBv1, and block all versions of SMB at the network boundary by blocking TCP port 445 and the related NetBIOS protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.
Check for unusual scheduled tasks, in particular the names listed above.
Restrict the execution of PowerShell and WScript in the enterprise environment.
Ensure the latest version of PowerShell (v5.0 or later) is installed and used, with enhanced logging enabled: script block logging and transcription. Send the associated logs to a centralised log repository for monitoring and analysis.
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite recovery. Ideally this data should be kept on a separate device, and backups should be stored offline.
Establish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) for your domain. These email authentication mechanisms detect sender spoofing, the route by which most ransomware reaches corporate mailboxes. (Bad Rabbit itself arrived through compromised websites rather than email, so this control addresses the more common delivery path rather than this campaign's.)
Consider installing the Enhanced Mitigation Experience Toolkit (EMET) or similar host-level anti-exploitation tools.
Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls, and consider click-to-play for browser plugins such as Flash.
Use network segmentation and segregation into security zones to help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks (VLANs).
Disable Remote Desktop connections where they are not required, and employ least-privileged accounts.
Always update software from the relevant vendor sites.
Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorised software from gaining execution on endpoints.

Sources: CERT-In, Cyber Swachhta Kendra
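The indicators above fall into three groups that are hunted for in different data: the web URIs and watering-hole referrers in proxy logs, the file hashes in an endpoint inventory, and the scheduled task names in a task export. The script below is an added example of sweeping all three; it is not code from the advisory or from CERT-In. The proxy-log line format, the hash inventory pairs and the schtasks CSV are constructed samples in the shapes a SIEM or `schtasks /query /fo CSV` would give, and treating "viserion_" as a prefix (the advisory lists it with a trailing underscore) is an assumption.

```python
"""Sweep proxy logs, a file-hash inventory and a scheduled-task export for the
Bad Rabbit indicators in the advisory. Added example; the input formats below
are constructed for illustration."""
import csv
import hashlib
import io
import os
import re
from urllib.parse import urlsplit

# Network IoCs from the advisory, written without the "[.]" defanging.
FAKE_FLASH_HOST = "1dnscontrol.com"
FAKE_FLASH_PATHS = {"/index.php", "/flash_install.php"}
BEACON_HOST = "185.149.120.3"
BEACON_PATH_PREFIX = "/scholargoogle/"
WATERING_HOLES = {"fontanka.ru", "adblibri.ro", "spbvoditel.ru",
                  "grupovo.bg", "sinematurk.com", "argumenti.ru"}

# SHA-256 hashes from the advisory, lower-cased so comparison is case-insensitive.
KNOWN_HASHES = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "fake Flash installer (dropper)",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "dispci.exe (DiskCryptor)",
    "682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806": "cscc.dat (DiskCryptor driver)",
    "0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6": "DiskCryptor component",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": "infpub.dat (ransomware DLL)",
    "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035": "Mimikatz x86",
    "301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c": "Mimikatz x64",
}
# Dropped-file paths named in the advisory, hashed directly when run on a Windows host.
KNOWN_PATHS = [r"C:\Windows\infpub.dat", r"C:\Windows\cscc.dat", r"C:\Windows\dispci.exe"]
# Task names from the advisory; "viserion_" is treated as a prefix (assumption).
TASK_NAME_RE = re.compile(r"^(viserion_\w*|rhaegal|drogon)$", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of a URL or bare host ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _in_domains(host, domains):
    """True if host equals, or is a subdomain of, any name in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines):
    """Flag requests to the fake-Flash host and to the beacon URI.

    Assumed line format: <ts> <client> <method> <host> <path> <referrer>,
    with '-' for a missing referrer. Returns (line_no, client, reason)."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; a production parser would log it
        _, client, _, host, path, referrer = parts[:6]
        host = host.lower()
        ref_host = _host(referrer) if referrer != "-" else ""
        if host == FAKE_FLASH_HOST:
            reason = ("fake Flash download" if path in FAKE_FLASH_PATHS
                      else "contact with fake Flash host")
        elif host == BEACON_HOST and path.startswith(BEACON_PATH_PREFIX):
            reason = "watering-hole beacon to " + BEACON_HOST + BEACON_PATH_PREFIX
        else:
            continue
        if _in_domains(ref_host, WATERING_HOLES):
            reason += " via watering hole " + ref_host
        hits.append((n, client, reason))
    return hits


def match_hash_inventory(inventory):
    """inventory: (path, sha256_hex) pairs, e.g. exported from an EDR.
    Returns (path, description) for every hash listed in the advisory."""
    return [(path, KNOWN_HASHES[h.lower()])
            for path, h in inventory if h.lower() in KNOWN_HASHES]


def hash_known_paths(paths=KNOWN_PATHS):
    """Hash the dropped-file paths that exist on this host. Presence of any of
    them is suspicious even if the hash is not in the advisory."""
    found = []
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            found.append((p, KNOWN_HASHES.get(digest, "present, hash not in advisory")))
    return found


def suspicious_tasks(schtasks_csv):
    """Parse `schtasks /query /fo CSV` output and return task names matching the
    advisory. TaskName carries a leading backslash and possibly a folder path,
    so only the last path component is compared."""
    names = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        full = row.get("TaskName", "")
        if TASK_NAME_RE.match(full.rsplit("\\", 1)[-1]):
            names.append(full)
    return names


# Constructed sample inputs (not real traffic, files or tasks).
SAMPLE_PROXY_LOG = [
    "2017-10-24T10:01:02 10.0.0.15 GET fontanka.ru /news/123 -",
    "2017-10-24T10:01:05 10.0.0.15 GET 1dnscontrol.com /index.php http://fontanka.ru/news/123",
    "2017-10-24T10:01:09 10.0.0.15 GET 1dnscontrol.com /flash_install.php http://fontanka.ru/news/123",
    "2017-10-24T10:02:00 10.0.0.22 GET example.com /index.php -",
    "2017-10-24T10:03:30 10.0.0.31 GET 185.149.120.3 /scholargoogle/ http://www.argumenti.ru/",
]
SAMPLE_INVENTORY = [
    (r"C:\Windows\infpub.dat", "579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648"),
    (r"C:\Windows\notepad.exe", "0" * 64),
]
SAMPLE_SCHTASKS_CSV = "\n".join([
    '"TaskName","Next Run Time","Status"',
    r'"\rhaegal","N/A","Ready"',
    r'"\viserion_23","10/24/2017 11:15:00 AM","Ready"',
    r'"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready"',
]) + "\n"

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for m in match_hash_inventory(SAMPLE_INVENTORY) + hash_known_paths():
        print("file:", m)
    for t in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print("task:", t)
```

Visiting a watering-hole site alone is not flagged, since the sites were legitimate and most visitors never took the bait; the referrer is used only to enrich a hit on 1dnscontrol[.]com or the beacon URI. On a live Windows host, `hash_known_paths()` reports the dropped files by path even when their hash differs from the advisory, because a new build of the same dropper would not match the listed hashes.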