Wontok Lab Tests and Removes Ransomware BadRabbit

Wontok SafeCentral Malware Bulletin

27 October 2017

Malware Family: Ransom.BadRabbit

Ransom.BadRabbit is a ransomware family that currently targets critical infrastructure and high-profile entities, with reported incidents in Ukraine and Russia. Preliminary analysis reveals that this new strain is bundled with several open source tools that it leverages for data encryption and lateral movement.

Wontok Lab Results

We observed that the advanced cloud-technology on-access engines of the Wontok SafeCentral Security Suite properly detect and remediate the malware, preventing the installation and spread of this payload.

Observations

The Ransom.BadRabbit infection process starts with a fake Adobe Flash installer downloaded from compromised websites. This fake Flash installer carries the ransomware payload; once decrypted, it drops and executes the code. The actual ransomware payload holds no fewer than six different tools that are used for encryption as well as for spreading the code to other devices.

Bad Rabbit is similar to the GoldenEye / NotPetya ransomware strains. It is highly viral because of its bundled Mimikatz, which lets it move from one infected workstation to another. It also features disk encryption via the DiskCryptor driver, allowing it to interfere with the normal boot process and prevent the computer from starting up. The ransomware component references Game of Thrones characters within its code, and it has a process-hashing routine strikingly similar to the one GoldenEye used to determine which security solutions were installed locally before encrypting the Master Boot Record (MBR).
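The two observations above that an endpoint defender can most readily turn into telemetry are the browser-spawned fake Flash installer and the later load of the DiskCryptor kernel driver. The script below is an added example, not Wontok's code or part of the bulletin: it walks a constructed list of endpoint events and rates each host by how much of that chain it shows. The event schema, host names, file names and the driver name `dcrypt.sys` (DiskCryptor's driver, as known to the author of this example) are assumptions; the bulletin gives no file names, so Mimikatz is deliberately not matched by name.

```python
"""Correlate the Bad Rabbit infection chain over constructed endpoint events.

Added example (not the bulletin's code). Severity per host:
  high   - fake Flash installer launched from a browser, then a disk
           encryption driver loaded within CHAIN_WINDOW_SECONDS
  medium - fake Flash installer only (or driver load that precedes it)
  low    - disk encryption driver loaded with no installer seen
           (DiskCryptor has legitimate uses, so this alone is weak)
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Parents from which a user-downloaded "installer" would normally launch (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# DiskCryptor kernel driver file name (assumption; adjust to what your telemetry reports).
DISK_ENCRYPTION_DRIVERS = {"dcrypt.sys"}
# Maximum gap between installer launch and driver load for the two to be chained.
CHAIN_WINDOW_SECONDS = 3600


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    kind: str          # "process_start" or "driver_load"
    image: str         # file name of the process image or driver
    parent: str = ""   # parent process image, process_start only
    signer: str = ""   # Authenticode signer, "" when unsigned (assumed field)


def is_fake_flash_installer(e: Event) -> bool:
    """Browser-spawned executable that calls itself a Flash installer but is not signed by Adobe."""
    name = e.image.lower()
    return (e.kind == "process_start"
            and e.parent.lower() in BROWSERS
            and "flash" in name
            and name.endswith(".exe")
            and "adobe" not in e.signer.lower())


def is_disk_encryption_driver(e: Event) -> bool:
    return e.kind == "driver_load" and e.image.lower() in DISK_ENCRYPTION_DRIVERS


def assess_host(events: List[Event]) -> str:
    """Return 'high', 'medium', 'low' or 'none' for one host's events."""
    events = sorted(events, key=lambda e: e.ts)
    installer_ts = [e.ts for e in events if is_fake_flash_installer(e)]
    driver_ts = [e.ts for e in events if is_disk_encryption_driver(e)]
    if installer_ts:
        first = installer_ts[0]
        # The driver load must follow the installer; an earlier load is unrelated.
        if any(first <= t <= first + CHAIN_WINDOW_SECONDS for t in driver_ts):
            return "high"
        return "medium"
    if driver_ts:
        return "low"
    return "none"


def correlate(events: List[Event]) -> Dict[str, str]:
    """Group events by host and report every host with a non-'none' severity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = {host: assess_host(evs) for host, evs in by_host.items()}
    return {host: sev for host, sev in findings.items() if sev != "none"}


# Constructed sample telemetry covering the full chain and the edge cases.
SAMPLE_EVENTS = [
    Event(100, "ws01", "process_start", "chrome.exe", parent="explorer.exe", signer="Google LLC"),
    Event(160, "ws01", "process_start", "install_flash_player.exe", parent="chrome.exe", signer=""),
    Event(220, "ws01", "driver_load", "dcrypt.sys"),
    # Genuine Adobe-signed installer launched by the user, not a browser: ignored.
    Event(300, "ws02", "process_start", "flashplayer_update.exe", parent="explorer.exe",
          signer="Adobe Systems Incorporated"),
    # Driver load with no installer: possible legitimate DiskCryptor use.
    Event(400, "ws03", "driver_load", "dcrypt.sys"),
    # Driver loaded before the installer ran: not chained, installer still flagged.
    Event(50, "ws04", "driver_load", "dcrypt.sys"),
    Event(80, "ws04", "process_start", "adobe_flash_setup.exe", parent="firefox.exe", signer=""),
]

if __name__ == "__main__":
    for host, severity in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity}")
```

The ordering check matters in practice: a DiskCryptor load on its own is a weak signal, and a load that precedes the installer cannot be its consequence, so only the installer-then-driver sequence on the same host is rated high.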

About Wontok Lab

Wontok Lab is Wontok’s product test facility that consists of a team of security researchers in a controlled analysis and testing environment. Wontok Lab conducts rigorous tests specifically designed and tailored for each of Wontok’s security products.

About Wontok SafeCentral Security Solutions

Founded in 2005 and headquartered in Sydney, with operations in Australia, Asia and the United States, Wontok brings proven remote access and endpoint security solutions to market. Wontok designed the SafeCentral solutions to be effective against advanced malware threats on desktop and mobile devices. SafeCentral Security Solutions include SafeDesktop, Mobile Security, and Security Suite, all of which can be delivered via partner-owned platforms or via the Wontok ONE Cloud-based VAS service delivery platform.
