Wednesday, October 25, 2017

NotPetya reappears as BadRabbit and keeps the Semi Kill Switch

Yesterday, Russia and Ukraine were targeted by the Bad Rabbit ransomware, distributed via drive-by download.

The sample, named install_flash_player.exe (SHA-256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da), has some very strong similarities to NotPetya, the ransomware that spread via the EternalBlue SMB exploit in June.

There are many behavior-based similarities, such as the processes started:

[Figure: Bad Rabbit]

But there are also many code-based similarities. Multiple companies have already blogged about the differences (1, 2); however, what we also found very interesting is that the ransomware kept the kill switch. Not the domain-based one which was activated by @Malwaretech for NotPetya, but rather the local, machine-based one, which once set prevents infection. If one looks at function 807E8E, we can see that Bad Rabbit checks for the file C:\Windows\cscc.dat. If it exists, the process will exit:

So, to get protected, just create the file C:\Windows\cscc.dat and you are good!
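The vaccination step above as a small PowerShell script (an added example, not from the original post or from Joe Security): it creates the kill-switch file if it is missing and, optionally, compares a suspect download against the sample hash quoted above. The parameter name and messages are our own; writing to C:\Windows needs an elevated prompt.

```powershell
# Added example: vaccinate a Windows host against Bad Rabbit by creating the
# kill-switch file described in the post, and optionally check a suspect file's
# SHA-256 against the sample hash quoted in the post.
param(
    [string]$SuspectFile = ''   # optional: path of a downloaded "install_flash_player.exe" to check
)

# File whose presence makes Bad Rabbit exit (from the post)
$KillSwitchFile = 'C:\Windows\cscc.dat'
# SHA-256 of the Bad Rabbit sample quoted in the post
$BadRabbitSha256 = '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da'

# 1. Create the kill-switch file if it does not already exist.
if (-not (Test-Path -LiteralPath $KillSwitchFile)) {
    New-Item -ItemType File -Path $KillSwitchFile -Force | Out-Null
    Write-Host "Created kill-switch file $KillSwitchFile"
} else {
    Write-Host "Kill-switch file $KillSwitchFile already present"
}

# 2. Optionally compare a suspect file against the known sample hash.
if ($SuspectFile -and (Test-Path -LiteralPath $SuspectFile)) {
    $hash = (Get-FileHash -LiteralPath $SuspectFile -Algorithm SHA256).Hash.ToLower()
    if ($hash -eq $BadRabbitSha256) {
        Write-Warning "$SuspectFile matches the Bad Rabbit sample hash"
    } else {
        Write-Host "$SuspectFile does not match the Bad Rabbit sample hash ($hash)"
    }
}
```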

Full analysis + sample available at Joe Sandbox Cloud Basic.