Yesterday, Russia and Ukraine were targeted by the
Bad Rabbit ransomware, distributed via drive-by download.
The sample, named
install_flash_player.exe, sha256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, has some very strong similarities to
NotPetya, the ransomware that spread via the EternalBlue SMB exploit in June.
There are many behaviour-based similarities, such as the processes started:
[Figure: process tree of NotPetya]
[Figure: process tree of Bad Rabbit]
But there are also many code-based similarities. Multiple companies have already blogged about the differences (
1,
2); however, what we also found very interesting is that the ransomware kept the kill switch. Not the domain-based one activated by
@Malwaretech for NotPetya, but rather a local, machine-based one,
which once set prevents infection. If one looks at function
807E8E, we can see that Bad Rabbit checks for the file
C:\Windows\cscc.dat. If it exists, the process exits.
So, to get protected, just create the file
C:\Windows\cscc.dat and you are good!
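The following script is an added example and is not code from the original post or from Joe Security. It reproduces the kill-switch check described above as a harmless function (does the file exist, so the dropper would exit?), creates the empty cscc.dat vaccine file idempotently, and compares a file's SHA-256 with the sample hash quoted above. The Windows directory is a parameter (defaulting to the WINDIR environment variable, then C:\Windows, both assumptions) so the logic can be exercised on any OS; the post says nothing about file permissions, and neither does this script.

```python
"""Defender-side helper for the Bad Rabbit kill-switch file.

Added example, not the post's or Joe Security's code. Mirrors the
documented check (exit if C:\\Windows\\cscc.dat exists), applies the
vaccine file, and matches a file's SHA-256 against the dropper hash
quoted in the post.
"""
import hashlib
import os
from pathlib import Path
from typing import Optional, Union

# SHA-256 of install_flash_player.exe as quoted in the post.
BAD_RABBIT_DROPPER_SHA256 = (
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"
)

KILL_SWITCH_NAME = "cscc.dat"


def kill_switch_path(windir: Optional[str] = None) -> Path:
    """Path of the kill-switch file. Assumption: the Windows directory is
    %WINDIR%, falling back to C:\\Windows; a caller may override it."""
    base = windir or os.environ.get("WINDIR", r"C:\Windows")
    return Path(base) / KILL_SWITCH_NAME


def dropper_would_exit(windir: Optional[str] = None) -> bool:
    """Mirror the check at function 807E8E: True when the file exists,
    i.e. the dropper would exit without encrypting."""
    return kill_switch_path(windir).exists()


def apply_vaccine(windir: Optional[str] = None) -> Path:
    """Create the empty kill-switch file (idempotent) and return its path."""
    p = kill_switch_path(windir)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.touch(exist_ok=True)  # an empty file satisfies the existence check
    return p


def sha256_file(path: Union[str, Path]) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_dropper(path: Union[str, Path]) -> bool:
    """True if the file's SHA-256 equals the dropper hash from the post."""
    return sha256_file(path).lower() == BAD_RABBIT_DROPPER_SHA256


if __name__ == "__main__":
    # Usage on a host: report the vaccine state, creating the file if absent.
    if dropper_would_exit():
        print(f"vaccine already present: {kill_switch_path()}")
    else:
        print(f"created vaccine file: {apply_vaccine()}")
```

Run it as an administrator on the host to be protected; on any other system, pass a scratch directory as `windir` to see the check and the vaccine logic without touching the real Windows directory.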
Full analysis and sample are available at
Joe Sandbox Cloud Basic.