Bad Rabbit is a notorious malware that emerged in October 2017, primarily targeting corporate networks. It operates as ransomware, encrypting the victim's files and disk and offering decryption in exchange for a ransom. The malware is distributed through fake Adobe Flash installer advertisements that lure victims into running it; it exploits the EternalBlue vulnerability and encrypts the Master Boot Record (MBR), much like Petya, another infamous malware. Unlike ExPetr (also known as NotPetya), however, Bad Rabbit was not designed as a wiper: it does not aim to permanently delete data or render it unrecoverable. Code analysis revealed notable similarities between the ExPetr and Bad Rabbit binaries, suggesting a link in their development or operation.
The Cybereason Nocturnus Team was at the forefront of countermeasures against this threat, releasing the first vaccine for the 2017 NotPetya and Bad Rabbit attacks. This proactive response provided a critical defensive mechanism that helped mitigate the impact of these attacks. In the case of Bad Rabbit, the malware's algorithm indicates that the threat actors have the technical capability to decrypt the password needed for disk decryption, further underscoring the importance of such defensive measures.
Bad Rabbit has been linked to several other ransomware variants, including GandCrab, LockBit 2.0, and STOP/DJVU, as well as multiple malware samples such as BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader, and SmokeLoader. The threat actor also employs fast flux on infected computers in regions such as Asia, Africa, and the Middle East, which makes blocking content difficult because the IP addresses change constantly. These associations and tactics underscore the broad reach and evolving complexity of the Bad Rabbit malware.
Description last updated: 2024-05-04T18:03:47.541Z