Threat Intelligence Blog

Posted November 9, 2017

In the past few weeks, a new strain of self-propagating ransomware dubbed BadRabbit emerged via infected media and government websites, primarily located in Russia and Ukraine. This strain of malware is being closely compared to WannaCry and NotPetya in how it has infected and impacted organizations.

BadRabbit is delivered via drive-by download from sites infected with malicious JavaScript. The malicious script harvests user data, including device type and location, sends it back to the attacker, and then presents a pop-up window disguised as a Flash Player Update Installer. When the user clicks to install the update, the malware dropper is installed instead.

Down the BadRabbit Hole: Ransomware Delivered by Fake Flash Updates

Fig. 1: Pop-up window for Adobe Flash Player Update

With ransomware continuing to dominate security news in 2017, organizations need to arm themselves with as much knowledge as they can to prevent falling victim to attacks.

Drop It Like It’s Hot

Once dropped onto the victim’s computer, BadRabbit encrypts the host’s files and presents a message with instructions on how to pay the ransom. This message is visually similar to the one displayed by NotPetya.

Fig. 2: Encryption message

You Have to Pay to Play

As is common with most ransomware attacks these days, BadRabbit requests payment in bitcoin, specifically 0.05 BTC (about $285 USD). All the user has to do is get some bitcoin and visit the attacker’s “onion” website on the DarkNet to pay the ransom.

It’s Engineered to Spread Throughout Your Network

BadRabbit is not content with sticking to the original infected host. Instead, it leverages SMB communications to search for other hosts on the network. This means once the ransomware is on your network, it can spread to other devices.

Fig. 3: SMB Access
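The SMB fan-out behaviour described above is detectable from ordinary connection logs: a single workstation opening port 445 to many distinct peers within a short window is a lateral-movement signal worth alerting on. The following is an added example written for this post, not LookingGlass code; the log format and the 60-second / 5-peer thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log: "timestamp src dst dst_port".
# 10.0.0.5 fans out to six SMB peers in three seconds (suspicious);
# 10.0.0.7 talks to a file server normally; 10.0.0.8 is HTTPS only.
SAMPLE_LOG = """\
2017-10-24T10:00:01 10.0.0.5 10.0.0.20 445
2017-10-24T10:00:02 10.0.0.5 10.0.0.21 445
2017-10-24T10:00:02 10.0.0.5 10.0.0.22 445
2017-10-24T10:00:03 10.0.0.5 10.0.0.23 445
2017-10-24T10:00:03 10.0.0.5 10.0.0.24 445
2017-10-24T10:00:04 10.0.0.5 10.0.0.25 445
2017-10-24T10:00:10 10.0.0.7 10.0.0.9 445
2017-10-24T10:00:11 10.0.0.7 10.0.0.9 445
2017-10-24T10:05:00 10.0.0.7 10.0.0.10 445
2017-10-24T10:00:12 10.0.0.8 10.0.0.30 443
"""


def parse_line(line):
    """Parse one constructed log line into (datetime, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout_alerts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct SMB destinations seen within any `window`}
    for every source whose peak reaches `threshold`. Events are sorted first
    so out-of-order log lines do not break the sliding window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside window
    peak = defaultdict(int)
    for ts, src, dst, port in events:
        if port != 445:           # only SMB connections matter here
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # evict events older than window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, peers in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peers} distinct SMB peers within 60s")
```

Tune the window and threshold to the baseline of your own environment; domain controllers and backup servers legitimately reach many SMB peers and should be excluded from the source set.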

How Does Game of Thrones Fit In?

One of the more unusual aspects of BadRabbit is that the malware contains at least three references to dragons from Game of Thrones: Viserion, Drogon, and Rhaegal. The “product name” of the malware is GrayWorm, a character featured in the series. LookingGlass’ threat operations team isn’t reading too much into this aside from the attacker being a fan of the popular series.

Fig. 4: Game of Thrones Reference

Avoiding the Rabbit Hole

Preventing your networks from becoming infected by ransomware starts with cyber safety awareness training for both employees and vendors. Organizations should also consider automated defenses that can identify and immediately block known-bad traffic before it enters your walls.

Some more general mitigation approaches you should take include:

  • Disable pop-up windows in browsers.
  • Update anti-virus signatures.
  • Maintain regular back-ups of data.

Specific to Bad Rabbit, organizations should block the following domains and file hashes:

