badrabbit

[Content by Gemini 2.5]

Ransomware Threat Report: BadRabbit (no file extension change; trailing “encrypted” marker)

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: BadRabbit does not rename the files it encrypts and appends no extension; the “.junk” attribution sometimes attached to this family is not supported by analysis of the October 2017 samples. An encrypted /report_Q3.xlsx keeps its name. The only marker is the ASCII string “encrypted” written to the end of the file content, so a directory listing looks normal while every document fails to open.
  • Renaming Convention: No tags, prefixes, or site-IDs are inserted, and the directory tree is left intact. Only files whose extension is on a hard-coded target list (office documents, archives, images, source code, virtual disks and similar) are encrypted in place; the ransom note is written to C:\Readme.txt.
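Because the file name does not change, scoping an incident means looking at file tails rather than extensions. The following PowerShell is an added example, not code from the original report or from any analysis vendor; it assumes the marker is the 9-byte ASCII string “encrypted” as the very last bytes of the file, which should be confirmed against a real sample before the scan is used to decide what gets restored.

```powershell
# Added example (not part of the original report). Flags files that end with
# BadRabbit's trailing marker. Assumption: the marker is the 9-byte ASCII string
# "encrypted" as the last bytes of the file; confirm against a real sample before
# relying on it for scoping.
function Test-BadRabbitMarker {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $marker = [System.Text.Encoding]::ASCII.GetBytes('encrypted')
    try {
        # Open read-only with a permissive share mode so the scan does not block other processes.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        Write-Verbose "Skipping ${Path}: $($_.Exception.Message)"
        return $false
    }
    try {
        if ($fs.Length -lt $marker.Length) { return $false }
        $null = $fs.Seek(-1 * $marker.Length, 'End')
        $tail = New-Object byte[] $marker.Length
        if ($fs.Read($tail, 0, $marker.Length) -ne $marker.Length) { return $false }
        for ($i = 0; $i -lt $marker.Length; $i++) {
            if ($tail[$i] -ne $marker[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Dispose()
    }
}

function Find-BadRabbitFiles {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-BadRabbitMarker -Path $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed demo data (not real victim files): one clean file, one carrying the marker.
$demo = Join-Path $env:TEMP ('badrabbit-demo-' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $demo
$body = [byte[]](1..64)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'clean.xlsx'), $body)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'hit.xlsx'),
    [byte[]]($body + [System.Text.Encoding]::ASCII.GetBytes('encrypted')))
Find-BadRabbitFiles -Root $demo | Format-Table -AutoSize   # lists hit.xlsx only
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point Find-BadRabbitFiles at a file server root to get a list of affected paths with their last-write time; those timestamps, not the file names, give the encryption window for the timeline.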

2. Detection & Outbreak Timeline

  • Approximate Period: 24 October 2017. The first infections were reported around midday Moscow time, and the bulk of the victims were in Russia (Interfax and other media outlets) and Ukraine (Odessa airport, Kiev Metro), with smaller numbers in Turkey, Germany and a handful of other countries. The outbreak was short-lived: the compromised sites and the drive-by distribution infrastructure went offline within hours, and no sustained second wave followed. Note that a host that was seeded but had not yet reached its scheduled reboot still encrypts its disk later, so isolated machines must be checked rather than assumed clean.

3. Primary Attack Vectors

  • Drive-By Downloads via Fake Flash Updates
    Visitors to legitimate but compromised websites (mostly Russian and Ukrainian news sites) were redirected by injected JavaScript to a page claiming a Flash Player update was required. The download was a fake installer, install_flash_player.exe, which the victim had to run manually and approve through UAC; there was no browser exploit, only social engineering. The binary is not signed by Adobe. The dropper writes the main payload to C:\Windows\infpub.dat and launches it through rundll32.exe (infpub.dat,#1).
  • EternalRomance / SMB Exploit (CVE-2017-0145, fixed by MS17-010)
    Once running, infpub.dat enumerates hosts on the local network, probes TCP 445 and attempts a modified EternalRomance exploit against unpatched SMBv1 servers. Unlike WannaCry it does not use EternalBlue (CVE-2017-0144) and does not deploy the DoublePulsar backdoor.
  • Mimikatz + WMIC / Remote Execution + Scheduled Tasks
    infpub.dat drops an embedded Mimikatz variant to C:\Windows\<random>.tmp and harvests credentials from LSASS. Those credentials, plus the current user's, are used to copy infpub.dat to the admin$ share of other hosts and execute it there (WMIC process creation and remote service installation). On each host it registers two scheduled tasks: rhaegal, which runs C:\Windows\dispci.exe at boot, and drogon, which forces the reboot (shutdown /r /t 0 /f); a third task named viserion_<n> has been reported in some samples.
  • Hard-Coded Credential List
    Where the exploit fails, infpub.dat tries a built-in list of common usernames (Administrator, Admin, Guest, User, root, ftp, rdp, backup and similar) against a list of common passwords (password, 123456, 12345678, qwerty, Admin123 and similar) over SMB. This is a short dictionary rather than a brute-force, and it succeeds mostly against lab, test and appliance accounts that were never hardened.

Remediation & Recovery Strategies:

1. Prevention

  • Block or restrict inbound SMB (TCP 445, 139) at the perimeter and between workstation VLANs; disable SMBv1 outright (Set-SmbServerConfiguration -EnableSMB1Protocol $false on Windows 8 / Server 2012 and later).
  • Deploy MS17-010 (March 2017), which closes EternalRomance (CVE-2017-0145) along with EternalBlue and the rest of the SMBv1 flaws leaked with the NSA tooling.
  • Deploy application control (AppLocker / Windows Defender Application Control). The payload runs as rundll32.exe loading C:\Windows\infpub.dat, and the disk stage installs the driver C:\Windows\cscc.dat and client C:\Windows\dispci.exe; deny execution of unsigned binaries from the Downloads folder and %TEMP%, restrict rundll32.exe to loading Microsoft-signed DLLs, and block non-Microsoft kernel drivers where WDAC policy allows.
  • Web filtering, not e-mail filtering: the lure was a browser-delivered fake Flash installer. Block executable downloads from uncategorised sites and tell users that Adobe updates never arrive as a pop-up on a news site.
  • Vaccine: creating C:\Windows\infpub.dat and C:\Windows\cscc.dat as read-only files with an empty DACL (reported by Cybereason on the day of the outbreak) prevents the dropper from staging its payload on that host.
  • Least-Privilege + tiered admin model: Mimikatz only harvests what is cached on the host. Keep domain admins off workstations, enable LSA protection (RunAsPPL) and Credential Guard where supported, and make sure no local admin password is shared across machines.
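The vaccine bullet above is easy to get subtly wrong (a file that is merely read-only is not enough; the dropper runs elevated). The following PowerShell is an added example, not code from the original report or from Cybereason, and implements the publicly described vaccine plus a verification step. It assumes the documented payload paths under %WINDIR% and must run from an elevated session; revert by taking ownership (takeown / icacls) and deleting the two files.

```powershell
# Added example (not part of the original report): apply and verify the BadRabbit
# "vaccine" described publicly during the outbreak. Pre-creates the two payload paths
# as empty, read-only files with an empty DACL so the dropper cannot write its copies.
# Assumes the documented file names under %WINDIR%. Run from an elevated session.
$vaccineFiles = @(
    (Join-Path $env:windir 'infpub.dat'),
    (Join-Path $env:windir 'cscc.dat')
)

function Install-BadRabbitVaccine {
    foreach ($path in $vaccineFiles) {
        if (Test-Path -LiteralPath $path) {
            # A non-empty file at this path is not the vaccine: it may be the real payload.
            if ((Get-Item -LiteralPath $path -Force).Length -gt 0) {
                throw "$path already exists and is not empty; treat the host as possibly infected"
            }
            Write-Verbose "$path already present"
            continue
        }
        $null = New-Item -ItemType File -Path $path -Force
        (Get-Item -LiteralPath $path -Force).IsReadOnly = $true
        # /inheritance:r strips the inherited ACEs. With no explicit ACEs left, the DACL is
        # empty, which Windows treats as "no access for anyone" (a NULL DACL would mean
        # everyone has full control, which is the opposite of what we want).
        & icacls.exe $path /inheritance:r | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
    }
}

function Test-BadRabbitVaccine {
    $ok = $true
    foreach ($path in $vaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path missing"; $ok = $false; continue }
        $item = Get-Item -LiteralPath $path -Force
        if ($item.Length -ne 0) { Write-Warning "$path is not empty"; $ok = $false }
        if (-not $item.IsReadOnly) { Write-Warning "$path is not read-only"; $ok = $false }
        # The owner keeps READ_CONTROL implicitly, so Get-Acl still works on an empty DACL.
        $acl = Get-Acl -LiteralPath $path
        if ($acl.Access.Count -ne 0) { Write-Warning "$path still has ACEs"; $ok = $false }
    }
    return $ok
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine   # $true when both files are empty, read-only and have no ACEs
```

Test-BadRabbitVaccine is the part worth keeping in a configuration baseline: a file that exists but has regained inherited permissions (for example after a permissions reset by a deployment tool) silently loses its protective effect.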

2. Removal (Step-by-Step)

  1. Network Isolation – Disconnect the affected host(s) from LAN/Wi-Fi to stop SMB/WMIC spreading, and do not reboot yet. Disk encryption is staged through the scheduled reboot (task drogon) and the boot-time run of dispci.exe (task rhaegal); a host caught before that reboot still has an intact disk.
  2. Stop the running components: rundll32.exe instances loading C:\Windows\infpub.dat, dispci.exe, and the dropped Mimikatz variant (C:\Windows\<random>.tmp). cscc.dat is a kernel driver (renamed DiskCryptor dcrypt.sys) registered as the service cscc; stop and delete that service.
  3. Delete persistence:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cscc (the driver service)
  • Scheduled Tasks: rhaegal and drogon (and viserion_<n> where present)
  • C:\Windows\infpub.dat, C:\Windows\cscc.dat, C:\Windows\dispci.exe and C:\Readme.txt, after copying them to evidence storage
  4. Boot-clean from offline media (Linux live distro or Windows PE) and reimage the system partition. If the DiskCryptor bootloader was already installed, the disk has to be repartitioned or restored from a full image; an AV scan of a half-encrypted volume achieves nothing.
  5. Restore logging. BadRabbit does not disable the Event Log service; it clears the Setup, System, Security and Application logs with wevtutil cl and deletes the NTFS USN journal (fsutil usn deletejournal). Expect Security Event ID 1102 and System Event ID 104 as the clearing trail, and rebuild the timeline from forwarded/SIEM copies of the logs rather than the local ones.
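The five steps above are usually run against many hosts at once, so the checks should be scripted. The following PowerShell is an added example, not code from the original report; it triages a single host for the artefacts named in the steps and, when explicitly called, removes them in the order that matters. It assumes the documented names (C:\Windows\infpub.dat, cscc.dat, dispci.exe, C:\Readme.txt, service cscc, tasks rhaegal and drogon) and matches the viserion_<n> task name opportunistically; run it elevated.

```powershell
# Added example (not part of the original report): triage a host for the artefacts
# listed in the removal steps and, via Remove-BadRabbitArtifacts, take them out in the
# order that matters (processes and tasks first, then the driver service, then files,
# all before any reboot). Assumes the documented names; the "viserion_<n>" task name
# reported in some samples is matched opportunistically. Run from an elevated session.
$script:BadRabbitFiles = @('infpub.dat', 'cscc.dat', 'dispci.exe') | ForEach-Object { Join-Path $env:windir $_ }
$script:BadRabbitFiles += 'C:\Readme.txt'
$script:BadRabbitServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\cscc'

function Get-BadRabbitProcesses {
    Get-CimInstance Win32_Process | Where-Object {
        $_.Name -ieq 'dispci.exe' -or ($_.CommandLine -and $_.CommandLine -match 'infpub\.dat')
    }
}

function Get-BadRabbitTasks {
    # /NH suppresses the per-folder header lines schtasks repeats in CSV mode.
    & schtasks.exe /Query /FO CSV /NH 2>$null |
        ConvertFrom-Csv -Header TaskName, NextRun, Status |
        Where-Object { $_.TaskName -match '^\\(rhaegal|drogon|viserion_\d+)$' }
}

function Get-BadRabbitArtifacts {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Type, $Name, $Detail) {
        $hits.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
    }
    foreach ($p in $script:BadRabbitFiles) {
        # A 0-byte infpub.dat / cscc.dat is the vaccine, not the payload; Length tells them apart.
        if (Test-Path -LiteralPath $p) { Add-Hit 'File' $p (Get-Item -LiteralPath $p -Force).Length }
    }
    # The embedded Mimikatz variant is written to C:\Windows\<random>.tmp
    Get-ChildItem -LiteralPath $env:windir -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'File' $_.FullName $_.Length }
    if (Test-Path $script:BadRabbitServiceKey) {
        Add-Hit 'Service' 'cscc' (Get-ItemProperty $script:BadRabbitServiceKey).ImagePath
    }
    Get-BadRabbitTasks | ForEach-Object { Add-Hit 'Task' $_.TaskName $_.Status }
    Get-BadRabbitProcesses | ForEach-Object { Add-Hit 'Process' "$($_.Name) (PID $($_.ProcessId))" $_.CommandLine }
    # Log-clearing trail: Security 1102 (audit log cleared), System 104 (another log cleared)
    foreach ($q in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
        $ev = Get-WinEvent -FilterHashtable $q -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { Add-Hit 'LogCleared' $q.LogName $ev.TimeCreated }
    }
    return $hits
}

function Remove-BadRabbitArtifacts {
    Get-BadRabbitProcesses | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    Get-BadRabbitTasks | ForEach-Object { & schtasks.exe /Delete /TN $_.TaskName /F | Out-Null }
    if (Test-Path $script:BadRabbitServiceKey) {
        & sc.exe stop cscc | Out-Null     # fails if the driver is loaded; delete still marks it for removal
        & sc.exe delete cscc | Out-Null
    }
    foreach ($p in $script:BadRabbitFiles) {
        # Leave 0-byte files alone: they are the vaccine.
        if ((Test-Path -LiteralPath $p) -and (Get-Item -LiteralPath $p -Force).Length -gt 0) {
            Remove-Item -LiteralPath $p -Force -ErrorAction Continue
        }
    }
}

Get-BadRabbitArtifacts | Format-Table -AutoSize
# Copy the listed files (especially the .tmp credential dumper) to evidence storage first, then:
# Remove-BadRabbitArtifacts
```

A loaded cscc.dat driver file may refuse deletion until the host is rebooted; since the rhaegal/drogon tasks and the service entry are gone by then, that reboot no longer triggers the disk stage, but it should still happen from offline media so the boot sector can be inspected.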

3. File Decryption & Recovery

  • Current Feasibility: Files encrypted by BadRabbit are NOT decryptable without the attacker's private key. The file stage uses AES-128-CBC with a per-victim key that is encrypted under an RSA-2048 public key embedded in the sample; the disk stage (DiskCryptor) uses a generated password that is shown to the victim only in RSA-encrypted form. The matching private key never left the attackers.
  • Decryptor Availability: No public decryption tool exists. Kaspersky's follow-up analysis did find two implementation weaknesses: the disk-encryption password is not wiped from the memory of dispci.exe, so it can in principle be recovered from a memory image taken before that process exits and before the reboot, and the malware does not delete Volume Shadow Copies. Neither helps once the disk stage has completed.
  • Recovery Pathways:
  • Offline backups: Any backup not reachable over SMB (445/139) with the harvested credentials at the time of attack remains clean; offline or immutable copies are the only reliable path.
  • Volume Shadow Copies: because BadRabbit does not run vssadmin delete shadows, VSC may survive on hosts where the disk stage did not run. Check with vssadmin list shadows and restore with ShadowExplorer or the Previous Versions tab before rebooting.
  • File-recovery tools (Microsoft's Windows File Recovery, winfr, or generic carving tools) are of little use: BadRabbit overwrites each file in place and appends its marker, so there is no deleted plaintext copy to carve.

4. Other Critical Information

  • DiskCryptor Components
    BadRabbit bundles the open-source DiskCryptor project for full-disk encryption. cscc.dat is the legitimately signed dcrypt.sys driver under a new name, loaded through the cscc service (display name "Windows Client Side Caching DDriver"); dispci.exe is the DiskCryptor client modified to install a custom bootloader and encrypt the disk after the forced reboot. The boot-time ransom screen is the visible result.
  • No Kill-Switch Domain, but a Vaccine
    Unlike WannaCry, BadRabbit has no kill-switch domain, and there is no C2 beacon to sinkhole; payment went through a Tor hidden service. What did work on day one was the local vaccine: create C:\Windows\infpub.dat and C:\Windows\cscc.dat as read-only files with all permissions removed, and the dropper cannot stage its payload.
  • Impact on Transport and Media Victims
    Odessa airport, the Kiev Metro and Interfax were among the confirmed victims on 24 October 2017. No ICS/SCADA-specific logic has been identified in the samples; these were ordinary Windows workstation infections that happened to sit in operational environments.
  • Logging for Forensics
    BadRabbit writes no diagnostics file. Reconstruct lateral movement from the artefacts it leaves: process-creation records (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) showing rundll32.exe loading C:\Windows\infpub.dat,#1, wmic.exe /node: invocations and remote service installs (System Event ID 7045) on the next hop, the rhaegal/drogon task creations, the cscc service registration, and the log-clearing events (Security 1102, System 104) that mark the end of each host's local trail.

Bottom line: BadRabbit has not propagated since its single-day outbreak in October 2017, but if you inherit a legacy endpoint or an unpatched SMBv1 island in an industrial network, the same mechanics still apply. MS17-010, SMBv1 disabled, no cached admin credentials on workstations and the vaccine files are all still effective; there is no magic decryptor, so plan recovery around offline, immutable backups.