SonicWall Capture Labs Threat Research team became aware of and analyzed the BadRabbit ransomware, which is actively spreading.
Upon execution, this malware drops a malicious file at the following location:
- c:\Windows\infpub.dat [1d724f95c61f1055f0d02c2154bbccd3 - detected as BadRabbit.CM ( Trojan )]
The malware then executes this file with rundll32, as shown above.
infpub.dat contains a list of hard-coded Windows credentials, most likely used to brute-force logons and gain entry to other machines.
The malware then proceeds to encrypt files on the system with the following extensions:
This is followed by a system reboot; once the system is back online, the ransom screen is displayed:
SonicWall Capture Labs continues to analyze this threat and will update this blog with the latest findings.
SonicWall Capture Labs detects this threat via the following signatures:
- 1d724f95c61f1055f0d02c2154bbccd3 - GAV: BadRabbit.CM (Trojan)
- b14d8faf7f0cbcfad051cefe5f39645f - GAV: BadRabbit.RSM (Trojan)
- fbbdc39af1139aebba4da004475e8839 - GAV: BadRabbit.DS (Trojan)
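The two observations above that a defender can act on directly are the dropped file being launched through rundll32 and the three MD5 hashes listed as signatures. The following script is an added example written for this post, not SonicWall's tooling or the Capture Labs detection engine: it sweeps a directory for files whose MD5 matches the hashes quoted here, and it scans process-creation log lines for rundll32 being launched with infpub.dat on its command line. The log record format and the sample lines are constructed and simplified, and the exact rundll32 arguments BadRabbit uses are not stated on this page, so only the DLL name is matched.

```python
"""Added example (not SonicWall's code): two defender-side checks built from
the indicators in this advisory.

1. hash_sweep(): MD5 every regular file under a directory and report any whose
   digest appears in the advisory's IoC list.
2. scan_process_logs(): flag process-creation records where rundll32 is
   launched with infpub.dat on its command line. The record layout below is
   constructed and simplified; the real rundll32 arguments are an assumption.
"""
import hashlib
import os
import re
from pathlib import Path
from typing import Iterable

# MD5 hashes quoted in the advisory, mapped to the GAV signature names given there.
BADRABBIT_MD5 = {
    "1d724f95c61f1055f0d02c2154bbccd3": "BadRabbit.CM (Trojan)",
    "b14d8faf7f0cbcfad051cefe5f39645f": "BadRabbit.RSM (Trojan)",
    "fbbdc39af1139aebba4da004475e8839": "BadRabbit.DS (Trojan)",
}


def md5_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 so large files never have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_sweep(root: str, iocs: dict = BADRABBIT_MD5) -> list:
    """Return (path, signature) for each file under root whose MD5 is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = md5_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in iocs:
                hits.append((str(p), iocs[digest]))
    return hits


# rundll32 (with or without .exe, any case) followed somewhere by infpub.dat.
# Only the DLL name is matched because the export/argument syntax is an assumption.
_RUNDLL32_INFPUB = re.compile(r"rundll32(?:\.exe)?\b.*\binfpub\.dat\b", re.IGNORECASE)


def scan_process_logs(lines: Iterable[str]) -> list:
    """Return the records where rundll32 is launched with infpub.dat on its command line."""
    return [ln for ln in lines if _RUNDLL32_INFPUB.search(ln)]


# Constructed, simplified process-creation records (not real telemetry).
SAMPLE_LOG = [
    "2017-10-24T14:02:11Z host=WS01 image=C:\\Windows\\System32\\rundll32.exe "
    "cmd=\"rundll32.exe C:\\Windows\\infpub.dat,#1\"",
    "2017-10-24T14:02:12Z host=WS01 image=C:\\Windows\\System32\\rundll32.exe "
    "cmd=\"rundll32.exe shell32.dll,Control_RunDLL\"",
    "2017-10-24T14:02:13Z host=WS01 image=C:\\Windows\\explorer.exe cmd=\"explorer.exe\"",
]

if __name__ == "__main__":
    for rec in scan_process_logs(SAMPLE_LOG):
        print("suspicious rundll32 launch:", rec)
    # Sweep the Windows directory on Windows (where infpub.dat is dropped), else cwd.
    for path, sig in hash_sweep(r"C:\Windows" if os.name == "nt" else "."):
        print(f"IoC match: {path} -> {sig}")
```

The hash sweep is a point-in-time check and only catches the exact samples listed here; the rundll32 rule is the more durable of the two because it keys on behaviour (a DLL in C:\Windows launched by rundll32) rather than on a specific build of the payload.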