
Bad Rabbit Ransomware (File Encryption + Modifying the MBR)

  • Distribution Method : Drive-by download. Visitors to compromised websites are offered a fake Adobe Flash Player update file, which the user must run for infection to occur.
 
  • MD5 : fbbdc39af1139aebba4da004475e8839
 
  • Major Detection Name : Ransom:Win32/Tibbar.A (Microsoft), Ransom.BadRabbit (Norton)
 
  • Encrypted File Pattern : <Original Filename>.<Original Extension> (the file name and extension are left unchanged, so encrypted files cannot be identified by name alone)
 
  • Malicious File Creation Location :
         - C:\Windows\System32\Tasks\drogon (scheduled task)
         - C:\Windows\System32\Tasks\rhaegal (scheduled task)
         - C:\Windows\System32\viserion_<Number> (scheduled task)
         - C:\Windows\cscc.dat (DiskCryptor driver used for full disk encryption)
         - C:\Windows\dispci.exe (DiskCryptor-based disk encryption and MBR component)
         - C:\Windows\infpub.dat (main malicious DLL, launched via rundll32.exe)
         - C:\Windows\<Random>.tmp
 
  • Payment Instruction File : Readme.txt
 
  • Major Characteristics :
         - Offline encryption (no C2 connection is needed to encrypt files)
         - Belongs to the NotPetya ransomware family
         - File encryption is performed by a DLL (infpub.dat) executed through the legitimate system binary rundll32.exe
         - File encryption + full disk encryption + modification of the MBR
         - Spreads over the network (SMB), using a built-in credential list and credentials harvested from the infected host
         - Collects account credentials using the Mimikatz tool
         - Carries invalid digital signatures purporting to be from "Microsoft Corporation" and "Symantec Corporation"
         - Targets Eastern European countries (primarily Russia and Ukraine)
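Because Bad Rabbit leaves file names untouched, a host sweep has to rely on the dropped files, the scheduled task names and the infpub.dat hash listed above rather than on an extension. The following script is an added example, not AppCheck's code or part of the original profile: it walks a Windows directory for those indicators and also checks a file's trailing bytes for the "encrypted" marker that public analyses report Bad Rabbit appends to encrypted file data (that marker is not stated in the profile itself). The staging tree built by `build_sample_tree` is constructed here so the script runs offline; point `sweep` at a real %SystemRoot% (e.g. a mounted disk image) to use it for real.

```python
"""Host IOC sweep for the Bad Rabbit artifacts listed in the profile above.

Added example, not AppCheck's code. Indicator paths, task names and the
infpub.dat MD5 come from the profile; the sample directory tree is constructed
here purely for demonstration and contains no malware bytes.
"""
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the profile above.
INFPUB_MD5 = "fbbdc39af1139aebba4da004475e8839"
DROPPED_FILES = ["cscc.dat", "dispci.exe", "infpub.dat"]  # relative to %SystemRoot%
TASK_NAMES = {"drogon", "rhaegal"}                           # plus viserion_<number>

# Assumption from public analyses (not in the profile): encrypted files keep
# their name and get this marker appended to the end of their contents.
ENCRYPTED_TRAILER = b"encrypted"


def md5_of(path: Path) -> str:
    """Stream a file through MD5 so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(system_root: Path) -> dict:
    """Return the indicators found under a Windows directory (real or staged)."""
    findings = {"dropped_files": [], "hash_match": False, "tasks": [], "tmp_files": []}

    for name in DROPPED_FILES:
        candidate = system_root / name
        if candidate.is_file():
            findings["dropped_files"].append(name)
            # Only infpub.dat has a hash in the profile; the others are name-only hits.
            if name == "infpub.dat" and md5_of(candidate) == INFPUB_MD5:
                findings["hash_match"] = True

    tasks_dir = system_root / "System32" / "Tasks"
    if tasks_dir.is_dir():
        for entry in tasks_dir.iterdir():
            lowered = entry.name.lower()
            if lowered in TASK_NAMES or (
                lowered.startswith("viserion_") and lowered[len("viserion_"):].isdigit()
            ):
                findings["tasks"].append(entry.name)

    # <Random>.tmp directly under %SystemRoot% is a weak indicator on its own:
    # legitimate installers leave such files too, so treat this as corroboration.
    findings["tmp_files"] = sorted(p.name for p in system_root.glob("*.tmp"))
    return findings


def is_badrabbit_encrypted(path: Path) -> bool:
    """Check the trailing bytes, since the file name gives nothing away."""
    size = path.stat().st_size
    if size < len(ENCRYPTED_TRAILER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(ENCRYPTED_TRAILER))
        return fh.read() == ENCRYPTED_TRAILER


def build_sample_tree() -> Path:
    """Constructed staging directory mimicking the profile's layout (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="badrabbit_demo_"))
    tasks = root / "System32" / "Tasks"
    tasks.mkdir(parents=True)
    for task in ("drogon", "rhaegal", "viserion_23"):
        (tasks / task).write_bytes(b"<Task/>")
    for name in DROPPED_FILES:
        (root / name).write_bytes(b"placeholder")  # harmless stand-in, hash will not match
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"\x00" * 64 + ENCRYPTED_TRAILER)  # "encrypted" file
    (docs / "clean.txt").write_bytes(b"hello")                             # untouched file
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(sweep(demo_root))
    print("report.docx encrypted:", is_badrabbit_encrypted(demo_root / "docs" / "report.docx"))
    print("clean.txt encrypted:", is_badrabbit_encrypted(demo_root / "docs" / "clean.txt"))
```

On a live host, run the sweep against C:\Windows from a clean boot medium or an offline image: once the MBR has been replaced and the disk encrypted, the system will no longer boot normally, and the scheduled task names (drogon, rhaegal, viserion_<number>) are the quickest triage signal before any hash is checked.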
