What is Bad Rabbit? Understanding the 2017 ransomware attack

Ray Fernandez

Aug 4, 20235 min read

What is Bad Rabbit? Understanding the 2017 ransomware attack (Header image)

The first ransomware attack was registered in 1989. Back then, attackers encrypted files and held them hostage in exchange for payment that had to be mailed to a P.O. box. It was not until late 2010 — with the emergence of cryptocurrencies — that ransomware attacks became mainstream. By 2017, ransomware had surged. And one of the most infamous ransomware attacks of that year was the Bad Rabbit ransomware.

What happened during the Bad Rabbit attack in 2017?

Bad Rabbit first appeared on October 24, 2017. The attack was widespread, affecting Europe, Turkey, Germany, the United States, and Japan. However, the most affected countries were Russia and Ukraine. Bad Rabbit infected Russian media organizations and critical infrastructure and transportation systems in Ukraine within hours.  

Bad Rabbit spread like wildfire, affecting over 200 organizations. The malware arose just months after two major international attacks, Petya and Wannacry. The Cybersecurity and Infrastructure Security Agency (CISA) warned that Bad Rabbit contained malware code of Petya, which had disrupted several sectors, including finance, transportation, energy, commercial facilities, and healthcare.

Understanding Bad Rabbit malware

Ransom:Win32/Tibbar.A, popularly known as Bad Rabbit, appears as a fake Adobe Flash Player update and is coded to reboot your computer and encrypt your files.

The approach it uses — tricking users by mimicking official-looking organizations — is known as social engineering. Stone Fly explains that Bad Rabbit shares 67% of the code of the Petya/NotPetya ransomware.

What type of malware is Bad Rabbit?

Bad Rabbit is ransomware. Like all ransomware, it breaches a computer through social engineering or by finding vulnerabilities. Its main goal is to encrypt files and demand a ransom in exchange for their restoration.

This malware is also considered a trojan, meaning it looks legitimate but is designed to take control of your computer. A trojan can open backdoors, spread through networks, encrypt files, download additional malware, and do much more. This can disrupt data, steal data, or damage your computer or network.

What does Bad Rabbit do?

The Bad Rabbit ransomware trojan is designed to breach your system, encrypt your files, and block you from using the computer. In 2017, the ransom set by Bad Rabbit attackers was 0.05 Bitcoins, which was about $290. That would amount to about $1,070 today.

The malware uses a technique called a watering hole attack, in which cybercriminals target a group of users, organizations, or companies by infecting websites that members of the group visit. When a user visits an infected website, the Bad Rabbit malware automatically launches, presenting itself as a pop-up window simulating a notice to update Adobe Flash. 

If the user executes the request, Bad Rabbit finds its way into the system. Once inside, it begins encrypting files and forces a reboot of the computer. Once the computer reboots, the ransomware displays a message on the screen and does not allow you to use it or access your data. The message demands payment in exchange for the decryption password. The Bad Rabbit message reads:

“Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don’t waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.”

The trojan ransomware is also crafty when it comes to spreading. It can collect passwords and force its way through systems using simple username and password combinations. 

Who created Bad Rabbit?

To date, no one knows for sure who created Bad Rabbit. However, due to the similarities it shares in its coding with the Petya attack, several experts suggest that the source of the ransomware malware could be the same. 

Some reports claim that Janus Cybercrime Solutions, supposedly a group based in Russia, was behind the Petya malware. However, other reports assure that the Janus group only sold a similar code that was modified to launch the attack. 

Tom’s Guide reports that Russian hackers are behind the Petyattack and that the goal was never economic profit but to disrupt the Ukrainian economy.

How does Bad Rabbit spread?

When users execute the malware, it goes into the System Root folder and runs an auto-executable file. Then the malware launches DiskCryptor and begins encrypting the registry of a system. It also creates scheduled tasks to run the encryption program upon every start or reboot of the computer. To encrypt, it searches each drive or disc and encrypts files, creating new extensions such as .3ds, .7z, .accdb, .p12, .rar, .vmtm, ..xlsx, .zip, and many others. 

Besides spreading through infected sites by simulating an Adobe Flash update request, Bad Rabbit can also infect other computers linked to a network. To spread through the network, it uses a hardcoded set of usernames and passwords and forces its way through. 

What to do if you fall victim to Bad Rabbit

Bad Rabbit is only able to breach and encrypt a Windows OS. However, macOS users who use Boot Camp to run Windows on their Mac can fall victim to the trojan ransomware. 

You may not realize that you are infected with ransomware until it is too late. However, if you are being targeted by a ransomware attacker, you might notice some signs. For example, if you are being redirected to strange websites, see unwanted pop-ups and suspicious update requests, or receive messages from unknown sources.  

If Bad Rabbit has infected your computer, here’s what you can do:

  • Before the code forces a reboot, shut your computer down and run an offline scan with trusted anti-malware. 
  • Never pay a ransom. Payment does not guarantee you will recover your files.
  • Always back up your files and systems. You can always reboot your computer to factory settings and restore everything.

To protect your Mac from malware, including various ransomware, consider using an anti-malware tool like CleanMyMac X, powered by Moonlock Engine. It has real-time protection, as well as anti-malware scanning and removal functions. It will keep your Mac and personal files safe.

The Malware Removal module in CleanMyMac X, powered by Moonlock Engine

Bad Rabbit taught the cybersecurity community that ransomware will continue to evolve and that users must constantly update their security systems and be vigilant to keep their files safe. Having a reliable anti-malware tool will help you identify ransomware before it executes, isolate it, and quarantine the malicious code to remove or detonate it. And to stay aware of other notorious malware threats, take a look at this overview of the NanoCore RAT we published earlier.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.