An attack by the extortionist Badrabbit: Details and Method of Protection

As previously reported «Kaspersky laboratory», The attack is aimed primarily at corporate networks. For decoding files, attackers require 0.05 bitcoin, which at the modern rate is about $ 280, or about 16 thousand. rubles.

According to the ESET viral laboratory, Badrabbit’s attacks (Diskcoder.D) were subjected to media, transport companies and state institutions. «ESET telemetry system currently fixes hundreds of Diskcoder attacks.D. Most of ESET antivirus products fall on Russia and Ukraine, Turkey, Bulgaria and some other countries are also affected», — The message says.

«Kaspersky laboratory» I have already suggested that the Badrabbit attack may be associated with Expetr cybercard (aka Petya or NotPetya). Now this information is confirmed by Group-IB experts. In particular, it was found that Badrabbit is a modified version of notpetya with fixed errors in the encryption algorithm. Badrabbit code includes parts completely repeating notpetya.

Group-IB experts found that the malicious program was distributed using web traffic from hacking Internet resources. On such sites, a JavaScript-Injected, which demonstrated to visitors, a fake window, offering to install the update of the Adobe Flash player, was uploaded to the HTML code. In case of consent, there was a download and launch of a malicious file.

Badrabbit has a distribution module using the SMB protocol. It was also established that the attack uses the Mimikatz program, which intercepts login and passwords on the infected machine.

To protect against Badrabbit, experts recommend creating a C: \ Windows \ Infpub file.DAT and set the attribute for it «only for reading». After that, even in case of infection, the files will not be encrypted. Of course, it is impossible to neglect antivirus agents and update the operating system, as well as security tools.

Some additional details about the Badrabbit cybercard can be found here.


  • Group-Ib
  • Kaspersky laboratory

Leave a Reply

Your email address will not be published. Required fields are marked *