Bad Rabbit spreads by drive-by download. Victims are lured to a compromised website that presents a fake Adobe Flash update prompt; that prompt leads to the dropper site hxxp://1dnscontrol[.]com/flash_install.php, where the malware is hosted. The downloaded file, install_flash_update.exe, does not run on its own: the user has to execute it and approve it with administrator privileges. Once a host is infected, the malware can spread to other computers on the same network.
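The two indicators in the paragraph above, the dropper URL and the filename, are the first things to hunt for in web-proxy logs. The following is an added example and not code from the original article or from any vendor's analysis: it refangs the defanged URL, then scans constructed proxy-log lines in an assumed "timestamp client-ip method url status" format and reports which client fetched what. The log lines and IP addresses are made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// BadRabbitIOCs are the indicators given in the text, written defanged
// so they are not clickable.
var BadRabbitIOCs = []string{
	"hxxp://1dnscontrol[.]com/flash_install.php",
	"install_flash_update.exe",
}

// Refang turns defanged notation (hxxp://, [.]) back into the form that
// appears in raw logs, lower-cased so matching is case-insensitive.
func Refang(s string) string {
	r := strings.NewReplacer("hxxps://", "https://", "hxxp://", "http://", "[.]", ".", "[:]", ":")
	return strings.ToLower(r.Replace(s))
}

// Hit records one matching log line.
type Hit struct {
	Line      int    // 1-based line number in the log text
	Client    string // client IP from the log line
	Indicator string // refanged indicator that matched
}

// ScanProxyLog expects one request per line in the assumed format
// "<timestamp> <client-ip> <method> <url> <status>" and returns every
// line whose URL contains one of the indicators.
func ScanProxyLog(logText string, iocs []string) []Hit {
	refanged := make([]string, 0, len(iocs))
	for _, ioc := range iocs {
		refanged = append(refanged, Refang(ioc))
	}
	var hits []Hit
	for n, line := range strings.Split(logText, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 5 {
			continue // blank or malformed line
		}
		url := strings.ToLower(fields[3])
		for _, ioc := range refanged {
			if strings.Contains(url, ioc) {
				hits = append(hits, Hit{Line: n + 1, Client: fields[1], Indicator: ioc})
				break // one hit per line is enough
			}
		}
	}
	return hits
}

// SampleLog is constructed test data, not a real capture. Line 3 assumes the
// dropper serves the executable from the same host; the exact path is invented.
const SampleLog = `2017-10-24T11:02:13Z 10.0.0.12 GET http://www.example.com/news/index.html 200
2017-10-24T11:02:41Z 10.0.0.12 GET http://1dnscontrol.com/flash_install.php 200
2017-10-24T11:02:44Z 10.0.0.12 GET http://1dnscontrol.com/install_flash_update.exe 200
2017-10-24T11:03:02Z 10.0.0.33 GET https://www.example.com/flashplayer/update 200
2017-10-24T11:05:10Z 10.0.0.51 GET HTTP://1DNSCONTROL.COM/flash_install.php 302`

func main() {
	for _, h := range ScanProxyLog(SampleLog, BadRabbitIOCs) {
		fmt.Printf("line %d: client %s matched %s\n", h.Line, h.Client, h.Indicator)
	}
}
```

Matching on the filename as well as the full URL catches the case where the download is served from a path or host other than the one in the indicator list; the benign fourth line, which also mentions Flash, is not reported.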
The encryption module is built on the open-source disk-encryption software DiskCryptor, which the malware uses to lock files. The algorithms involved are AES-128-CBC and RSA-2048. According to researchers at CrowdStrike, Bad Rabbit is based on the Petya/NotPetya ransomware that hit organizations worldwide earlier this year and shares at least 60 percent of its code. This variant, however, does not include the EternalBlue exploit, the leaked NSA tool that NotPetya used. Another curious detail in the code is a set of variables named after the dragons in Game of Thrones.
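The two algorithms named above are normally combined as a hybrid scheme: each file is encrypted with a fresh symmetric AES-128-CBC key, and that key is then wrapped with the attacker's RSA-2048 public key, which is all the malware needs to carry. The article does not describe the exact construction, so the following is an added illustration of the standard scheme, not Bad Rabbit's code and not DiskCryptor's: it shows why the victim can recover nothing without the private key that only the attacker holds, and why offline backups are the only reliable defence once files are locked. Key wrapping with OAEP, PKCS#7 padding and the LockFile/UnlockFile names are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what the scheme leaves on disk for one file: the ciphertext,
// the CBC IV, and the per-file AES key wrapped with the attacker's public key.
type LockedFile struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// GenerateAttackerKey makes the RSA-2048 key pair; in a real campaign only
// the public half is embedded in the malware.
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// pkcs7Pad brings plaintext to a multiple of the AES block size, as CBC requires.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad reverses pkcs7Pad and rejects malformed padding.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// LockFile encrypts plaintext under a random AES-128 key in CBC mode and wraps
// that key with RSA-OAEP. Only the public key is needed on the victim side.
func LockFile(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	key := make([]byte, 16) // a 16-byte key selects AES-128 in aes.NewCipher
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &LockedFile{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// UnlockFile is the recovery step that only the holder of the private key can do.
func UnlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the OAEP check fails, no key is revealed
	}
	if len(lf.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(lf.Ciphertext))
	cipher.NewCBCDecrypter(block, lf.IV).CryptBlocks(pt, lf.Ciphertext)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	attacker, _ := GenerateAttackerKey()
	locked, _ := LockFile(&attacker.PublicKey, []byte("quarterly-report.docx contents"))
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(locked.WrappedKey), len(locked.Ciphertext))
	recovered, _ := UnlockFile(attacker, locked)
	fmt.Printf("recovered: %q\n", recovered)
}
```

The asymmetry is the whole point of the design: the per-file AES key never leaves the victim's machine in the clear, and a forensic image of the disk yields only RSA-wrapped copies of it. The only recovery paths are the attacker's private key, an implementation flaw in the malware's key handling, or a backup that was not reachable from the infected host.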
Many major organizations in Russia and Ukraine have been affected. According to analysts at Kaspersky Lab, the attacks appear to target corporate networks specifically. In Russia, three media organizations have been hit by Bad Rabbit. In Ukraine, key infrastructure such as the Kiev Metro and Odessa International Airport have reported infections. Bad Rabbit has also been detected in South Korea, Turkey, Poland, Japan, Bulgaria, Germany and the United States.
Code aside, several factors make the Bad Rabbit campaign resemble the Petya/NotPetya outbreak. Like its predecessor, this outbreak began mostly in Russia and Ukraine. Organizations previously hit by Petya/NotPetya, such as the Kiev Metro and Odessa International Airport, are being targeted again. While Bad Rabbit has not spread on the scale of WannaCry or NotPetya, it has still infected a wide range of organizations and individuals, and the number of infections is expected to rise in the coming days.