
S0606 Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [2][1][3]

ID: S0606
Associated Names: (none)
Version: 1.0
Created: 09 February 2021
Last Modified: 12 October 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1548 | Abuse Elevation Control Mechanism | -
enterprise | T1548.002 | Bypass User Account Control | Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges. [2]
enterprise | T1110 | Brute Force | -
enterprise | T1110.003 | Password Spraying | Bad Rabbit's infpub.dat file uses NTLM login credentials to brute-force Windows machines. [2]
enterprise | T1486 | Data Encrypted for Impact | Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048. [2]
enterprise | T1189 | Drive-by Compromise | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file. [1][2]
enterprise | T1210 | Exploitation of Remote Services | Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks. [2]
enterprise | T1495 | Firmware Corruption | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up. [2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe. [1][2]
enterprise | T1106 | Native API | Bad Rabbit has used various Windows API calls. [1]
enterprise | T1135 | Network Share Discovery | Bad Rabbit enumerates open SMB shares on internal victim networks. [1]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine. [1]
enterprise | T1057 | Process Discovery | Bad Rabbit can enumerate all running processes to compare hashes. [2]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Bad Rabbit's infpub.dat file creates a scheduled task to launch a malicious executable. [2]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.011 | Rundll32 | Bad Rabbit has used rundll32 to launch a malicious DLL as C:\Windows\infpub.dat. [2]
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | Bad Rabbit drops a file named infpub.dat into the Windows directory, where it is executed through the Service Control Manager (SCManager) and rundll32.exe.
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Bad Rabbit has been executed through user installation of an executable disguised as a Flash installer. [1][2]
ics | T0817 | Drive-by Compromise | Bad Rabbit ransomware spreads through drive-by attacks in which insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. [5]
ics | T0866 | Exploitation of Remote Services | Bad Rabbit initially infected IT networks, but spread to industrial networks by means of an exploit for the SMBv1 MS17-010 vulnerability. [4]
ics | T0867 | Lateral Tool Transfer | Bad Rabbit can move laterally through industrial networks by means of the SMB service. [4]
ics | T0828 | Loss of Productivity and Revenue | Several transportation organizations in Ukraine have been infected by Bad Rabbit, resulting in some computers being encrypted, according to media reports. [6]
ics | T0863 | User Execution | Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened, it starts locking the infected computer. [5]
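The execution chain in the rows above (a fake Flash Player installer, rundll32 loading C:\Windows\infpub.dat, and a scheduled task created from that DLL) is easier to hunt for as one process lineage than as three independent rules. The Python below is an added detection sketch, not MITRE's or any vendor's code: it runs three per-event rules over constructed Sysmon-style process-creation records and then correlates the hits along the parent/child chain. Field names, PIDs, paths, the browser parent, the ",#1" export argument to rundll32 and the task name and target are assumptions; only the file names and the rundll32/schtasks relationship come from the page.

```python
import ntpath
import re

# Constructed sample telemetry in a Sysmon Event ID 1 (process creation) shape.
# Not real captures: pids, paths, the browser parent, the ",#1" export argument and
# the scheduled task name/target are assumptions consistent with the rows above.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3200, "image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "cmdline": r'"C:\Users\alice\Downloads\install_flash_player.exe"',
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1",
     "parent_image": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    {"pid": 4250, "ppid": 4188, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC ONCE /TN example_task /RU SYSTEM /TR "C:\Windows\payload.exe"',
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
    # Benign control: rundll32 loading a real DLL from System32 under explorer.
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Extensions rundll32 loads legitimately (assumption; tune to your environment).
RUNDLL32_OK_EXT = {".dll", ".cpl", ".ocx", ".ax"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def split_first_token(cmdline):
    """Split a Windows command line into (first token, remainder), honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        tok, _, rest = s[1:].partition('"')
    else:
        tok, _, rest = s.partition(" ")
    return tok, rest.strip()


def rundll32_module(cmdline):
    """Return the module rundll32 was asked to load ('<module>,<entry> [args]'), or None."""
    exe, rest = split_first_token(cmdline)
    if base(exe) != "rundll32.exe" or not rest:
        return None
    if rest.startswith('"'):
        module, _ = split_first_token(rest)
    else:
        module = re.split(r"[,\s]", rest, maxsplit=1)[0]
    return module


def check_event(ev):
    """Per-event rules; returns a list of (technique, reason) findings."""
    findings = []
    img, parent = base(ev["image"]), base(ev["parent_image"])
    if img == "rundll32.exe":
        mod = rundll32_module(ev["cmdline"])
        if mod and ntpath.splitext(mod)[1].lower() not in RUNDLL32_OK_EXT:
            findings.append(("T1218.011", f"rundll32 loading non-DLL module {mod}"))
    if img == "schtasks.exe" and "/create" in ev["cmdline"].lower() and parent == "rundll32.exe":
        findings.append(("T1053.005", "schtasks /Create spawned by rundll32"))
    if re.fullmatch(r"install_flash_player.*\.exe", img) and parent in BROWSERS:
        findings.append(("T1036.005", f"Flash-installer-named binary {ev['image']} launched from a browser"))
    return findings


def detect(events):
    """Return {pid: findings} for every event that fires at least one rule."""
    return {e["pid"]: f for e in events if (f := check_event(e))}


def bad_rabbit_chain(events):
    """True when one lineage shows installer -> rundll32 (non-DLL module) -> schtasks /Create.
    The chained techniques are a far stronger signal than any single rule above."""
    hits = detect(events)
    by_pid = {e["pid"]: e for e in events}

    def has(pid, tech):
        return any(t == tech for t, _ in hits.get(pid, []))

    for pid in hits:
        if not has(pid, "T1053.005"):
            continue
        rundll = by_pid[pid]["ppid"]
        installer = by_pid.get(rundll, {}).get("ppid")
        if has(rundll, "T1218.011") and has(installer, "T1036.005"):
            return True
    return False


if __name__ == "__main__":
    for pid, findings in detect(SAMPLE_EVENTS).items():
        for tech, why in findings:
            print(pid, tech, why)
    print("Bad Rabbit-style chain present:", bad_rabbit_chain(SAMPLE_EVENTS))
```

The per-event rules are deliberately loose (a Flash-installer name under a browser, or rundll32 loading a .dat, each occur benignly on their own); the chain check is what turns them into an alert worth paging on. Feed it real Sysmon or EDR process-creation events with the same four fields and it needs no other changes.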
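The brute-force and share-enumeration rows (T1110.003, T1135, T0867) describe the same lateral movement from the attacker's side; on a targeted host it shows up as a burst of failed NTLM network logons from one source across many different accounts, sometimes followed by a success. The Python below is an added example, not MITRE's or any vendor's code, that runs that check over constructed records shaped like Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon). The timestamps, addresses, account names, the 5-minute window and the 5-account threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, src, user, auth="NTLM", logon_type=3):
    """Build one constructed logon record (fields modelled on Security 4624/4625)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id, "src": src,
            "user": user.lower(), "auth": auth, "logon_type": logon_type}


# Constructed sample log, not real captures. 10.0.0.5 sprays five accounts over
# NTLM network logons (type 3) and then lands on a sixth; the others are controls.
SAMPLE_LOGONS = [
    ev("2017-10-24T13:00:01", 4625, "10.0.0.5", "guest"),
    ev("2017-10-24T13:00:02", 4625, "10.0.0.5", "user"),
    ev("2017-10-24T13:00:02", 4625, "10.0.0.5", "operator"),
    ev("2017-10-24T13:00:03", 4625, "10.0.0.5", "backup"),
    ev("2017-10-24T13:00:04", 4625, "10.0.0.5", "ftpadmin"),
    ev("2017-10-24T13:00:05", 4624, "10.0.0.5", "administrator"),
    # Benign control: one user mistypes a password twice, then succeeds.
    ev("2017-10-24T13:10:00", 4625, "10.0.0.9", "alice"),
    ev("2017-10-24T13:10:30", 4625, "10.0.0.9", "alice"),
    ev("2017-10-24T13:11:00", 4624, "10.0.0.9", "alice"),
    # Kerberos logons are outside this rule's scope.
    ev("2017-10-24T13:12:00", 4624, "10.0.0.7", "bob", auth="Kerberos"),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: {"accounts": set, "success": [users]}} for every source that failed
    NTLM network logons against at least min_accounts distinct accounts inside one window.
    "success" lists NTLM logons from that source inside the same window (a spray that landed)."""
    alerts = {}
    by_src = defaultdict(list)
    for e in events:
        # Only NTLM over the network; interactive and Kerberos logons do not fit the pattern.
        if e["auth"] == "NTLM" and e["logon_type"] == 3:
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            if start["event_id"] != 4625:
                continue
            fails, successes = set(), []
            for e in evs[i:]:  # sliding window anchored on each failure
                if e["time"] - start["time"] > window:
                    break
                if e["event_id"] == 4625:
                    fails.add(e["user"])
                elif e["event_id"] == 4624:
                    successes.append(e["user"])
            if len(fails) >= min_accounts:
                alerts[src] = {"accounts": fails, "success": successes}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOGONS).items():
        print(src, "tried", sorted(info["accounts"]), "succeeded as", info["success"])
```

Counting distinct accounts rather than raw failures is what separates a spray from a locked-out user retrying one password; a success from the same source inside the window is the case to escalate first, since the page's description of the worm (NTLM credentials, then SMB share enumeration and spread) means that host is now a launch point.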

Groups That Use This Software

ID | Name | References
G0034 | Sandworm Team | [7]