BadRabbit Ransomware and How to Stay Secure

Since the morning of October 24th, a new ransomware strain named BadRabbit has been spreading through Russia and Ukraine, and on a smaller scale in Germany and Turkey. Affected networks include Ukraine’s Ministry of Infrastructure, Kiev’s public transportation system, the Russian news service Interfax and others.

The attack appears to rely on user deception rather than on exploitation of a vulnerability. While browsing a legitimate Russian news site, the user is redirected to a site controlled by the attackers (a watering hole attack). That site prompts the victim to download and run a bogus Adobe Flash installer, and it is this installer that infects the machine. In other words, the user must run the file; the ransomware does not execute on its own.

KELA recommends the following steps to protect your network:

  • Update the anti-virus engines on endpoints, servers and email servers.
  • Create empty files named C:\Windows\cscc.dat and C:\Windows\infpub.dat and remove all write permissions on them, disabling permission inheritance so that no permissions are re-applied; this can prevent the infection, because the ransomware cannot overwrite those paths with its own components.
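The following PowerShell script is an added example, not code from the KELA post. It creates the two files named above and strips every access control entry, including inherited ones, so nothing can write to or replace them. It assumes it is run from an elevated prompt on each endpoint; the file paths are the ones given in the recommendation.

```powershell
# Added example (not from the KELA post): BadRabbit "vaccine" files.
# Run from an elevated PowerShell prompt on every Windows endpoint.
$paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($p in $paths) {
    # Create an empty placeholder if the file does not already exist.
    if (-not (Test-Path -LiteralPath $p)) {
        New-Item -ItemType File -Path $p -Force | Out-Null
    }

    # Build an ACL with inheritance disabled and no access rules at all.
    # Without any ACE, no account (SYSTEM included) can write to or delete the file;
    # only the owner keeps the implicit right to read and change the DACL later.
    $acl = Get-Acl -LiteralPath $p
    $acl.SetAccessRuleProtection($true, $false)   # $true = protect, $false = drop inherited ACEs
    foreach ($rule in @($acl.Access)) {            # snapshot the collection before modifying it
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $p -AclObject $acl
}

# Verification: each file must exist and report zero ACEs.
foreach ($p in $paths) {
    $count = (Get-Acl -LiteralPath $p).Access.Count
    "{0}: exists={1}, ACEs={2}" -f $p, (Test-Path -LiteralPath $p), $count
}
```

The ACL manipulation is the PowerShell equivalent of `icacls <file> /inheritance:r` followed by removing the remaining explicit entries. Because the resulting DACL is empty, the files can only be removed later by the owner (or by an administrator who first takes ownership), which is what makes the vaccine stick.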

Additional steps for enterprises:

  • Block traffic to and from the ransomware’s distribution server, 1dnscontrol[.]com (5[.]61[.]37[.]209).
  • Prevent users from downloading EXE files directly to their endpoints, for example through appropriate proxy settings.
  • If possible, block SMB traffic between user endpoints in the organization. SMB should only flow between endpoints and servers.
  • If the organization has a VPN link to networks in Ukraine, increase monitoring on that link and consider disabling it until the extent of the attack is clear.
  • Manage local administrator accounts on endpoints so that each endpoint has a unique local administrator password that is rotated regularly (Microsoft LAPS provides this).
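The following PowerShell script is an added example, not code from the KELA post. It implements two of the enterprise recommendations on a Windows workstation with the built-in firewall: an outbound block for the distribution server IP listed in the post, and an inbound block for SMB (TCP 445 and 139) coming from other workstations. The workstation subnet is an assumption; replace it with your own ranges. Because Windows Firewall evaluates block rules before allow rules, the block is scoped to the workstation subnets rather than adding an allow rule for servers.

```powershell
# Added example (not from the KELA post): workstation firewall rules.
# Run from an elevated PowerShell prompt, or deploy the equivalent via GPO.
$C2Address          = "5.61.37.209"               # distribution server IP from the post
$WorkstationSubnets = @("10.20.0.0/16")           # ASSUMPTION: where user endpoints live

# 1. Drop all outbound traffic to the distribution server.
New-NetFirewallRule -DisplayName "BadRabbit - block distribution server" `
    -Direction Outbound -Action Block -RemoteAddress $C2Address -Profile Any | Out-Null

# 2. Drop inbound SMB from other workstations. Servers are outside the scoped
#    range, so endpoint-to-server SMB keeps working; endpoint-to-endpoint does not.
New-NetFirewallRule -DisplayName "BadRabbit - block workstation-to-workstation SMB" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort @("445", "139") `
    -RemoteAddress $WorkstationSubnets -Profile Domain, Private | Out-Null

# Verification: list the rules we just created with their address and port scopes.
Get-NetFirewallRule -DisplayName "BadRabbit - *" | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Remote     = ($addr.RemoteAddress -join ",")
        LocalPort  = ($port.LocalPort -join ",")
    }
} | Format-Table -AutoSize
```

Apply the rules to the Domain and Private profiles only if laptops on public networks already have SMB blocked by other means; otherwise use `-Profile Any`.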

KELA has identified the following Indicators of Compromise:

  • 1dnscontrol[.]com (5[.]61[.]37[.]209)
  • hxxp://
  • hxxp://
    • md5: b14d8faf7f0cbcfad051cefe5f39645f
    • sha1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
    • sha256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • Dropper
    • md5: fbbdc39af1139aebba4da004475e8839
    • sha1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
    • sha256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
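The following PowerShell script is an added example, not code from the KELA post. It sweeps an endpoint for files whose SHA-256 matches either hash listed above and reports the path of any hit. The search locations and depths are assumptions chosen for a quick triage pass; extend them for a full-disk sweep.

```powershell
# Added example (not from the KELA post): hunt for the file IOCs listed above.
# SHA-256 values are the two hashes from the post; labels are ours.
$IocSha256 = @{
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93" = "first hash listed in the post"
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da" = "dropper hash listed in the post"
}

# ASSUMPTION: locations worth a first look, with how deep to recurse into each.
$SearchRoots = @(
    @{ Path = $env:SystemRoot;          Depth = 0 }   # files dropped straight into C:\Windows
    @{ Path = "$env:SystemRoot\Temp";   Depth = 1 }
)
foreach ($profile in Get-ChildItem -LiteralPath "C:\Users" -Directory -ErrorAction SilentlyContinue) {
    $SearchRoots += @{ Path = "$($profile.FullName)\Downloads";          Depth = 2 }
    $SearchRoots += @{ Path = "$($profile.FullName)\AppData\Local\Temp"; Depth = 2 }
}

$hits = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root.Path)) { continue }
    Get-ChildItem -LiteralPath $root.Path -File -Recurse -Depth $root.Depth `
                  -Include *.exe, *.dll, *.dat -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h) {
            $h = $h.ToLower()                         # Get-FileHash returns uppercase hex
            if ($IocSha256.ContainsKey($h)) {
                [pscustomobject]@{ Path = $_.FullName; Sha256 = $h; Match = $IocSha256[$h] }
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No files matching the listed hashes were found under the searched locations."
}
```

A hit on the first hash in C:\Windows means the payload is already on disk and the host should be isolated rather than cleaned in place; an empty result only rules out the searched paths, not the host.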

About KELA and RaDark

KELA Targeted Cyber Intelligence is a leading provider of targeted cyber intelligence, based in Tel Aviv, Israel. We specialize in providing our clients with intelligence about cyber threats that specifically target them (exposed IT systems, breached employee credentials, product vulnerabilities, etc.). We do this using RaDark, a technology we developed: an automated, cloud-based platform that uses custom-built web crawlers to continuously monitor Darknet sources. In addition, our defense-force-trained intelligence analysts provide tailored reporting and incident response services, acting as a real-time extension of the client’s team. Our intelligence is used by some of the world’s largest banks, telecoms, auto manufacturers and more.