The BRabbit Lab offers a comprehensive scenario simulating a sophisticated ransomware attack, designed to challenge investigators to uncover its intricacies. In this case Drumbo, a company targeted by a malicious campaign, fell victim to ransomware identified as part of the Bad Rabbit family. The attack commenced with a deceptive phishing email that exploited social engineering techniques, leveraging a spoofed domain and urgent messaging to deceive an employee into executing a malicious attachment.

Once executed, the ransomware demonstrated advanced capabilities, including establishing persistence through scheduled tasks named `rhaegal` and `drogon` that execute the malicious binary `dispci.exe`. It employed DiskCryptor to modify the Master Boot Record (MBR) and encrypt the victim's hard drive, rendering systems unbootable and displaying a ransom note. The ransomware further reinforced its operations by communicating with a US-based server categorized as a "Vulnerability Scanner", identified by the IP address 192.229.221.95, potentially to probe and exploit system weaknesses.
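As an added example (not part of the lab material), the following Python snippet shows how an investigator could triage exported Windows and Sysmon-style events for the indicators named above: the `rhaegal`/`drogon` task names, execution of `dispci.exe`, and outbound connections to 192.229.221.95. The event records are loosely modelled on Security event 4698 and Sysmon events 1 and 3; the sample events, the field schema and the tactic labels are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Indicators taken from the lab description above; the lookup sets are our own.
SUSPICIOUS_TASKS = {"rhaegal", "drogon"}          # persistence via scheduled tasks
SUSPICIOUS_BINARIES = {"dispci.exe"}               # binary launched by those tasks
SUSPICIOUS_IPS = {"192.229.221.95"}                # server the ransomware contacted


@dataclass(frozen=True)
class Finding:
    event_id: int
    tactic: str      # assumed ATT&CK tactic label for the matched behaviour
    detail: str


def scan_event(event: dict) -> list[Finding]:
    """Return findings for one event (constructed, Windows/Sysmon-like schema)."""
    findings: list[Finding] = []
    eid = event.get("EventID")
    if eid == 4698:  # Security log: a scheduled task was created
        name = event.get("TaskName", "").strip("\\").lower()
        if name in SUSPICIOUS_TASKS:
            findings.append(Finding(eid, "Persistence", f"scheduled task '{name}' created"))
    elif eid == 1:  # Sysmon: process creation
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image in SUSPICIOUS_BINARIES:
            findings.append(Finding(eid, "Execution", f"{image} launched from {event.get('Image')}"))
    elif eid == 3:  # Sysmon: network connection
        dst = event.get("DestinationIp", "")
        if dst in SUSPICIOUS_IPS:
            findings.append(Finding(eid, "Command and Control", f"outbound connection to {dst}"))
    return findings


def scan_events(events: list[dict]) -> list[Finding]:
    """Scan a batch of events, preserving their order."""
    return [f for event in events for f in scan_event(event)]


# Constructed sample events: two hits, one benign task, one hit, one benign connection.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\rhaegal"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 1, "Image": "C:\\Windows\\dispci.exe"},
    {"EventID": 3, "DestinationIp": "192.229.221.95", "DestinationPort": 443},
    {"EventID": 3, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding.tactic}] EventID {finding.event_id}: {finding.detail}")
```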
This lab highlights the tactics, techniques, and procedures (TTPs) associated with the Sandworm (aka TeleBots) APT group, known for leveraging sophisticated methods to cause maximum disruption. Participants will explore techniques documented in the MITRE ATT&CK framework, such as