S0606: Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
Analyst context for executives and security teams
Bad Rabbit matters because ATT&CK describes it as self-propagating Windows ransomware associated with real operational disruption, including the Ukrainian transportation sector in 2017 and targets in Russia. For leaders, the key decision value is not the malware name itself; it is whether Windows estates, shared services, identity controls, backups, and IT/ICS segmentation can withstand ransomware that combines user-driven initial access, credential access, lateral movement, and encryption for impact.
Executive priority
Prioritize Bad Rabbit as a resilience and readiness test case for ransomware affecting business continuity and potentially cyber-physical operations. Executives should ask whether the organization can prove: Windows endpoint visibility, protected credential stores, monitored remote service use, controlled SMB/network shares, recoverable backups, and clear incident procedures for rapid isolation. Because ATT&CK links this malware to ICS impact techniques such as Loss of Productivity and Revenue, organizations with operational technology should validate IT-to-OT separation and downtime response evidence, not just endpoint malware prevention.
Technical view
ATT&CK lists Bad Rabbit on Windows and relates it to techniques spanning drive-by compromise, malicious file execution, LSASS memory access, password spraying, scheduled tasks, process and network share discovery, lateral tool transfer, exploitation of remote services, service execution, rundll32 proxy execution, UAC bypass, data encryption for impact, firmware corruption, and ICS loss of productivity/revenue. SOC and IR teams should validate visibility across the full chain: browser/download activity, suspicious Windows process execution, credential access attempts against LSASS, abnormal authentication patterns, SMB/share enumeration and file transfer, service or scheduled task creation, and rapid file encryption or availability-impacting changes.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation and service control manager activity
- Scheduled task creation, modification, and execution events
- Rundll32 execution context and child process relationships
- LSASS access events and endpoint security alerts related to credential dumping behavior
Detection direction
- Map detection coverage to the ATT&CK relationships rather than relying on a single Bad Rabbit signature, since official ATT&CK detection text is not provided.
- Correlate user execution or drive-by delivery signals with follow-on Windows behaviors such as scheduled tasks, service execution, rundll32 activity, discovery, credential access, and lateral movement.
- Tune for ransomware behavior on shared storage: rapid file modification, encryption-like write patterns, and activity from unusual hosts or accounts.
- Validate alerting for LSASS access and abnormal authentication attempts, while accounting for legitimate administration and security tooling to reduce false positives.
- Review SMB and network share discovery baselines; administrative scanning and backup operations can look noisy, so detections should consider source host, account role, timing, and follow-on execution.
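As an added illustration of the correlation approach in this section (example code, not part of the mirrored ATT&CK object or of Glexia's own tooling), the Python below scores constructed Windows events per host and only alerts when several stages of the chain described above, browser-spawned execution from a download folder, rundll32 proxy execution, scheduled task creation, service installation and LSASS access, appear within a short window. The allowlist, browser set, window, threshold and every event value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); fields loosely follow Windows process-creation, task, service and LSASS-access events.
def ev(ts, host, kind, image, parent=""):
    return {"ts": ts, "host": host, "kind": kind, "image": image, "parent": parent}

SAMPLE_EVENTS = [
    ev("2017-10-24T10:00:05", "ws01", "process", r"C:\Users\alice\Downloads\flash_setup.exe", "chrome.exe"),
    ev("2017-10-24T10:00:09", "ws01", "process", r"C:\Windows\System32\rundll32.exe", "flash_setup.exe"),
    ev("2017-10-24T10:00:20", "ws01", "task_created", r"C:\Windows\System32\schtasks.exe"),
    ev("2017-10-24T10:00:31", "ws01", "lsass_access", r"C:\Windows\dropped.exe"),
    ev("2017-10-24T10:00:45", "ws01", "service_created", r"C:\Windows\System32\services.exe"),
    # Admin host: a backup task plus the EDR sensor reading LSASS, no execution chain.
    ev("2017-10-24T11:00:00", "admin01", "task_created", r"C:\Windows\System32\schtasks.exe"),
    ev("2017-10-24T11:00:10", "admin01", "lsass_access", r"C:\Program Files\EDR\sensor.exe"),
]
LSASS_ALLOWLIST = {r"c:\program files\edr\sensor.exe"}  # constructed; tune per estate
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
WINDOW, MIN_STAGES = timedelta(minutes=15), 3

def classify(e):
    """Map one event to a stage of the ransomware chain, or None if it is benign or unknown."""
    img, kind = e["image"].lower(), e["kind"]
    if kind == "process" and img.endswith("\\rundll32.exe"):
        return "rundll32_proxy_exec"
    if kind == "process" and "\\downloads\\" in img and e["parent"].lower() in BROWSERS:
        return "user_execution_from_browser"
    if kind == "task_created":
        return "scheduled_task"
    if kind == "service_created":
        return "service_execution"
    if kind == "lsass_access" and img not in LSASS_ALLOWLIST:
        return "lsass_access"

def correlate(events):
    """Return {host: sorted stages} for hosts with >= MIN_STAGES distinct stages inside WINDOW."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        stage = classify(e)
        if stage:
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    hits = {}
    for host, staged in per_host.items():
        for i, (t0, _) in enumerate(staged):  # sliding window anchored on each event
            stages = {s for t, s in staged[i:] if t - t0 <= WINDOW}
            if len(stages) >= MIN_STAGES:
                hits[host] = sorted(stages)
                break
    return hits
```

The admin host is deliberately not flagged: a scheduled task plus an allowlisted LSASS reader is one stage, which is the false-positive case the bullets above call out.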
Mitigation priorities
- Strengthen ransomware recovery first: maintain tested, protected backups and rehearsed restoration procedures for critical Windows systems and shared data.
- Reduce lateral movement opportunity by limiting SMB exposure, enforcing least privilege, and segmenting critical business and OT networks from general user workstations.
- Harden identity controls against credential access and password spraying through strong authentication policy, privileged account controls, and monitoring of broad login attempts.
- Restrict or monitor administrative execution paths commonly abused in the related techniques, including scheduled tasks, service creation, rundll32, and remote service execution.
- Patch and vulnerability-manage remotely reachable services to reduce exploitation paths used for lateral movement.
Analyst notes and limits
This take is based on ATT&CK S0606 Bad Rabbit, its official description, external references from Secure List, ESET, Dragos, and the supplied relationships to Sandworm Team and related ATT&CK techniques. The most defensible use for defenders is as a ransomware behavior coverage checklist across Windows endpoint, identity, lateral movement, shared storage, and IT/ICS resilience.
MITRE does not provide official detection text for this object, and the object itself lists tactics as not specified. Several related technique descriptions are general ATT&CK technique descriptions rather than Bad Rabbit-specific procedure detail. Local validation, telemetry availability, asset criticality, and environment-specific baselines are required before claiming coverage or exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048. [1] |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Bad Rabbit’s |
| Enterprise | T1495 | Firmware Corruption | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up. [1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Bad Rabbit drops a file named |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Bad Rabbit’s |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Bad Rabbit has masqueraded as a Flash Player installer through the executable file |
| Enterprise | T1189 | Drive-by Compromise | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine. [2] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges. [1] |
| Enterprise | T1057 | Process Discovery | Bad Rabbit can enumerate all running processes to compare hashes. [1] |
| Enterprise | T1135 | Network Share Discovery | Bad Rabbit enumerates open SMB shares on internal victim networks. [2] |
| Enterprise | T1210 | Exploitation of Remote Services | Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks. [1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Bad Rabbit has used rundll32 to launch a malicious DLL as |
| Enterprise | T1204.002 | Malicious File Sub-technique | Bad Rabbit has been executed through user installation of an executable disguised as a flash installer. [2][1] |
| Enterprise | T1106 | Native API | Bad Rabbit has used various Windows API calls. [2] |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 7a9204e572f8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Secure List Bad Rabbit: Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
[2] ESET Bad Rabbit: M.Léveille, M-E. (2017, October 24). Bad Rabbit: Not-Petya is back with improved ransomware. Retrieved January 28, 2021.
[3] Dragos Apr 2019: Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.
[4] mitre-attack S0606
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.