Infection took place after users visited compromised legitimate sites. Group-IB identified that Bad Rabbit was spread via web traffic from compromised media sites, among them:

http://www.fontanka.ru/
http://argumenti.ru
http://argumentiru.com

The user was shown a window suggesting a FlashPlayer update. If the user agreed to the update, a malicious file named install_flash_player.exe (MD5 hash: FBBDC39AF1139AEBBA4DA004475E8839) was downloaded and infected the host.
For decryption the attackers requested 0.05 bitcoin (at current exchange rates this is around 283 USD). After infection the malware raised privileges on the local machine in order to spread. On the local network it spread over SMB, using passwords extracted from LSASS on the compromised computer or an internal password library.
After infection, the victim sees the following window: