How to protect yourself from the new Bad Rabbit ransomware virus
The Bad Rabbit ransomware attacks users in Russia and Ukraine. How hackers extort money.

The Bad Rabbit ransomware, which attacked the Russian media the day before, also tried to attack Russian banks from the top 20, Group-IB, a company that investigates and prevents cybercrime, told Forbes. A company representative declined to give details about the attacks on credit institutions, explaining that Group-IB does not disclose information about clients who use its intrusion detection system.

According to cybersecurity experts, attempts to infect the infrastructure of Russian banks with the virus took place on October 24 from 13:00 to 15:00 Moscow time. Group-IB believes the attacks showed that banks are better protected than companies in the non-banking sector. Earlier, the company reported that a new ransomware virus, probably related to the June epidemic of the NotPetya ransomware (as indicated by overlaps in the code), had attacked the Russian media: the information systems of the Interfax news agency and the servers of the St. Petersburg news portal Fontanka. In addition, the virus hit the systems of the Kyiv metro, the Ministry of Infrastructure of Ukraine and Odessa International Airport. Over the summer, NotPetya hit energy, telecommunications and financial companies, primarily in Ukraine. To decrypt files encrypted by Bad Rabbit, the attackers demand 0.05 bitcoin, which at the current exchange rate is approximately $283 or 15,700 rubles.

Kaspersky Lab clarified that this time most of the victims chosen by the hackers were in Russia. However, the company also recorded similar attacks in Ukraine, Turkey and Germany, but “in significantly smaller numbers.” “All signs point to this being a targeted attack on corporate networks. Methods similar to those we observed in the ExPetr attack are used, but we cannot confirm a connection with ExPetr,” a company representative said. The Forbes source added that all Kaspersky Lab products “detect these malicious files as UDS:DangerousObject.Multi.Generic.”

How to protect yourself?

To protect against this attack, Kaspersky Lab recommended using an antivirus with KSN enabled and the System Monitoring (System Watcher) module. “If a Kaspersky Lab security solution is not installed, we recommend blocking the execution of the files c:\windows\infpub.dat and C:\Windows\cscc.dat using system administration tools,” advised Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

Group-IB notes that to prevent the virus from encrypting files, “you must create the file C:\windows\infpub.dat and give it read-only rights.” After this, even if the computer is infected, the files will not be encrypted, the company said. At the same time, computers found to be sending such malicious files must be quickly isolated to avoid large-scale infection of other computers on the network. After that, users need to make sure that the backup copies of key network nodes are up to date and intact.

When the initial steps are complete, users are advised to update operating systems and security software, while at the same time blocking the IP addresses and domain names from which the malicious files were distributed. Group-IB recommends changing all passwords to more complex ones, blocking pop-up windows, and prohibiting the storage of passwords in clear text in the LSA dump.

Who is behind the BadRabbit attack

In 2017, two major ransomware epidemics had already been recorded: WannaCry (which attacked 200,000 computers in 150 countries) and ExPetr, the latter also known as Petya/NotPetya, Kaspersky Lab notes. Now, according to the company, “the third is beginning.” The name of the new ransomware, Bad Rabbit, “is written on a darknet page to which its creators direct victims for details,” the company clarifies. Group-IB believes that Bad Rabbit is a modified version of NotPetya with the errors in the encryption algorithm corrected. In particular, the Bad Rabbit code includes blocks that are completely identical to NotPetya.

ESET Russia agrees that the malware used in the attack, “Win32/Diskcoder.D,” is a modified version of “Win32/Diskcoder.C,” better known as Petya/NotPetya. As Vitaly Zemskikh, head of sales support at ESET Russia, explained in a conversation with Forbes, the statistics of attacks by country “largely corresponds to the geographical distribution of sites containing malicious JavaScript.” Thus, the majority of infections occurred in Russia (65%), followed by Ukraine (12.2%), Bulgaria (10.2%), Turkey (6.4%) and Japan (3.8%).

Infection with Bad Rabbit occurred after visiting hacked sites. The hackers injected JavaScript into the HTML code of the compromised resources, which showed visitors a fake window prompting them to install an Adobe Flash Player update. If the user agreed to the update, a malicious file named “install_flash_player.exe” was installed on the computer. “Having infected a workstation within an organization, the encryptor can spread across the corporate network via the SMB protocol. Unlike its predecessor Petya/NotPetya, Bad Rabbit does not use the EternalBlue exploit; instead it scans the network for open network resources,” says Zemskikh. Next, the Mimikatz tool is launched on the infected machine to collect credentials. In addition, there is a hard-coded list of logins and passwords.

There is no information yet about who organized the attacks. At the same time, according to Group-IB, the similar mass attacks WannaCry and NotPetya may be associated with state-funded hacker groups. Experts draw this conclusion from the fact that the financial gain from such attacks is “negligible” compared to the complexity of carrying them out. “Most likely, these were not attempts to make money, but to test the level of protection of the critical infrastructure networks of enterprises, government agencies and private companies,” experts conclude. A Group-IB representative confirmed to Forbes that the latest virus, Bad Rabbit, may turn out to be a test of the protection of government and business infrastructure. “Yes, it cannot be ruled out, considering that the attacks were targeted at critical infrastructure facilities: the airport, the metro, government agencies,” explains Forbes’ interlocutor.

Answering the question about who is responsible for the latest attack, ESET Russia emphasizes that with the tools of an antivirus company alone it is impossible to conduct a high-quality investigation and identify those involved; that is the task of specialists of a different profile. “As an antivirus company, we identify the methods and targets of attacks, the attackers' malicious tools, vulnerabilities and exploits. Finding the culprits, their motives, nationality, etc. is not our responsibility,” said a company representative, promising to draw conclusions about the purpose of Bad Rabbit based on the results of the investigation. “Unfortunately, in the near future we will see many similar incidents; the vector and scenario of this attack have shown high efficiency,” ESET Russia predicts. Forbes' interlocutor recalls that for 2017 the company predicted an increase in the number of targeted attacks on the corporate sector, primarily on financial organizations (by more than 50%, according to preliminary estimates). “These predictions are now coming true: we are seeing an increase in the number of attacks coupled with an increase in damage to the affected companies,” he admits.

Hi all! Just the other day, a large-scale hacker attack using the new Bad Rabbit encryption virus, also known as Diskcoder.D, began in Russia, Ukraine, Turkey, Germany and Bulgaria. At the moment the encryptor is attacking the corporate networks of large and medium-sized organizations, blocking entire networks. Today we will tell you what this Trojan is and how you can protect yourself from it.

What kind of virus?

Bad Rabbit operates according to the standard ransomware scheme: once it enters the system, it encrypts files, and for their decryption the hackers demand 0.05 bitcoin, which at the current exchange rate is $283 (or 15,700 rubles). This is reported in a separate window, where you are expected to enter the purchased key. The threat is detected as Trojan.Win32.Generic, but it also contains other components, detected as DangerousObject.Multi.Generic and Ransom.Win32.Gen.ftl.

Bad Rabbit – a new ransomware virus

It is still difficult to trace all sources of infection completely, but experts are working on this now. Presumably, the threat reaches the PC through infected sites on which a redirect is configured, or under the guise of fake updates for popular plugins such as Adobe Flash. The list of such sites keeps growing.

Is it possible to remove a virus and how to protect yourself?

It is worth saying right away that at the moment all antivirus laboratories have started analyzing this Trojan. If you look specifically for information on removing the virus, there is none as such. Let's immediately discard the standard advice: make a system backup, a restore point, delete such-and-such files. If you don't have backups, nothing else works; because of the specifics of the virus, the hackers have thought such things through.

I think that amateur-made decryptors for Bad Rabbit will soon be circulating; whether you use these programs or not is your own choice. As the recent Petya ransomware showed, this doesn't help anyone.

But you can prevent the threat and block it when it tries to get into your PC. The Kaspersky and ESET laboratories were the first to respond to reports of the epidemic and are already blocking penetration attempts. The Google Chrome browser has also begun to detect infected resources and warn about their danger. Here is what you need to do first to protect yourself from Bad Rabbit:

  1. If you use Kaspersky, ESET, Dr.Web or other popular products for protection, you must update the databases. Also, for Kaspersky you need to enable “Activity Monitor” (System Watcher), and in ESET apply the signatures from update 16295.
  2. If you do not use an antivirus, you need to block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy editor or AppLocker for Windows.
  3. It is advisable to disable the Windows Management Instrumentation (WMI) service. In Windows 10 the service is called “Windows Management Instrumentation”. Right-click to open the service properties and set “Startup type” to “Disabled”.
  4. Be sure to make a backup copy of your system. Ideally, a copy should always be stored on removable media. Here is a short video instruction on how to create it.
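The file-blocking advice in steps 2 and 3, together with Group-IB's read-only "vaccination" tip earlier on this page, can be applied and audited with a script. The PowerShell below is an added example written for this page, not code from any of the quoted vendors; it assumes an elevated session on Windows and that $env:SystemRoot is C:\Windows.

```powershell
# Added example (not from the article or any vendor): "vaccinate" a host against Bad Rabbit by
# pre-creating the two files the malware drops and locking them down. Assumes an elevated session.
$VaccineFiles = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),   # malicious DLL dropped by install_flash_player.exe
    (Join-Path $env:SystemRoot 'cscc.dat')      # DiskCryptor driver (dcrypt.sys) under another name
)

function Protect-BadRabbitVaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Create an empty placeholder if the file does not exist yet.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }

    # 2. Set the Read-Only attribute (Group-IB's advice; Bad Rabbit also skips read-only files).
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # 3. Break ACL inheritance and explicitly deny everyone the rights the dropper would need
    #    to replace the file: write, delete and change permissions.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)     # $true = protect, $false = drop inherited ACEs
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Write, Delete, ChangePermissions', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-BadRabbitVaccine {
    # Returns one object per vaccine file so the state can be audited or fed into monitoring.
    foreach ($f in $VaccineFiles) {
        $item = Get-Item -LiteralPath $f -ErrorAction SilentlyContinue
        $denied = $false
        if ($item) {
            $acl = Get-Acl -LiteralPath $f
            $denied = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'Everyone' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
            })
        }
        [pscustomobject]@{
            Path        = $f
            Exists      = [bool]$item
            ReadOnly    = if ($item) { $item.IsReadOnly } else { $false }
            WriteDenied = $denied
            Vaccinated  = [bool]$item -and $item.IsReadOnly -and $denied
        }
    }
}

foreach ($f in $VaccineFiles) { Protect-BadRabbitVaccineFile -Path $f }
Test-BadRabbitVaccine | Format-Table -AutoSize

# Optional, per step 3 above: disable the WMI service. This breaks many management and
# monitoring tools that depend on WMI, so only do it where that is acceptable.
# Set-Service -Name winmgmt -StartupType Disabled
```

Re-run Test-BadRabbitVaccine after patching or image updates, since anything that rewrites the Windows directory with inheritance re-enabled can undo the deny entries.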
Conclusion

In conclusion, it is worth saying the most important thing: you should not pay the ransom, no matter what has been encrypted. Such actions only encourage scammers to create new virus attacks. Monitor the forums of the antivirus companies, which, I hope, will soon study the Bad Rabbit virus and find an effective cure. Be sure to follow the steps above to protect your OS. If you have any difficulties completing them, please write in the comments.

Update 10/27/2017. Assessing the decryption capability. Possibility of file recovery. Verdicts.

What happened?

On Tuesday, October 24, we received notifications of massive attacks using the Bad Rabbit ransomware. Organizations and individual users were affected - mainly in Russia, but there were also reports of victims from Ukraine. This is the message victims see:

What is Bad Rabbit?

Bad Rabbit belongs to a previously unknown family of ransomware.

How is it distributed?

The malware is spread using a drive-by attack: the victim visits a legitimate website, and a ransomware dropper is downloaded from the attackers' infrastructure. The criminals did not use exploits at this stage, so to get infected the user had to manually run a file disguised as an Adobe Flash installer. However, our analysis confirms that Bad Rabbit used the EternalRomance exploit to spread within corporate networks. The same exploit was used by the ExPetr ransomware.

We have discovered a number of hacked resources - they all represent news portals and media sites.

Who is the attack aimed at?

Most of the victims are in Russia. Similar but less massive attacks affected other countries: Ukraine, Turkey and Germany. The total number of targets, according to KSN statistics, reaches 200.

When did Kaspersky Lab discover the threat?

We were able to trace the original vector of the attack at its very beginning, on the morning of October 24. The active phase lasted until noon, although individual attacks were recorded until 19:55 Moscow time. The server from which the Bad Rabbit dropper was distributed was shut down that evening.

How is Bad Rabbit different from the ExPetr ransomware? Or is it the same malware?

According to our observations, this is a targeted attack on corporate networks, and its methods are similar to those used during the ExPetr attack. Moreover, analysis of the Bad Rabbit code demonstrated its marked similarity to the ExPetr code.

Technical details

According to our data, the ransomware is spread through a drive-by attack. The ransomware dropper is downloaded from hxxp://1dnscontrol[.]com/flash_install.php.

Victims are redirected to this malicious resource from legitimate news sites.

The victim must run the downloaded install_flash_player.exe file manually. To function properly, the file requires administrator rights, which it requests through a standard UAC prompt. When launched, the malware saves the malicious DLL as C:\Windows\infpub.dat and runs it via rundll32.

Pseudocode of the malicious DLL installation procedure

Apparently, the infpub.dat library brute-forces NTLM credentials on Windows machines with pseudo-random IP addresses.

Hardcoded list of credentials

The infpub.dat library also installs a malicious executable, dispci.exe, into C:\Windows and creates a scheduled task to run it.

Pseudocode of the procedure that creates the task of launching a malicious executable file
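To turn the behaviour described above (the dropper launching rundll32 on infpub.dat, then a scheduled task for dispci.exe) into detection logic, here is an added example that is not part of Kaspersky's report. The pipe-separated process-creation log format and the sample lines are constructed for illustration; the rundll32 arguments and the task name are placeholders, not values from the page.

```powershell
# Constructed sample telemetry: "<time>|PID=<n>|Image=<path>|ParentImage=<path>|CommandLine=<cmd>".
# Arguments and the task name are placeholders; only the file names come from the analysis above.
$SampleEvents = @'
2017-10-24 13:01:05|PID=4012|Image=C:\Users\anna\Downloads\install_flash_player.exe|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine=install_flash_player.exe
2017-10-24 13:01:07|PID=4100|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Users\anna\Downloads\install_flash_player.exe|CommandLine=rundll32.exe C:\Windows\infpub.dat,#1
2017-10-24 13:01:09|PID=4188|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\rundll32.exe|CommandLine=schtasks.exe /Create /TN placeholder_task /TR "C:\Windows\dispci.exe -id 1234" /SC once
2017-10-24 13:05:00|PID=5020|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
'@

function ConvertFrom-ProcessEvent {
    # Parse one pipe-separated line into an object with Time, PID, Image, ParentImage, CommandLine.
    param([Parameter(Mandatory)][string]$Line)
    $fields = $Line -split '\|'
    $ev = [ordered]@{ Time = $fields[0] }
    foreach ($kv in $fields[1..($fields.Count - 1)]) {
        $key, $value = $kv -split '=', 2
        $ev[$key] = $value
    }
    [pscustomobject]$ev
}

# Each rule receives the parsed event and returns $true when it fires.
$BadRabbitRules = @(
    @{ Name = 'Fake Flash installer executed (install_flash_player.exe)'
       Test = { param($e) $e.Image -match '\\install_flash_player\.exe$' } }
    @{ Name = 'rundll32 loading a .dat payload from C:\Windows (infpub.dat)'
       Test = { param($e) $e.Image -match '\\rundll32\.exe$' -and
                          $e.CommandLine -match '\\Windows\\[^\\\s]+\.dat' } }
    @{ Name = 'Scheduled task created for dispci.exe'
       Test = { param($e) $e.Image -match '\\schtasks\.exe$' -and
                          $e.CommandLine -match '/Create' -and
                          $e.CommandLine -match 'dispci\.exe' } }
    @{ Name = 'Child process of the fake Flash installer'
       Test = { param($e) $e.ParentImage -match '\\install_flash_player\.exe$' } }
)

function Find-BadRabbitIndicators {
    # Returns one finding object per (event, rule) match; empty lines are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $e = ConvertFrom-ProcessEvent -Line $line
        foreach ($rule in $BadRabbitRules) {
            if (& $rule.Test $e) {
                [pscustomobject]@{ Time = $e.Time; PID = $e.PID; Rule = $rule.Name; CommandLine = $e.CommandLine }
            }
        }
    }
}

$findings = Find-BadRabbitIndicators -Lines ($SampleEvents -split "`r?`n")
$findings | Format-Table -AutoSize
# A real deployment would also correlate the rundll32 event with the burst of outbound SMB/NTLM
# authentication attempts that infpub.dat generates while scanning pseudo-random addresses.
```

On the constructed sample, the fourth line (a benign rundll32 launch) produces no finding, while the second line fires two rules, which is the kind of overlap worth keeping rather than de-duplicating away.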

Moreover, infpub.dat acts like a typical ransomware: it finds the victim’s data using a built-in list of extensions and encrypts the files with a public 2048-bit RSA key owned by the attackers.

Attackers' public key and list of extensions

Public key parameters:

Public-Key: (2048 bit)
Exponent: 65537 (0x10001)


The executable file dispci.exe appears to be based on code from the legitimate DiskCryptor utility. It acts as a disk encryption module and installs a modified bootloader in parallel, blocking the normal boot process of the infected system.

During the analysis of samples of this threat, we noted an interesting detail: apparently, the malware authors are fans of Game of Thrones. Some strings in the code are the names of characters from this universe.

Names of dragons from Game of Thrones

Names of characters from Game of Thrones

Encryption scheme

As we already mentioned, the Bad Rabbit ransomware encrypts both the victim's files and the hard disk. The following algorithms are used for files:

  1. AES-128-CBC
  2. RSA-2048

This is a typical scheme used by ransomware.

Interestingly, the ransomware enumerates all running processes and compares a hash of each process name with its built-in list of hashes. The hashing algorithm used is similar to the one used by the ExPetr malware.

Comparison of Bad Rabbit and ExPetr hashing procedures

Special branch of program execution

Runtime Flag Initialization Procedure

Full list of hashes from process names:

Hash Process name
0x4A241C3E dwwatcher.exe
0x923CA517 McTray.exe
0x966D0415 dwarkdaemon.exe
0xAA331620 dwservice.exe
0xC8F10976 mfevtps.exe
0xE2517A14 dwengine.exe
0xE5A05A00 mcshield.exe

Partitions on the victim's hard drive are encrypted using the dcrypt.sys driver from DiskCryptor (it is loaded as C:\Windows\cscc.dat). The encryptor sends the necessary IOCTL codes to this driver. Some functions are taken “as is” from the DiskCryptor source (drv_ioctl.c), while others appear to have been added by the malware's developers.

Disk partitions are encrypted by the DiskCryptor driver using AES in XTS mode. The password is generated by dispci.exe using the WinAPI CryptGenRandom function and is 32 characters long.

Assessing decryption capability

Our data suggests that Bad Rabbit, unlike ExPetr, was not created as a wiper (we wrote earlier that the creators of ExPetr are technically unable to decrypt an MFT encrypted using GoldenEye). The malware's algorithm assumes that the attackers behind Bad Rabbit have the necessary decryption tools.

The data that appears on the infected machine's screen as "personal installation key#1" is an RSA-2048 encrypted and base64 encoded binary structure that contains the following information from the infected system:

Attackers can use their RSA private key to decrypt this structure and send the disk decryption password to the victim.

Please note that the value of the id field that is passed to dispci.exe is simply a 32-bit number used to distinguish between infected computers, and not the AES key for disk encryption, as some reports published on the Internet have said.

During the analysis, we extracted the password generated by the malware under a debugger and tried to use it on a locked system after rebooting: the password matched and the boot continued.

Unfortunately, it is impossible to decrypt data on the disks without the attackers' RSA-2048 private key: the symmetric keys are securely generated on the malware side, which in practice rules out guessing them.

However, we discovered a bug in the dispci.exe code: the generated password is not wiped from memory, which leaves a small chance of retrieving it before the dispci.exe process terminates. In the screenshot below, you will notice that while the dc_pass variable (which is passed to the driver) is securely erased after use, this is not the case for the rand_str variable, which holds a copy of the password.

Pseudo code for a procedure that generates a password and encrypts disk partitions

File encryption

As we have already written, the Trojan uses a typical file encryption scheme. It generates a random string 32 bytes long and uses it in the key derivation algorithm. Unfortunately for recovery, the cryptographically strong CryptGenRandom function is used to create this string.

Key derivation algorithm

The encrypted password, along with information about the infected system, is written to the Readme file as “personal installation key#2”.

Interesting fact: the malware does not encrypt files with the Read-Only attribute.

Ability to recover files

We discovered that Bad Rabbit does not delete shadow copies of files after encrypting them. This means that if the Volume Shadow Copy service was enabled before infection and full disk encryption did not occur for some reason, the victim can recover encrypted files using standard Windows tools or third-party utilities.

Shadow copies unaffected by Bad Rabbit
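The recovery path described above, as an added PowerShell example that is not part of Kaspersky's report: it lists the shadow copies for a drive and copies one file out of the newest snapshot through a temporary directory symlink. It assumes an elevated session on a system that still boots (the DiskCryptor stage did not complete), and the file paths in the usage call are placeholders.

```powershell
# Added example: recover a file from a Volume Shadow Copy that Bad Rabbit left in place.
# Requires an elevated session; mklink to a shadow device needs admin rights.
function Get-ShadowCopiesForDrive {
    param([string]$DriveLetter = 'C:')
    # Shadow copies are keyed by volume GUID path, not by drive letter, so map the letter first.
    $volume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "No volume mounted as $DriveLetter" }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object -Property InstallDate -Descending |
        Select-Object -Property ID, InstallDate, DeviceObject
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$Path,         # original path, e.g. C:\Users\anna\report.docx
        [Parameter(Mandatory)][string]$Destination,  # where to write the recovered copy
        [string]$ShadowId                            # specific snapshot ID; default is the newest
    )
    $drive   = $Path.Substring(0, 2)
    $shadows = Get-ShadowCopiesForDrive -DriveLetter $drive
    $shadow  = if ($ShadowId) { $shadows | Where-Object ID -eq $ShadowId }
               else           { $shadows | Select-Object -First 1 }
    if (-not $shadow) { throw "No usable shadow copy for $drive" }

    # Shadow devices (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) are only reachable through
    # a directory symlink; the trailing backslash on the target is required.
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link ($Path.Substring(3))   # drop "C:\" and re-root under the link
        if (-not (Test-Path -LiteralPath $source)) {
            throw "$Path is not present in shadow copy $($shadow.ID) from $($shadow.InstallDate)"
        }
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Destination) | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination -Force
        Get-Item -LiteralPath $Destination
    }
    finally {
        cmd.exe /c rmdir "$link" | Out-Null   # rmdir on a directory symlink removes only the link
    }
}

# Usage: list snapshots, then pull one file out of the newest one (placeholder paths).
Get-ShadowCopiesForDrive -DriveLetter 'C:' | Format-Table -AutoSize
Restore-FileFromShadowCopy -Path 'C:\Users\anna\Documents\report.docx' -Destination 'D:\recovered\report.docx'
```

Write recovered files to a different volume, as in the usage call, so that nothing on the encrypted drive is overwritten while the snapshot is still needed.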

Kaspersky Lab experts analyze the ransomware in detail to find possible flaws in its cryptographic algorithms.

Kaspersky Lab corporate clients are recommended to:

  • check that all protection mechanisms are enabled according to the recommendations; separately, make sure that the KSN and “System Monitoring” (System Watcher) components are not disabled (they are active by default);
  • promptly update anti-virus databases.

This should be enough. But as additional precautions, we recommend:

  • prohibit execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security.
  • configure and enable the "Default Deny" mode in the "Application Launch Control" component in Kaspersky Endpoint Security.

Kaspersky Lab products define this threat as:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak

IoC:

  • http://1dnscontrol[.]com/
  • install_flash_player.exe
  • C:\Windows\infpub.dat
  • C:\Windows\dispci.exe


The end of October this year was marked by the emergence of a new virus that actively attacked the computers of corporate and home users. The new virus is an encryptor called Bad Rabbit. It was used to attack the websites of several Russian mass media outlets. Later, the virus was discovered in the information networks of Ukrainian enterprises, where the networks of the metro, various ministries, international airports and others were attacked. A little later, a similar attack was observed in Germany and Turkey, although its activity was significantly lower than in Ukraine and Russia.

The malware is a program that, once it reaches a computer, encrypts its files. After the information has been encrypted, the attackers try to obtain a reward from users for decrypting their data.

Spread of the virus

Specialists from the ESET antivirus laboratory analyzed the virus's spread path and concluded that it is a modified version of the Petya virus, which was spreading not so long ago.

ESET laboratory specialists determined that the malicious plugins were distributed from the resource 1dnscontrol.com and the IP address 5.61.37.209. Several other resources are also associated with this domain and IP address, including secure-check.host, webcheck01.net, secureinbox.email, webdefense1.net, secure-dns1.net and firewebmail.com.

Experts found that the owners of these sites have registered many different resources, for example ones through which they try to sell counterfeit medicines via spam mailings. ESET specialists do not rule out that the main cyber attack was carried out with the help of these resources, using spam mailings and phishing.

How does Bad Rabbit virus infection occur?

Specialists from the Computer Forensics Laboratory investigated how the virus got onto users' computers. It was found that in most cases the Bad Rabbit ransomware was distributed as an Adobe Flash update. That is, the virus did not exploit any operating system vulnerabilities but was installed by the users themselves, who unknowingly approved its installation, thinking they were updating the Adobe Flash plugin. Once inside the local network, it stole logins and passwords from memory and spread on its own to other computer systems.

How hackers extort money

After the ransomware virus has been installed on the computer, it encrypts the stored information. Next, users receive a message indicating that in order to gain access to their data, they must make a payment on a specified site on the darknet. To do this, you first need to install a special Tor browser. In order to unlock the computer, the attackers extort payment in the amount of 0.05 bitcoin. Today, at $5,600 per Bitcoin, that's approximately $280 to unlock a computer. The user is given a time period of 48 hours to make payment. After this period, if the required amount has not been transferred to the attacker’s electronic account, the amount increases.

How to protect yourself from the virus

  1. To protect yourself from infection by the Bad Rabbit virus, block access from your environment to the domains listed above.
  2. Home users need to update their current Windows version and antivirus program. In this case the malicious file will be detected as ransomware, which rules out its installation on the computer.
  3. Users of the antivirus built into Windows already have protection against this ransomware; it is implemented in Windows Defender Antivirus.
  4. The developers of the Kaspersky Lab antivirus advise all users to back up their data periodically. In addition, experts recommend blocking the execution of the files c:\windows\infpub.dat and c:\WINDOWS\cscc.dat, and, if possible, prohibiting the use of the WMI service.

Conclusion

Every computer user should remember that cybersecurity comes first when working on the network. Therefore, you should always make sure that only trusted information resources are used, and be careful with email and social media: it is through these channels that viruses are most often spread. Basic rules of behavior in the information environment will help avoid the problems that arise during a virus attack.
