Bad Rabbit file decryption. Bad Rabbit: another ransomware virus

The third major cyberattack this year. This time the virus carries a new name, Bad Rabbit, and old habits: encrypting data and extorting money to unlock it. The affected area is again Russia, Ukraine and some other CIS countries.

Bad Rabbit was first reported as following the usual scheme: a phishing email with an attached virus or a link, in which the attackers may pose as Microsoft technical support and ask the recipient to urgently open the attachment or follow the link. The other distribution path, and the one that the analyses further down this page actually document, is a fake Adobe Flash Player update window. Either way, Bad Rabbit then behaves like the recent and widely reported Petya/NotPetya: it encrypts the victim's data and demands a ransom of 0.05 bitcoin, roughly $280 at the exchange rate on October 25, 2017. The victims of the new epidemic were Interfax, the St. Petersburg newspaper Fontanka, the Kiev Metro, the Odessa airport and the Ministry of Culture of Ukraine. There is evidence that the new virus also tried to attack several well-known Russian banks, but those attempts failed. Experts link Bad Rabbit to the previous major attacks recorded this year: its encryption component, detected as Diskcoder.D, is a slightly modified version of the Petya encryptor.

How to protect yourself from Bad Rabbit?

Experts recommend that owners of Windows computers create a file named infpub.dat and place it in the Windows folder on the C: drive, so that the full path is C:\Windows\infpub.dat. This can be done with ordinary Notepad, but Notepad must run with administrator rights: find the Notepad shortcut, right-click it and select "Run as administrator".

Then save the (empty) file to C:\Windows\, that is, the Windows folder on the C: drive, under the name infpub.dat, where "dat" is the file extension. Remember to replace Notepad's default "txt" extension with "dat", and choose "All files" as the file type so that Notepad does not silently append ".txt". After saving, open the Windows folder, find the newly created infpub.dat, right-click it, select "Properties" and check "Read-only" at the bottom of the General tab. Then, even if you catch Bad Rabbit, it cannot overwrite that file, and according to the analyses quoted further down this page the encryption stage does not run. Note that this only protects against the sample seen in this outbreak: a variant that uses a different file name would not be stopped.
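The same procedure, scripted as an added example (it is not the article's own instructions and not from any vendor quoted on this page). It assumes an elevated PowerShell prompt and covers both file names that the recommendations further down this page mention, infpub.dat and cscc.dat. The ACL step goes beyond the read-only attribute the article describes and is this example's own addition:

```powershell
# Added example, not from the article: the infpub.dat "vaccine" for an elevated
# PowerShell prompt. It pre-creates the two file names associated with the dropper,
# C:\Windows\infpub.dat and C:\Windows\cscc.dat, sets the ReadOnly attribute (the
# article's step) and, as an extra step assumed here, strips every ACE from the files.
# An empty DACL means "no access for anyone", so even a SYSTEM-level process must
# first take ownership before it can overwrite the file.

$VaccinePaths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Install-BadRabbitVaccine {
    param([string[]] $Paths = $VaccinePaths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }

        # Step described in the article: read-only attribute.
        (Get-Item -LiteralPath $path -Force).IsReadOnly = $true

        # Extra step: stop inheriting ACEs from C:\Windows (without copying them)
        # and remove every explicit ACE that is left, leaving an empty DACL.
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.Access)) {
            $null = $acl.RemoveAccessRule($ace)
        }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    param([string[]] $Paths = $VaccinePaths)

    foreach ($path in $Paths) {
        $exists   = Test-Path -LiteralPath $path
        $item     = if ($exists) { Get-Item -LiteralPath $path -Force } else { $null }
        $aceCount = if ($exists) { @((Get-Acl -LiteralPath $path).Access).Count } else { -1 }
        [pscustomobject]@{
            Path       = $path
            Exists     = $exists
            ReadOnly   = [bool]($item -and $item.IsReadOnly)
            AceCount   = $aceCount          # 0 after Install-BadRabbitVaccine
            Vaccinated = [bool]($item -and $item.IsReadOnly -and $aceCount -eq 0)
        }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

Run it once as administrator and keep the Test-BadRabbitVaccine output for your records. To undo the ACL change later, take ownership and reset the permissions with the built-in tools (`takeown /f C:\Windows\infpub.dat`, then `icacls C:\Windows\infpub.dat /reset`) before deleting the file. As with the manual procedure, this only blocks a sample that writes these exact file names.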

Preventive measures

Do not forget that you can protect yourself from any virus simply by following a few rules. It sounds trite, but never open emails, and even less their attachments, if the sender's address looks suspicious to you. Phishing emails, that is, emails masquerading as other services, are the most frequent route of infection. Be careful what you open: if the attachment in the email is called "Important document.docx_______.exe", you definitely should not open it. In addition, keep backup copies of important files; a family photo archive or working documents, for example, can be duplicated on an external drive or in cloud storage. Do not underestimate the importance of using a licensed version of Windows and installing updates regularly. Microsoft releases security patches on a regular basis, and those who install them do not have problems with viruses like this.

Hi all! Just the other day a large-scale hacker attack with the new Bad Rabbit encryption virus, also known as Diskcoder.D, began in Russia and Ukraine, as well as Turkey, Germany and Bulgaria. At the moment the ransomware is attacking the corporate networks of large and medium-sized organizations and locking up entire networks. Today we will tell you what this Trojan is and how you can protect yourself from it.

What is a virus?

Bad Rabbit operates according to the standard ransomware scheme: once it gets into the system, it encrypts files, and for their decryption the hackers demand 0.05 bitcoin, about $283 (or 15,700 rubles) at the current rate. The demand is shown in a separate window, where the purchased key is to be entered. Antivirus products detect the threat under generic names such as Trojan.Win32.Generic, and its other components as DangerousObject.Multi.Generic and Ransom.Win32.Gen.ftl.

Bad Rabbit - a new ransomware virus

It is still difficult to trace every source of infection, but experts are working on it. Presumably the threat gets onto the PC through infected sites that redirect the visitor, or under the guise of fake updates for popular plug-ins such as Adobe Flash. The list of such sites keeps growing.

Is it possible to remove the virus and how to protect yourself?

It should be said right away that all the antivirus laboratories have started analysing this Trojan, but if you look specifically for instructions on removing the virus, there are none as such. Let us set aside the standard advice straight away: make a backup of the system, create a restore point, delete such-and-such files. If you have no backups, none of the rest works; the hackers thought these points through when they built the virus.

I think unofficial decryptors for Bad Rabbit written by amateurs will soon be circulating; whether you try them is your own business. As the previous ransomware, Petya, showed, they help few people.

But you can prevent the threat and remove it when it tries to get onto the PC. Kaspersky and ESET were the first labs to react to reports of the epidemic, and they are already blocking infection attempts. Google Chrome has also begun to identify infected resources and warn of their danger. Here is what to do first to protect against Bad Rabbit:

  1. If you use Kaspersky, ESET, Dr.Web or another popular antivirus, update its databases without fail. In Kaspersky, also enable "Activity Monitoring" (System Watcher); in ESET, make sure signature update 16295 is applied.
  2. If you do not use an antivirus, block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy editor or AppLocker. Note that AppLocker applies a default deny to any rule collection that contains rules, so a lone Deny rule with enforcement enabled blocks every other executable or DLL in that collection as well: keep the default Allow rules alongside it, or test in audit mode first.
  3. It is advisable to disable the Windows Management Instrumentation (WMI) service. In Windows 10 the service is called "Windows Management Instrumentation": right-click it, open its properties and set "Startup type" to "Disabled". Be aware before doing this that the analyses quoted further down this page attribute Bad Rabbit's spread to SMB and WebDAV rather than WMI, and that stopping the WMI service breaks management agents, monitoring and many administrative scripts.
  4. Be sure to back up your system. Ideally a copy should always be stored on removable media. Here is a short video tutorial on how to create it.

Conclusion

In conclusion, the most important thing: do not pay the ransom, no matter what has been encrypted. Paying only encourages the scammers to create new virus attacks. Follow the anti-virus companies' forums, which I hope will soon study the Bad Rabbit virus and find an effective cure. Be sure to follow the steps above to protect your OS. If you have difficulty carrying them out, leave a comment.

The Bad Rabbit encryption virus, which attacked Russian media the day before, also tried to attack Russian banks from the top 20, Group-IB, which investigates and prevents cybercrime, told Forbes. The company's representative declined to give details of the attacks on credit institutions, explaining that Group-IB does not disclose information about clients using its intrusion detection system.

According to cybersecurity experts, attempts to infect the infrastructure of Russian banks took place on October 24 between 13:00 and 15:00 Moscow time. Group-IB believes the attacks demonstrated that banks are better protected than companies outside the banking sector. Earlier the company had announced that the new ransomware, probably related to the June outbreak of NotPetya (as indicated by overlaps in the code), had attacked Russian media: the information systems of the Interfax agency and the servers of the St. Petersburg news portal Fontanka. The virus also hit the systems of the Kyiv Metro, the Ministry of Infrastructure of Ukraine and Odessa International Airport. NotPetya hit energy, telecommunications and financial companies, mainly in Ukraine, this summer. For decrypting the files encrypted by Bad Rabbit the attackers demand 0.05 bitcoin, approximately $283 or 15,700 rubles at the current exchange rate.

Kaspersky Lab clarified that this time the hackers chose the majority of their victims in Russia, though the company also recorded similar attacks in Ukraine, Turkey and Germany, "in much smaller numbers". "All signs point to this being a targeted attack on corporate networks. Methods similar to those we observed in the ExPetr attack are used; however, we cannot confirm a connection with ExPetr," a company representative said. Forbes' interlocutor added that all Kaspersky Lab products "detect these malicious files as UDS:DangerousObject.Multi.Generic".

How to protect yourself?

To protect against this attack, Kaspersky Lab recommended using an antivirus with KSN enabled and the System Watcher module. "If a Kaspersky Lab security solution is not installed, we recommend disallowing the execution of files with the names c:\windows\infpub.dat and C:\Windows\cscc.dat using system administration tools," advised Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

Group-IB notes that to stop the virus from encrypting files, "you need to create the file C:\windows\infpub.dat and set it to read-only". After that, even if infected, the files will not be encrypted, the company said. At the same time, computers seen sending such malicious files must be isolated promptly to avoid large-scale infection of other computers on the network. After that, users need to verify that the backups of key network nodes are current and intact.

Once these primary actions are complete, the advice is to update the OS and security systems while blocking the IP addresses and domain names from which the malicious files were distributed. Group-IB also recommends changing all passwords to more complex ones, setting up a pop-up blocker, and prohibiting the storage of clear-text passwords in LSA memory (the storage that the Mimikatz step described further down this page harvests; on Windows 7 and Server 2008 R2 with update KB2871997 installed, this is controlled by the WDigest UseLogonCredential registry value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, which should be set to 0).

Who is behind the BadRabbit attack

Two major ransomware epidemics had already been recorded in 2017: WannaCry (which attacked 200,000 computers in 150 countries) and ExPetr, the latter being both Petya and NotPetya, Kaspersky Lab notes. Now, according to the company, "the third begins". The name of the new ransomware, Bad Rabbit, "is written on a page on the dark web to which its creators send victims to find out the details," the company said. Group-IB believes Bad Rabbit is a modified version of NotPetya with bug fixes in the encryption algorithm; in particular, the Bad Rabbit code includes blocks that repeat NotPetya exactly.

ESET Russia agrees that the Win32/Diskcoder.D malware used in the attack is a modified version of Win32/Diskcoder.C, better known as Petya/NotPetya. As Vitaly Zemskikh, head of sales support at ESET Russia, told Forbes, the attack statistics by country "largely correspond to the geographical distribution of sites containing malicious JavaScript". Thus most infections occurred in Russia (65%), followed by Ukraine (12.2%), Bulgaria (10.2%), Turkey (6.4%) and Japan (3.8%).

Infection with Bad Rabbit occurred after visiting hacked sites. The hackers injected JavaScript into the HTML of the compromised resources, which showed visitors a fake window offering to install an Adobe Flash Player update. If the user agreed to the update, a malicious file named "install_flash_player.exe" was installed on the computer. "Having infected a workstation within an organization, the encryptor can spread across the corporate network via the SMB protocol. Unlike its predecessor Petya/NotPetya, Bad Rabbit does not use the EternalBlue exploit; instead, it scans the network for open network shares," says Zemskikh. Next, the Mimikatz tool is launched on the infected machine to collect credentials. In addition, the malware carries a hard-coded list of logins and passwords.

There is no information yet about who organized the attacks. At the same time, according to Group-IB, the similar mass attacks of WannaCry and NotPetya could be associated with state-funded hacker groups. Experts draw this conclusion from the fact that the financial gain from such attacks, compared with the complexity of carrying them out, is "negligible". "Most likely these were not attempts to make money but to test the level of protection of the critical infrastructure networks of enterprises, government departments and private companies," the experts conclude. A Group-IB spokesperson confirmed to Forbes that the latest virus, Bad Rabbit, could be such a test of government and business infrastructure. "Yes, it is possible, considering that the attacks were carried out pointedly, against critical infrastructure objects: the airport, the metro, government agencies," the Forbes interlocutor explains.

Asked about the perpetrators of the latest attack, ESET Russia emphasizes that with only an anti-virus company's tools it is impossible to conduct a proper investigation and identify those involved; that is a task for specialists of a different profile. "As an antivirus company, we identify the methods and targets of attacks, the attackers' malicious tools, vulnerabilities and exploits. The search for the perpetrators, their motives, nationality and so on is not our responsibility," a company representative said, promising to draw conclusions about the purpose of Bad Rabbit from the results of the investigation. "Unfortunately, in the near future we will see many such incidents; the vector and scenario of this attack have proved highly effective," ESET Russia forecasts. Forbes' interlocutor recalls that in 2017 the company predicted a rise in the number of targeted attacks on the corporate sector, primarily on financial organizations (by more than 50%, according to preliminary estimates). "These predictions are now coming true; we are seeing an increase in the number of attacks combined with an increase in damage to the affected companies," he admits.

Yesterday, October 24, 2017, major Russian media, as well as a number of Ukrainian government agencies, were attacked by unknown intruders. Interfax, Fontanka and at least one other unnamed online publication were among the victims. After the media, problems were also reported by Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure. According to Group-IB analysts, the criminals also tried to attack banking infrastructure, but those attempts were unsuccessful. ESET specialists, in turn, say the attacks affected users in Bulgaria, Turkey and Japan.

As it turned out, the disruptions at companies and government agencies were caused not by massive DDoS attacks but by ransomware that goes by the name Bad Rabbit (some experts prefer to write BadRabbit, without a space).

Little was known yesterday about the malware and its mechanisms: it was reported that the ransomware demanded 0.05 bitcoin, and Group-IB experts said the attack had been in preparation for several days: two JS scripts were found on the attackers' site and, judging by the information from the server, one of them had been updated on October 19, 2017.

Now, although less than a day has passed since the attacks began, experts from almost all the world's leading information security companies have already analysed the ransomware. So what is Bad Rabbit, and should we expect a new "ransomware epidemic" like WannaCry or NotPetya?

How did Bad Rabbit manage to disrupt major media if it was only fake Flash updates? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS and also carried a list of the most common logins and passwords. With all of this it spread via SMB and WebDAV to other servers and workstations on the same network as the infected device. At the same time, experts from those companies and from Cisco Talos believe that in this case no tool leaked from the intelligence services and exploiting SMB flaws was involved. Let me remind you that WannaCry and NotPetya were distributed with exactly such an exploit, EternalBlue.
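The spreading behaviour described above leaves a recognisable trace in the Windows Security log of every target: a burst of failed network logons (event 4625, logon type 3) for many different accounts from one source address, followed by a successful logon (4624) once a guessed or harvested credential works. The following is an added example, not from ESET, Emsisoft, Fox-IT or the article, of a hunting function for that pattern; the thresholds, the field mapping and the sample events are constructed for this example:

```powershell
# Added example, not from the article or the vendors it quotes: hunt for one source
# address that walks a login/password list over SMB against this host. Failed guesses
# leave 4625 events with LogonType 3 on the target; the hit that follows leaves a 4624.
# Thresholds and the sample data below are assumptions made for this example.

function Find-SmbSprayingSources {
    param(
        # Objects with TimeCreated (DateTime), Id (4624/4625), LogonType, IpAddress, TargetUserName
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinAccounts   = 5,    # distinct accounts tried before a source is reported
        [int] $WindowMinutes = 10    # all failures must fall inside this window
    )

    $Events |
        Where-Object { $_.LogonType -eq 3 -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $fails = @($_.Group | Where-Object { $_.Id -eq 4625 } | Sort-Object TimeCreated)
            if ($fails.Count -eq 0) { return }           # nothing failed from this source

            $accounts = @($fails | Select-Object -ExpandProperty TargetUserName -Unique)
            $span     = ($fails[-1].TimeCreated - $fails[0].TimeCreated).TotalMinutes
            $hits     = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.TimeCreated -ge $fails[0].TimeCreated })

            if ($accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Source        = $_.Name
                    FailedLogons  = $fails.Count
                    AccountsTried = $accounts.Count
                    SpanMinutes   = [math]::Round($span, 1)
                    SucceededAs   = (@($hits | Select-Object -ExpandProperty TargetUserName -Unique) -join ', ')
                }
            }
        }
}

# Constructed sample: 10.0.0.17 walks a short login list against this machine within a few
# seconds and gets in as "backup"; 10.0.0.5 is a user who mistyped a password once.
$t0 = Get-Date '2017-10-24 13:05:00'
$guessList = 'Administrator', 'Admin', 'Guest', 'User', 'root', 'backup', 'Alex'   # illustrative names
$i = 0
$sample = foreach ($user in $guessList) {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds($i++); Id = 4625; LogonType = 3; IpAddress = '10.0.0.17'; TargetUserName = $user }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20); Id = 4624; LogonType = 3; IpAddress = '10.0.0.17'; TargetUserName = 'backup' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3);  Id = 4625; LogonType = 3; IpAddress = '10.0.0.5';  TargetUserName = 'jsmith' }

Find-SmbSprayingSources -Events $sample | Format-Table -AutoSize

# On a live host, build $Events from the Security log instead of the sample above:
# $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         $d = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{
#             TimeCreated    = $_.TimeCreated
#             Id             = $_.Id
#             LogonType      = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#             IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
#             TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         }
#     }
```

On the constructed sample only 10.0.0.17 is reported (seven failures across seven accounts in about six seconds, then a success as "backup"); the single failure from 10.0.0.5 stays below the threshold. Tune `MinAccounts` and `WindowMinutes` to the site: a scanner that tries a short hard-coded list finishes in seconds, while legitimate users rarely fail for more than one or two account names from the same address.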

However, experts have still found some similarities between Bad Rabbit and Petya (NotPetya): the ransomware does not just encrypt user files using the open-source DiskCryptor, it also modifies the MBR (Master Boot Record), after which it reboots the computer and displays the ransom message on screen.

Although the message with the attackers' demands is almost identical to that of the NotPetya operators, expert opinions on the connection between Bad Rabbit and NotPetya differ slightly. Thus, Intezer analysts calculated that the source malware

Back in the late 1980s, the AIDS Trojan ("PC Cyborg") written by Joseph Popp hid directories and encrypted files, demanding about $200 for a "license renewal". At first ransomware targeted only ordinary people using Windows computers, but the threat has since become a serious problem for business: more and more such programs appear, and they become cheaper and more accessible. Extortion using malware is the main cyber threat in two thirds of EU countries. One of the most widespread ransomware families, CryptoLocker, has infected more than a quarter of a million computers in the EU since September 2013.

In 2016 the number of ransomware attacks grew dramatically, more than 100-fold compared with the previous year, according to analysts. The trend is growing and, as we have seen, very different companies and organizations come under attack; the threat is also relevant for non-profit organizations. Since before every major attack the malware is upgraded and tested by the attackers for "passing" antivirus protection, antiviruses are, as a rule, powerless against it.

On October 12 the Security Service of Ukraine warned of the likelihood of new large-scale cyberattacks on government agencies and private companies, similar to the June epidemic of the NotPetya encryption virus. According to the Ukrainian intelligence service, "the attack can be carried out using updates, including of publicly available application software". Recall that in the NotPetya attack, which researchers associated with the BlackEnergy group, the first victims were companies using the software of M.E.Doc, the Ukrainian developer of a document management system.

Then, within the first two hours, energy, telecommunications and financial companies were attacked: Zaporozhyeoblenergo, Dneproenergo, Dnipro Electric Power System, Mondelez International, Oschadbank, Mars, Nova Poshta ("New Mail"), Nivea, TESA, the Kiev Metro, computers of the Cabinet of Ministers and the Government of Ukraine, Auchan stores, the Ukrainian operators Kyivstar, LifeCell and Ukrtelecom, Privatbank and Boryspil airport.

A little earlier, in May 2017, the WannaCry ransomware attacked 200,000 computers in 150 countries. The virus swept through the networks of universities in China, Renault factories in France and Nissan in Japan, the telecommunications company Telefonica in Spain and the railway operator Deutsche Bahn in Germany. Because of blocked computers in UK clinics, operations had to be postponed, and regional departments of the Russian Ministry of Internal Affairs could not issue driver's licences. Researchers said North Korean hackers from Lazarus were behind the attack.

In 2017 encryption viruses reached a new level: cybercriminals' use of tools from the arsenals of American intelligence agencies, and of new distribution mechanisms, led to international epidemics, the largest of which were WannaCry and NotPetya. Despite the scale of the infections, the ransomware itself collected relatively insignificant sums; most likely these were not attempts to make money but to test the level of protection of the networks of critical infrastructure enterprises, government departments and private companies.


