Bad Rabbit ransomware outbreak: what you need to know

When news of the third major ransomware outbreak of the year broke, there was a lot of confusion. Now that the dust has settled, we can investigate what exactly “Bad Rabbit” is.

According to media reports, many computers were encrypted in this attack. Public sources have confirmed that the computer systems of the Kiev metro, Odessa airport and numerous other organizations in Russia and Ukraine were affected. The malware used was Win32/Diskcoder.D (ESET's detection name), a new variant of the ransomware family popularly known as "Petya". The previous Diskcoder outbreak, Diskcoder.C, better known as NotPetya, caused damage on a global scale in June 2017.

ESET's telemetry shows numerous detections of Diskcoder.D in Russia and Ukraine; however, there are also detections on computers in Turkey, Bulgaria and some other countries.

ESET security researchers are currently working on a comprehensive analysis of this malware. According to their preliminary findings, Diskcoder.D carries a build of the Mimikatz tool to extract credentials from the affected systems. Their analysis is ongoing, and we will keep you posted as soon as more details are revealed.

ESET's telemetry also shows that Ukraine accounts for only 12.2% of the Bad Rabbit detections they saw. The full distribution:

Russia: 65%
Ukraine: 12.2%
Bulgaria: 10.2%
Turkey: 6.4%
Japan: 3.8%
Other: 2.4%

That is the distribution of Bad Rabbit compromises by country. Notably, all of these countries were hit at the same time, which makes it quite likely that the group already had a foothold in the networks of the affected organizations before the outbreak.

It is definitely ransomware

The unfortunate victims of the attack quickly realized what had happened, because the ransomware is not subtle: it presents victims with a ransom note telling them that their files are "no longer accessible" and "no one will be able to recover them without our decryption service". Victims are directed to a Tor payment page and presented with a countdown timer. Pay within the first 40 hours or so, they are told, and the price for decrypting the files is 0.05 bitcoin, about $285 at the time. Those who do not pay before the timer reaches zero are told that the fee will increase. Disk encryption is done with DiskCryptor, legitimate open-source full-drive-encryption software that the malware bundles as a driver, while individual files are encrypted with AES-128-CBC through the Windows CryptoAPI. Keys are generated with CryptGenRandom and then encrypted with an RSA-2048 public key embedded in the malware, so only the holder of the matching private key can recover them.

It is based on Petya / Not Petya

If the ransom note looks familiar, it's because it is nearly identical to the one that victims of the NotPetya outbreak saw in June. The similarities aren't just cosmetic either: Bad Rabbit also shares behind-the-scenes elements with NotPetya.

Analysis by CrowdStrike researchers found that the Bad Rabbit and NotPetya DLLs (dynamic link libraries) share 67 percent of their code, indicating that the two ransomware variants are closely related and potentially the work of the same threat actor.

The attack has affected high-profile organizations in Russia and Eastern Europe.

Researchers have compiled a long list of countries with victims of the outbreak, including Russia, Ukraine, Germany, Turkey, Poland and South Korea. Three Russian media organizations, including the news agency Interfax, reported "hacker attacks" or file-encrypting malware that took their systems offline. Other high-profile organizations in the affected regions include Odessa International Airport and the Kiev Metro. This led CERT-UA, Ukraine's Computer Emergency Response Team, to warn of "the possible start of a new wave of cyberattacks on Ukraine's information resources."

May have had selected targets

When WannaCry broke, systems around the world were hit in an apparently indiscriminate attack. Bad Rabbit, on the other hand, appears to have targeted corporate networks.

ESET researchers back this idea: the script injected into the compromised websites collects information about the visitor to determine whether they are of interest, and the fake update prompt is added to the page only if the target is deemed suitable for infection.

It is spread through a fake Flash update on compromised websites.

The main way Bad Rabbit spreads is drive-by download from hacked websites. No exploits are used; instead, visitors to compromised websites, some of which have been compromised since June, are told that they need to install a Flash update. Of course, this is not a Flash update but a dropper (distributed as install_flash_player.exe) that the victim has to run themselves and approve through a UAC prompt before the malicious installation begins. The infected websites, mostly based in Russia, Bulgaria and Turkey, were compromised by having JavaScript injected into their HTML body or into one of their .js files.

It can spread laterally through networks.

Like NotPetya, Bad Rabbit contains an SMB component that lets it move laterally through an infected network and spread without user interaction.

That spread is helped by a hardcoded list of simple username and password combinations that the malware tries against other machines on the network, alongside the credentials it harvests with Mimikatz. The list contains the easy-to-guess credentials you would expect: usernames such as Administrator, Admin and Guest, paired with passwords such as 12345-style sequences or simply "password".
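Credential guessing of this kind is noisy in the Windows Security log, which is the defender's advantage. The script below is an added example, not code from the article or from any of the vendors it cites: it looks for one source address producing failed network logons (event 4625, LogonType 3) for many different account names inside a short window, which is what Bad Rabbit's built-in list produces when it is tried over SMB, and reports whether any guess then succeeded (event 4624). The function name, thresholds and the sample events are assumptions made for the example; the event IDs, logon type and field names are the real ones.

```powershell
# Added example, not code from the article or from any of the vendors it cites: a small
# detector for the credential-spraying described above. Bad Rabbit tries a built-in list of
# usernames and passwords over SMB, which the Windows Security log records as network
# logons (LogonType 3): a burst of 4625 (failed logon) events for many different account
# names from one source, sometimes followed by a 4624 (successful logon) once a guess lands.

function Find-CredentialSpray {
    param(
        # Objects with Time, Id, LogonType, TargetUserName and IpAddress properties
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes    = 10,   # how long one spray burst may last (assumption)
        [int] $MinDistinctUsers = 5     # fewer distinct names than this is probably typos
    )
    $network = $Events | Where-Object { $_.LogonType -eq 3 -and $_.Id -in 4624, 4625 }
    foreach ($source in ($network | Group-Object IpAddress)) {
        $sorted = @($source.Group | Sort-Object Time)
        # Slide a window over this source's logons; a window that touches many distinct
        # usernames is a spray regardless of how the individual attempts ended.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $failedUsers = @($window | Where-Object { $_.Id -eq 4625 } |
                             Select-Object -ExpandProperty TargetUserName -Unique)
            if ($failedUsers.Count -ge $MinDistinctUsers) {
                $hits = @($window | Where-Object { $_.Id -eq 4624 } |
                          Select-Object -ExpandProperty TargetUserName -Unique)
                [pscustomobject]@{
                    Source        = $source.Name
                    WindowStart   = $start
                    DistinctUsers = $failedUsers.Count
                    Failures      = @($window | Where-Object { $_.Id -eq 4625 }).Count
                    SucceededAs   = $hits -join ','
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

# Constructed sample (not real telemetry): one host working through Bad Rabbit-style
# guesses against a file server, and one interactive user who mistyped a password twice.
$t = [datetime]'2017-10-24 13:00:00'
$events = @(
    [pscustomobject]@{ Time = $t.AddSeconds(1); Id = 4625; LogonType = 3; TargetUserName = 'Administrator'; IpAddress = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddSeconds(2); Id = 4625; LogonType = 3; TargetUserName = 'Admin';         IpAddress = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddSeconds(3); Id = 4625; LogonType = 3; TargetUserName = 'Guest';         IpAddress = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddSeconds(4); Id = 4625; LogonType = 3; TargetUserName = 'User';          IpAddress = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddSeconds(5); Id = 4625; LogonType = 3; TargetUserName = 'root';          IpAddress = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddSeconds(6); Id = 4624; LogonType = 3; TargetUserName = 'backup';        IpAddress = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddMinutes(3);                Id = 4625; LogonType = 2; TargetUserName = 'jsmith'; IpAddress = '10.0.0.7' }
    [pscustomobject]@{ Time = $t.AddMinutes(3).AddSeconds(20); Id = 4625; LogonType = 2; TargetUserName = 'jsmith'; IpAddress = '10.0.0.7' }
)

Find-CredentialSpray -Events $events | Format-Table -AutoSize
```

On a real host, build `$Events` from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` and pull `LogonType`, `TargetUserName` and `IpAddress` out of each event's XML (`$_.ToXml()`); the interactive failures from 10.0.0.7 are ignored by design because LogonType 2 is a console logon, not SMB.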

Does not use EternalBlue

When Bad Rabbit first appeared, some suggested that, like WannaCry, it used the EternalBlue exploit to spread. That does not seem to be the case. "We currently have no evidence that the EternalBlue exploit is being used to spread the infection," Martin Lee, technical lead for security research at Cisco Talos, told ZDNet. Later analysis by Talos did find that Bad Rabbit uses a different exploit from the same leaked toolkit, EternalRomance, to help it move between machines, so the MS17-010 patch still matters for containing it.

Contains Game of Thrones references.

Whoever is behind Bad Rabbit appears to be a Game of Thrones fan: the scheduled tasks the malware creates are named Viserion, Drogon and Rhaegal, after the dragons in the television series and the novels it is based on. The authors are not doing much to change the stereotypical image of hackers as geeks and nerds.

There are steps you can take to stay safe

At this time, no one knows whether it is possible to decrypt files locked by Bad Rabbit. Some might suggest paying the ransom and seeing what happens... Bad idea.

It is tempting to think that almost $300 is worth paying for what could be very important, even irreplaceable, files, but there is no guarantee that paying the ransom will restore access, and it does nothing to help the fight against ransomware: attackers will keep targeting victims as long as they see returns.

Several security vendors say their products protect against Bad Rabbit. For those who want an extra safeguard, Kaspersky Lab says that users can block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat to prevent infection.
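One practical way to act on that advice is the "vaccine" that Cybereason published during the outbreak: create those two files yourself and strip all permissions from them, so the dropper cannot write its payload there. The script below is an added example of that approach, not code from the article, Kaspersky or Cybereason; the function names are assumptions, the file paths are the ones the malware actually uses. It must run elevated, and it is prevention only: it does nothing for a host that is already encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or any vendor: the "vaccine" form of the advice
# above. The dropper writes its payload DLL to C:\Windows\infpub.dat and the bundled
# DiskCryptor driver to C:\Windows\cscc.dat. If those two paths already exist as files
# that no principal can write to or execute, the dropper fails before anything is
# encrypted. Function names are assumptions made for this example.

$VaccinePaths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

function Install-BadRabbitVaccine {
    foreach ($path in $VaccinePaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # A freshly created file in C:\Windows carries only inherited permissions.
        # /inheritance:r removes them without copying them, leaving an empty DACL:
        # nobody (SYSTEM included) is granted write or execute on the file.
        icacls $path /inheritance:r | Out-Null
    }
}

function Test-BadRabbitVaccine {
    # True only when both files exist and their DACLs grant nothing to anyone.
    foreach ($path in $VaccinePaths) {
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        $dacl = (Get-Acl -LiteralPath $path).Access
        if (@($dacl).Count -ne 0) { return $false }
    }
    return $true
}

Install-BadRabbitVaccine
if (Test-BadRabbitVaccine) {
    Write-Output 'Vaccine files are in place with empty DACLs.'
} else {
    Write-Warning 'A vaccine file is missing or still grants access; check icacls output.'
}
```

The same effect can be had with an AppLocker or Software Restriction Policy rule that denies execution of those two paths, which is closer to the literal "block execution" wording; the file-based vaccine has the advantage of needing no policy infrastructure. Either way, it narrows only this particular dropper: the SMB credential spraying and Mimikatz harvesting described above still work against a host that has not been hit yet, so weak local passwords and unpatched MS17-010 remain the bigger exposure.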
