• Hacking News
    • Leaks
    • WikiLeaks
    • Anonymous
  • Tech
    • Android
    • Apple News
    • BlackBerry
    • Google News
    • Microsoft
    • Motorola
    • Nokia
    • Samsung
    • 3D
  • Cyber Crime
    • Phishing Scam
  • How To
  • Cyber Events
    • Censorship
    • Cyber Attacks
  • Security
    • Malware
  • Surveillance
    • Drones
    • NSA
    • Privacy
  • Explore
    • Gaming
    • Science
    • Viral
HackRead
  • March 9th, 2021
  • Home
  • Advertise
  • Privacy Policy
  • Contact Us
HackRead
  • Hacking News
    • Leaks
    • WikiLeaks
    • Anonymous
  • Tech
    • Android
    • Apple News
    • BlackBerry
    • Google News
    • Microsoft
    • Motorola
    • Nokia
    • Samsung
    • 3D
  • Cyber Crime
    • Phishing Scam
  • How To
  • Cyber Events
    • Censorship
    • Cyber Attacks
  • Security
    • Malware
  • Surveillance
    • Drones
    • NSA
    • Privacy
  • Explore
    • Gaming
    • Science
    • Viral
  • Follow us
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
Home
Security
Malware

Bad Rabbit ransomware spreading like wildfire but there is a way out

October 25th, 2017 Waqas Security, Hacking News, Malware 0 comments
Bad Rabbit ransomware spreading like wildfire but there is a way out
Share on FacebookShare on Twitter

Ransomware attacks are on an all-time rise lately. This particular news is about another widespread ransomware campaign that is affecting users around Europe, and about 200 mainstream organizations have already become victims of the attack.

Bad Rabbit ransomware

The ransomware, named as Bad Rabbit, is spreading like wildfire and has targeted corporate networks in Russia, Germany, Ukraine, and Turkey mainly. Organizations that have been targeted so far include Kiev Metro payment systems, Interfax and Fontanka (Russian news agencies), Odessa International Airport and the Ukraine’s Ministry of Infrastructure.

This is a Petya type ransomware that has launched targeted attacks in the past few hours. After successfully compromising the system and encrypting the data, attackers demand 0.05 bitcoin, approx. $285 as ransom to hand over decryption key.

Culprit: Fake Adobe Flash Installers

The campaign was identified by security researchers at Kaspersky Labs on October 24th. In a detailed blog post, Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote that Bad Rabbit is distributed through drive-by download attacks and utilizes fake Adobe Flash players installers to trap victims into installing malware.

Bad Rabbit belongs to a relatively new and unknown ransomware family, and its target is achieved without using any exploit. The victim is required to manually execute the ransomware dropper, which is downloaded from the attacker’s infrastructure at hxxp://1dnscontrol[.]com/flash_install.php.

The file downloaded is named install_flash_player.exe. The victim manually launches this file but to operate properly; it requires high-level administrative privileges that are obtained through the standard UAC prompt. When initiated, the file stores the malicious DLL at this location in the computer: C:\Windows\infpub.dat. It is then launched through rundll32 command.

Various compromised websites were identified by Kaspersky researchers, all of which were news and media related sites. The original vector attack was detected in the morning of October 24th, and the attack lasted until midday, but it is an ongoing and active campaign, which is being monitored by Kaspersky researchers. According to their findings, victims are redirected to malware web sources located at authentic and legitimate websites.

ESET security researchers discovered Bad Rabbit malware as another variant of Petya (also known as NotPetya, GoldenEye, Petrwrap, and exPetr) ransomware ,’Win32/Diskcoder.D’. Diskcryptor, which is an open-source full drive encryption software, is used by Bad Rabbit to perform data encryption on infected computers using RSA 2048 keys.

According to ESET researchers, this new campaign does not use EternalBlue exploit but scans the internal network to open SMB (Server Message Block) shares and then uses a hardcoded list of common credentials to drop malware. It also utilizes Mimikatz post-exploitation tool to obtain credentials from infected systems.

Once compromised, the attackers force victims to log into a Tor onion website to pay the ransom within 40 hours, as depicted in the ransom note below:

Bad Rabbit Ransomware Targeting Corporate Networks Across Europe and Beyond

How to get rid of Bad Rabbit ransomware?

Amit Serper, a security researcher, and malware analyst came up with a “Vaccination for Bad Rabbit” and as confirmed by other security researchers it really works. According to Serper, a victim needs to:

“Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)”

I can confirm – Vaccination for #badrabbit:
Create the following files c:windowsinfpub.dat && c:windowscscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) pic.twitter.com/5sXIyX3QJl

— Amit Serper (@0xAmit) October 24, 2017

According to Kaspersky researchers, to protect your computer, you need to disable WMI service which will not let the malware spread to the network. Moreover, users must remain cautious while clicking on attachments and web links sent by unknown senders via emails and avoid downloading software from third-party platforms.

[fullsquaread][/fullsquaread]

  • Tags
  • Cyber Attack
  • Cyber Crime
  • hacking
  • Infosec
  • internet
  • Malware
  • Petya
  • Privacy
  • Ransomware
  • security
  • Technology
  • WannaCry
Facebook Twitter LinkedIn Pinterest
Previous article FIN7 Spear Phishing Attacks Now Aim At Avoiding Detection
Next article jQuery Blog Gets Hacked - Hackers Compromise CoinHive's DNS
Waqas

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related Posts
European Banking Authority victim in Microsoft Exchange Server hack

European Banking Authority victim in Microsoft Exchange Server hack

FluBot Android malware mimics FedEx, Chrome apps to steal user data

FluBot Android malware mimics FedEx, Chrome apps to steal user data

Microsoft, FireEye report 3 new malware linked to SolarWinds hackers

Microsoft, FireEye report 3 new malware linked to SolarWinds hackers

Newsletter

Get the best stories straight into your inbox!



Don’t worry, we don’t spam

Latest Posts
European Banking Authority victim in Microsoft Exchange Server hack
Hacking News

European Banking Authority victim in Microsoft Exchange Server hack

FluBot Android malware mimics FedEx, Chrome apps to steal user data
Android

FluBot Android malware mimics FedEx, Chrome apps to steal user data

John McAfee Charged with Fraud in Cryptocurrency Scam
Cyber Crime

John McAfee Charged with Fraud in Cryptocurrency Scam

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.

Follow us