Ransomware attacks are on an all-time rise lately. This particular news is about another widespread ransomware campaign that is affecting users around Europe, and about 200 mainstream organizations have already become victims of the attack.
Bad Rabbit ransomware
The ransomware, named as Bad Rabbit, is spreading like wildfire and has targeted corporate networks in Russia, Germany, Ukraine, and Turkey mainly. Organizations that have been targeted so far include Kiev Metro payment systems, Interfax and Fontanka (Russian news agencies), Odessa International Airport and the Ukraine’s Ministry of Infrastructure.
This is a Petya type ransomware that has launched targeted attacks in the past few hours. After successfully compromising the system and encrypting the data, attackers demand 0.05 bitcoin, approx. $285 as ransom to hand over decryption key.
Culprit: Fake Adobe Flash Installers
The campaign was identified by security researchers at Kaspersky Labs on October 24th. In a detailed blog post, Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote that Bad Rabbit is distributed through drive-by download attacks and utilizes fake Adobe Flash players installers to trap victims into installing malware.
Bad Rabbit belongs to a relatively new and unknown ransomware family, and its target is achieved without using any exploit. The victim is required to manually execute the ransomware dropper, which is downloaded from the attacker’s infrastructure at hxxp://1dnscontrol[.]com/flash_install.php.
The file downloaded is named install_flash_player.exe. The victim manually launches this file but to operate properly; it requires high-level administrative privileges that are obtained through the standard UAC prompt. When initiated, the file stores the malicious DLL at this location in the computer: C:\Windows\infpub.dat. It is then launched through rundll32 command.
Various compromised websites were identified by Kaspersky researchers, all of which were news and media related sites. The original vector attack was detected in the morning of October 24th, and the attack lasted until midday, but it is an ongoing and active campaign, which is being monitored by Kaspersky researchers. According to their findings, victims are redirected to malware web sources located at authentic and legitimate websites.
ESET security researchers discovered Bad Rabbit malware as another variant of Petya (also known as NotPetya, GoldenEye, Petrwrap, and exPetr) ransomware ,’Win32/Diskcoder.D’. Diskcryptor, which is an open-source full drive encryption software, is used by Bad Rabbit to perform data encryption on infected computers using RSA 2048 keys.
According to ESET researchers, this new campaign does not use EternalBlue exploit but scans the internal network to open SMB (Server Message Block) shares and then uses a hardcoded list of common credentials to drop malware. It also utilizes Mimikatz post-exploitation tool to obtain credentials from infected systems.
Once compromised, the attackers force victims to log into a Tor onion website to pay the ransom within 40 hours, as depicted in the ransom note below:
How to get rid of Bad Rabbit ransomware?
Amit Serper, a security researcher, and malware analyst came up with a “Vaccination for Bad Rabbit” and as confirmed by other security researchers it really works. According to Serper, a victim needs to:
“Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)”
I can confirm – Vaccination for #badrabbit:
Create the following files c:windowsinfpub.dat && c:windowscscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) pic.twitter.com/5sXIyX3QJl— Amit Serper (@0xAmit) October 24, 2017
According to Kaspersky researchers, to protect your computer, you need to disable WMI service which will not let the malware spread to the network. Moreover, users must remain cautious while clicking on attachments and web links sent by unknown senders via emails and avoid downloading software from third-party platforms.
[fullsquaread][/fullsquaread]
