New "Bad Rabbit" ransomware. How does the Bad Rabbit ransomware work, and is there any connection with NotPetya? How to protect yourself from Bad Rabbit

Update 10/27/2017. Assessing the decryption capability. Possibility of file recovery. Verdicts.

What happened?

On Tuesday, October 24, we received notifications of massive attacks using the Bad Rabbit ransomware. Organizations and individual users were affected - mainly in Russia, but there were also reports of victims from Ukraine. Victims see this message:

What is Bad Rabbit?

Bad Rabbit belongs to a previously unknown family of ransomware.

How is it distributed?

The malware is spread using a drive-by attack: the victim visits a legitimate website, and . The criminals did not use , so to get infected the user had to manually run a file disguised as an Adobe Flash installer. However, our analysis confirms that Bad Rabbit used the EternalRomance exploit to spread within corporate networks. The same exploit was used by the ExPetr ransomware.

We have discovered a number of hacked resources - all of them are news portals and media sites.

Who is the attack aimed at?

Most of the victims are in Russia. Similar, but less massive attacks affected other countries - Ukraine, Turkey and Germany. The total number of targets, according to KSN statistics, reaches 200.

When did Kaspersky Lab discover the threat?

We were able to trace the original vector of the attack from its very beginning, on the morning of October 24th. The active phase lasted until noon, although individual attacks were recorded until 19:55 Moscow time. The server from which the Bad Rabbit dropper was distributed was shut down that evening.

How is Bad Rabbit different from the ExPetr ransomware? Or is it the same malware?

According to our observations, now we are talking about a targeted attack on corporate networks, its methods are similar to those used during. Moreover, analysis of the Bad Rabbit code demonstrated its marked similarity to the ExPetr code.

Technical details

According to our data, the ransomware spreads through a drive-by attack. The ransomware dropper is downloaded from hxxp://1dnscontrol[.]com/flash_install.php.

Victims are redirected to this malicious resource from legitimate news sites.

The victim must run the downloaded install_flash_player.exe file manually. To function properly, the file requires administrator rights, which it requests through a standard UAC prompt. When launched, the malware saves the malicious DLL as C:\Windows\infpub.dat and runs it via rundll32.

Pseudocode of the malicious DLL installation procedure

Apparently, the infpub.dat library brute-forces NTLM logins against Windows machines at pseudo-random IP addresses, using a hardcoded list of credentials.

Hardcoded list of credentials

The infpub.dat library also drops a malicious executable, dispci.exe, into C:\Windows and creates a scheduled task to run it.

Pseudocode of the procedure that creates the task of launching a malicious executable file

Moreover, infpub.dat acts like a typical ransomware: it finds the victim’s data using a built-in list of extensions and encrypts the files with a public 2048-bit RSA key owned by the attackers.

Attackers' public key and list of extensions

Public key parameters:

Public-Key: (2048 bit)
Modulus:
00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:
6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:
37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:
93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:
95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:
a6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:
4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:
1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:
1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:
59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:
59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:
f4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:
8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:
47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:
0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:
81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:
84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:
1f:61
Exponent: 65537 (0x10001)


The dispci.exe executable appears to be based on code from the legitimate DiskCryptor utility. It acts as a disk encryption module and installs a modified bootloader in parallel, blocking the normal boot process of the infected system.

While analyzing samples of this threat, we noticed an interesting detail: apparently, the authors of the malware are fans of “Game of Thrones.” Some lines in the code represent the names of characters from this universe.

Names of dragons from Game of Thrones

Names of characters from Game of Thrones

Encryption scheme

As we already mentioned, Bad Rabbit ransomware encrypts the victim’s files and hard drive. The following algorithms are used for files:

  1. AES-128-CBC
  2. RSA-2048

This is a typical scheme used by ransomware.

Interestingly, the ransomware enumerates all running processes, computes a hash of each process name and compares it against a built-in list of hashes (the names of several security products). The hashing algorithm is similar to the one used by the ExPetr malware.

Comparison of Bad Rabbit and ExPetr hashing procedures

Special branch of program execution

Runtime Flag Initialization Procedure

Full list of hashes from process names:

Hash          Process name
0x4A241C3E    dwwatcher.exe
0x923CA517    McTray.exe
0x966D0415    dwarkdaemon.exe
0xAA331620    dwservice.exe
0xC8F10976    mfevtps.exe
0xE2517A14    dwengine.exe
0xE5A05A00    mcshield.exe

Partitions on the victim's hard drive are encrypted using the dcrypt.sys driver of DiskCryptor (it is loaded into C:\Windows\cscc.dat). The encryptor sends the necessary IOCTL codes to this driver. Some functions are taken "as is" from the DiskCryptor source code (drv_ioctl.c), while others appear to have been added by the malware's developers.

Disk partitions are encrypted by the DiskCryptor driver using AES in XTS mode. The password is generated by dispci.exe using the WinAPI CryptGenRandom function and is 32 characters long.

Assessing decryption capability

Our data suggests that Bad Rabbit, unlike ExPetr, was not created as a wiper (we wrote earlier that the creators of ExPetr are technically unable to decrypt an MFT encrypted using GoldenEye). The malware's algorithm implies that the attackers behind Bad Rabbit have the necessary decryption tools.

The data that appears on the infected machine's screen as "personal installation key#1" is an RSA-2048 encrypted and base64 encoded binary structure that contains the following information from the infected system:

Attackers can use their RSA private key to decrypt this structure and send the disk decryption password to the victim.

Please note that the value of the id field that is passed to dispci.exe is simply a 32-bit number used to distinguish between infected computers, and not the AES key for disk encryption, as some reports published on the Internet have said.

During the analysis, we extracted the password created by the malware while running it under a debugger and tried to enter it on the locked system after a reboot: the password was accepted and the boot process continued.

Unfortunately, it is impossible to decrypt the data on the disks without the attackers' RSA-2048 private key: the symmetric keys are securely generated on the victim's side, which in practice rules out brute-forcing them.

However, we discovered a bug in the dispci.exe code: the generated password is not wiped from memory, which gives a small chance of retrieving it before the dispci.exe process terminates. In the screenshot below, you will notice that while the dc_pass variable (which is passed to the driver) is securely erased after use, this is not the case for the rand_str variable, which holds a copy of the password.

Pseudo code for a procedure that generates a password and encrypts disk partitions

File encryption

As we have already written, the Trojan uses a typical file encryption scheme. It generates a random 32-byte string and feeds it into the key derivation algorithm. Unfortunately for victims, this string is produced by the CryptGenRandom function, so it cannot be predicted.

Key derivation algorithm

The encrypted password, along with information about the infected system, is written to the Readme file as “personal installation key#2”.

Interesting fact: the malware does not encrypt files with the Read-Only attribute.

Ability to recover files

We found that Bad Rabbit does not delete shadow copies of files after they are encrypted. This means that if the shadow copy service was enabled before the infection and full disk encryption did not occur for some reason, the victim can restore the encrypted files using standard Windows tools or third-party utilities.

Shadow copies unaffected by Bad Rabbit
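Because Bad Rabbit leaves Volume Shadow Copies in place, a victim whose disk was not fully encrypted can pull pre-infection versions of files out of a snapshot. The following PowerShell is an added example, not code from the article or from Kaspersky Lab: it lists the shadow copies on the host, picks the newest one created before a chosen cutoff, and copies a single file out of it through a temporary directory symlink. The file path, the cutoff time and the restore directory are placeholders chosen for this illustration; an elevated session is assumed.

```powershell
# Added example: recover a file from a VSS shadow copy left behind by Bad Rabbit.
# Assumes an elevated PowerShell session on the affected host and at least one
# shadow copy that predates the infection. Paths and the cutoff are placeholders.

function Get-ShadowCopies {
    # One object per snapshot; DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        Select-Object ID, VolumeName, DeviceObject, InstallDate
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,   # from Get-ShadowCopies
        [Parameter(Mandatory)] [string] $RelativePath,   # path relative to the volume root
        [Parameter(Mandatory)] [string] $Destination     # where the recovered copy goes
    )
    $mount = 'C:\shadow_mount'                           # temporary link to the snapshot
    if (Test-Path -LiteralPath $mount) { cmd /c rmdir $mount | Out-Null }
    # mklink /d requires the trailing backslash on the shadow device path.
    cmd /c mklink /d $mount "$DeviceObject\" | Out-Null
    try {
        $src = Join-Path $mount $RelativePath
        if (-not (Test-Path -LiteralPath $src)) {
            throw "Not present in this shadow copy: $RelativePath"
        }
        New-Item -ItemType Directory -Force -Path (Split-Path $Destination) | Out-Null
        Copy-Item -LiteralPath $src -Destination $Destination
        # Return the hash so the recovered file can be compared with a known-good copy.
        Get-FileHash -LiteralPath $Destination -Algorithm SHA256
    } finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents.
        cmd /c rmdir $mount | Out-Null
    }
}

# Usage: show the snapshots, choose the newest one older than the infection, restore one file.
Get-ShadowCopies | Format-Table -AutoSize
$cutoff = [datetime]'2017-10-24 09:00'                   # constructed cutoff for this illustration
$snap = Get-ShadowCopies | Where-Object { $_.InstallDate -lt $cutoff } | Select-Object -Last 1
if ($snap) {
    Restore-FromShadow -DeviceObject $snap.DeviceObject `
        -RelativePath 'Users\alice\Documents\report.docx' `
        -Destination 'C:\Recovered\report.docx'
} else {
    Write-Warning 'No shadow copy older than the cutoff was found.'
}
```

The symlink route is used because the Windows PowerShell file provider cannot open `\\?\GLOBALROOT\...` paths directly, while `mklink /d` accepts them; `robocopy` against the same link works for bulk recovery. Check that the snapshot's `InstallDate` really predates the infection, since a snapshot taken afterwards contains the encrypted versions.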

Kaspersky Lab experts analyze the ransomware in detail to find possible flaws in its cryptographic algorithms.

Kaspersky Lab corporate clients are recommended to:

  • check that all mechanisms are turned on according to the recommendations; Separately, make sure that the KSN and “System Monitoring” components are not disabled (they are active by default);
  • promptly update anti-virus databases.

This should be enough. But as additional precautions, we recommend:

  • prohibit execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security.
  • configure and enable the "Default Deny" mode in the "Application Launch Control" component in Kaspersky Endpoint Security.

Kaspersky Lab products define this threat as:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak
IoC:

  • http://1dnscontrol[.]com/
  • install_flash_player.exe
  • C:\Windows\infpub.dat
  • C:\Windows\dispci.exe


The Bad Rabbit ransomware, which attacked Russian media the day before, also tried to attack Russian banks from the top 20, Group-IB, which investigates and prevents cybercrime, told Forbes. A company representative declined to give details about the attacks on credit institutions, explaining that Group-IB does not disclose information about clients using its intrusion detection system.

According to cybersecurity experts, attempts to infect the infrastructure of Russian banks with the virus occurred on October 24 from 13:00 to 15:00 Moscow time. Group-IB believes the attacks showed that banks are better protected than companies in the non-banking sector. Earlier, the company reported that a new ransomware virus, likely related to the June epidemic of the NotPetya ransomware (as indicated by matching code), had attacked Russian media. These were the information systems of the Interfax agency, as well as the servers of the St. Petersburg news portal Fontanka. In addition, the virus hit the systems of the Kyiv metro, the Ministry of Infrastructure of Ukraine, and Odessa International Airport. NotPetya hit energy, telecommunications and financial companies, primarily in Ukraine, over the summer. To decrypt files encrypted by the BadRabbit virus, the attackers demand 0.05 bitcoin, which at the current exchange rate is approximately equivalent to $283 or 15,700 rubles.

Kaspersky Lab clarified that this time the hackers chose most of the victims in Russia. However, the company recorded similar attacks in Ukraine, Turkey and Germany, but “in significantly smaller numbers.” “All signs point to this being a targeted attack on corporate networks. Methods similar to those we observed in the ExPetr attack are used, but we cannot confirm the connection with ExPetr,” a company representative said. The Forbes source added that all Kaspersky Lab products “detect these malicious files as UDS:DangerousObject.Multi.Generic.”

How to protect yourself?

To protect against this attack, Kaspersky Lab recommended using an antivirus with KSN enabled and the System Monitoring module. "If a Kaspersky Lab security solution is not installed, we recommend blocking the execution of files named c:\windows\infpub.dat and C:\Windows\cscc.dat using system administration tools," advised Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

Group-IB notes that to prevent the virus from encrypting files, “you must create the file C:\windows\infpub.dat and give it read-only rights.” After this, even if infected, the files will not be encrypted, the company said. At the same time, it is necessary to quickly isolate computers that have been detected sending such malicious files in order to avoid large-scale infection of other computers connected to the network. After this, users need to ensure that the backup copies of key network nodes are up-to-date and intact.

When the initial steps are completed, the user is advised to update the operating systems and security systems, while simultaneously blocking the IP addresses and domain names from which malicious files were distributed. Group-IB recommends changing all passwords to more complex ones and blocking pop-up windows, as well as prohibiting storing passwords in clear text in LSA Dump.

Who is behind the BadRabbit attack

In 2017, two major ransomware epidemics had already been recorded: WannaCry (which attacked 200,000 computers in 150 countries) and ExPetr. The latter is Petya and at the same time NotPetya, Kaspersky Lab notes. Now, according to the company, "the third is beginning." The name of the new Bad Rabbit ransomware "is written on a darknet page to which its creators direct victims for details," the company clarifies. Group-IB believes that Bad Rabbit is a modified version of NotPetya with the errors in its encryption algorithm corrected. In particular, the Bad Rabbit code includes blocks that are completely identical to NotPetya.

ESET Russia agrees that the malware used in the attack, “Win32/Diskcoder.D,” is a modified version of “Win32/Diskcoder.C,” better known as Petya/NotPetya. As Vitaly Zemskikh, head of sales support at ESET Russia, explained in a conversation with Forbes, the statistics of attacks by country “largely corresponds to the geographical distribution of sites containing malicious JavaScript.” Thus, the majority of infections occurred in Russia (65%), followed by Ukraine (12.2%), Bulgaria (10.2%), Turkey (6.4%) and Japan (3.8%).

Infection with the Bad Rabbit virus occurred after visiting hacked sites. The hackers injected JavaScript into the HTML code of the compromised resources, which showed visitors a fake window prompting them to install an Adobe Flash Player update. If the user agreed to the update, a malicious file named "install_flash_player.exe" was installed on the computer. "Having infected a workstation in an organization, the encryptor can spread within the corporate network via the SMB protocol. Unlike its predecessor Petya/NotPetya, Bad Rabbit does not use the EternalBlue exploit - instead, it scans the network for open network shares," says Zemskikh. Next, the Mimikatz tool is launched on the infected machine to collect credentials. In addition, there is a hard-coded list of logins and passwords.

There is no information yet about who organized the hacker attacks. At the same time, according to Group-IB, similar mass attacks WannaCry and NotPetya could be associated with hacker groups funded by states. Experts draw this conclusion on the basis that the financial benefits of such attacks are “negligible” compared to the complexity of their implementation. “Most likely, these were not attempts to make money, but to test the level of protection of critical infrastructure networks of enterprises, government agencies and private companies,” experts conclude. A representative of Group-IB confirmed to Forbes that the latest virus - Bad Rabbit - may turn out to be a test of the protection of infrastructures of government departments and businesses. “Yes, it is not excluded. Considering that the attacks were carried out in a targeted manner - on critical infrastructure facilities - the airport, the metro, government agencies,” explains Forbes’ interlocutor.

Answering the question about who is responsible for the latest attack, ESET Russia emphasizes that using only the tools of an antivirus company, it is impossible to conduct a high-quality investigation and identify those involved; this is the task of specialists of a different profile. "As an antivirus company, we identify methods and targets of attacks, the attackers' malicious tools, vulnerabilities and exploits. Finding the culprits, their motives, nationality, etc. is not our responsibility," said a company representative, promising to draw conclusions about the purpose of Bad Rabbit based on the results of the investigation. "Unfortunately, in the near future we will see many similar incidents - the vector and scenario of this attack have shown high efficiency," ESET Russia predicts. Forbes' interlocutor recalls that for 2017 the company predicted an increase in the number of targeted attacks on the corporate sector, primarily on financial organizations (by more than 50%, according to preliminary estimates). "These predictions are now coming true; we are seeing an increase in the number of attacks coupled with an increase in damage to the affected companies," he admits.

The end of October this year was marked by the emergence of a new virus that actively attacked the computers of corporate and home users. The new virus is an encryptor and is called Bad Rabbit, which means bad rabbit. This virus was used to attack the websites of several Russian media outlets. Later, the virus was discovered in the information networks of Ukrainian enterprises. There, the information networks of the metro, various ministries, international airports, etc. were attacked. A little later, a similar virus attack was observed in Germany and Turkey, although its activity was significantly lower than in Ukraine and Russia.

The malware, once it reaches a computer, encrypts the files on it. After the information has been encrypted, the attackers try to obtain a ransom from users for decrypting their data.

Spread of the virus

Experts from the ESET antivirus laboratory analyzed the way the virus spreads and concluded that it is a modified version of the Petya virus, which spread not long ago.

ESET laboratory specialists determined that the malicious files were distributed from the resource 1dnscontrol.com and the IP address 5.61.37.209. Several other resources are also associated with this domain and IP, including secure-check.host, webcheck01.net, secureinbox.email, webdefense1.net, secure-dns1.net and firewebmail.com.

Experts have investigated that the owners of these sites have registered many different resources, for example, those through which they are trying to sell counterfeit medicines using spam mailings. ESET specialists do not rule out that it was with the help of these resources, using spam mailings and phishing, that the main cyber attack was carried out.

How does Bad Rabbit virus infection occur?

Specialists from the Computer Forensics Laboratory conducted an investigation into how the virus got onto users’ computers. It was discovered that in most cases, the Bad Rabbit ransomware virus was distributed as an update to Adobe Flash. That is, the virus did not exploit any operating system vulnerabilities, but was installed by users themselves, who, unknowingly, approved its installation, thinking that they were updating the Adobe Flash plugin. When the virus entered the local network, it stole logins and passwords from memory and independently spread to other computer systems.

How hackers extort money

After the ransomware virus has been installed on the computer, it encrypts the stored information. Next, users receive a message indicating that in order to gain access to their data, they must make a payment on a specified site on the darknet. To do this, you first need to install a special Tor browser. In order to unlock the computer, the attackers extort payment in the amount of 0.05 bitcoin. Today, at $5,600 per Bitcoin, that's approximately $280 to unlock a computer. The user is given a time period of 48 hours to make payment. After this period, if the required amount has not been transferred to the attacker’s electronic account, the amount increases.

How to protect yourself from the virus

  1. To protect yourself from infection by the Bad Rabbit virus, you should block access from the information environment to the above domains.
  2. For home users, you need to update the current version of Windows and your antivirus program. In this case, the malicious file will be detected as a ransomware virus, which will exclude the possibility of its installation on the computer.
  3. Those users who use the built-in antivirus of the Windows operating system already have protection against these ransomware. It is implemented in the Windows Defender Antivirus application.
  4. The developers of the antivirus program from Kaspersky Lab advise all users to periodically backup their data. In addition, experts recommend blocking the execution of the files c:\windows\infpub.dat, c:\WINDOWS\cscc.dat, and also, if possible, the use of the WMI service should be prohibited.
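Step 1 of the list above (blocking the distribution domains and the address they resolved to) can be applied per host with the Windows firewall and the hosts file. The script below is an added example, not code from the article or from any of the vendors quoted; it uses only the indicators printed on this page (the 5.61.37.209 address and the domains ESET associated with it), which should be treated as historical, and assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example: block the Bad Rabbit distribution infrastructure named on this page.
# Assumes an elevated PowerShell session with the NetSecurity module (Windows 8.1+).
# Indicators are the ones quoted in the reporting; they are historical, not current.
$BlockedIPs     = @('5.61.37.209')
$BlockedDomains = @('1dnscontrol.com', 'secure-check.host', 'webcheck01.net',
                    'secureinbox.email', 'webdefense1.net', 'secure-dns1.net', 'firewebmail.com')
$HostsFile      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-IoCFirewallBlock {
    # One outbound block rule per address; idempotent, keyed on the rule's display name.
    param([string[]] $Addresses)
    foreach ($ip in $Addresses) {
        $name = "BadRabbit-Block-$ip"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress $ip -Profile Any | Out-Null
        }
    }
}

function Add-HostsSinkhole {
    # Pin each domain to 0.0.0.0 in the hosts file unless an entry for it already exists.
    param([string[]] $Domains, [string] $Sinkhole = '0.0.0.0')
    $existing = @(Get-Content -LiteralPath $HostsFile -ErrorAction SilentlyContinue)
    $new = foreach ($d in $Domains) {
        $pattern = '^\s*\S+\s+' + [regex]::Escape($d) + '(\s|$)'
        if (-not ($existing | Where-Object { $_ -match $pattern })) {
            "$Sinkhole $d    # BadRabbit IoC"
        }
    }
    if ($new) { Add-Content -LiteralPath $HostsFile -Value $new }
}

function Test-IoCBlock {
    # Report, per indicator, whether the block is in place.
    $hosts = @(Get-Content -LiteralPath $HostsFile -ErrorAction SilentlyContinue)
    foreach ($ip in $BlockedIPs) {
        [pscustomobject]@{
            Indicator = $ip
            Blocked   = [bool](Get-NetFirewallRule -DisplayName "BadRabbit-Block-$ip" -ErrorAction SilentlyContinue)
        }
    }
    foreach ($d in $BlockedDomains) {
        $pattern = '^\s*0\.0\.0\.0\s+' + [regex]::Escape($d) + '(\s|$)'
        [pscustomobject]@{
            Indicator = $d
            Blocked   = [bool]($hosts | Where-Object { $_ -match $pattern })
        }
    }
}

Add-IoCFirewallBlock -Addresses $BlockedIPs
Add-HostsSinkhole    -Domains   $BlockedDomains
Test-IoCBlock | Format-Table -AutoSize
```

Host-level blocks like these are a stopgap for machines that cannot be covered quickly by a proxy or DNS filter; the same indicators belong in the perimeter block list, and the hosts-file entries should be removed once the infrastructure is confirmed dead, since stale sinkhole entries tend to be forgotten.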

Conclusion

Each computer user should remember that cybersecurity should come first when working on the network. Therefore, you should always ensure that you use only trusted information resources and use email and social networks carefully. It is through these resources that various viruses are most often spread. Basic rules of behavior in the information environment will help eliminate problems that arise during a virus attack.

Greetings, dear visitors and guests of this blog! Today another ransomware virus has appeared in the world, named "Bad Rabbit" ("Evil Bunny"). This is the third high-profile ransomware of 2017. The previous ones were and (aka NotPetya).

Bad Rabbit - Who has already suffered and is asking for a lot of money?

So far, several Russian media outlets have allegedly suffered from this ransomware - among them Interfax and Fontanka. Odessa Airport also reports a hacker attack - possibly related to the same Bad Rabbit.

For file decryption, the attackers demand 0.05 bitcoin, which at the current exchange rate is approximately equivalent to 283 dollars or 15,700 rubles.

The results of Kaspersky Lab's research indicate that the attack does not use exploits. Bad Rabbit spreads through infected websites: users download a fake Adobe Flash installer, manually run it, and thereby infect their computers.

According to Kaspersky Lab, experts are investigating this attack and are looking for ways to combat it, as well as looking for the possibility of decrypting files affected by the ransomware.

Most of the victims of the attack are in Russia. It is also known that similar attacks occur in Ukraine, Turkey and Germany, but in much smaller numbers. Cryptographer Bad Rabbit is spreading through a number of infected Russian media sites.

Kaspersky Lab believes that all signs point to this being a targeted attack on corporate networks. Methods similar to those observed in the ExPetr attack are used, but the company cannot confirm a connection with ExPetr.

It is already known that Kaspersky Lab products detect one of the malware components using the Kaspersky Security Network cloud service as UDS:DangerousObject.Multi.Generic, and also using System Watcher as PDM:Trojan.Win32.Generic.

How to protect yourself from the Bad Rabbit virus?

To avoid becoming a victim of the new "Bad Bunny" epidemic, Kaspersky Lab recommends doing the following:

If you have Kaspersky Anti-Virus installed, then:

  • Check whether the Kaspersky Security Network and Activity Monitor (aka System Watcher) components are enabled in your security solution. If not, be sure to turn them on.

For those who do not have this product:

  • Block execution of the file c:\windows\infpub.dat, C:\Windows\cscc.dat. This can be done via .
  • Disable (if possible) the use of the WMI service.
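The two recommendations repeated across this page (block execution of infpub.dat and cscc.dat; pre-create infpub.dat as read-only, since the malware skips files with the Read-Only attribute) can be combined into one "vaccine" script. The PowerShell below is an added example, not code from the blog, from Kaspersky Lab or from Group-IB: it creates both file names in C:\Windows, sets the Read-Only attribute the malware checks, and then strips the ACL so that even an elevated process cannot overwrite or execute them. It assumes an elevated session and that no legitimate files with these names exist on the machine; the -Remove switch undoes the change.

```powershell
# Added example: pre-create the two Bad Rabbit file names as read-only, permission-less
# files so the dropper cannot write its DLL or the DiskCryptor driver there.
# Assumes an elevated PowerShell session; run with -Remove to undo.
$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Install-BadRabbitVaccine {
    param([switch] $Remove)
    foreach ($f in $VaccineFiles) {
        if ($Remove) {
            if (Test-Path -LiteralPath $f) {
                icacls $f /reset | Out-Null                                  # restore inherited ACL
                Set-ItemProperty -LiteralPath $f -Name IsReadOnly -Value $false
                Remove-Item -LiteralPath $f -Force
            }
            continue
        }
        if (-not (Test-Path -LiteralPath $f)) {
            New-Item -ItemType File -Path $f -Force | Out-Null              # zero-byte placeholder
        }
        # 1) The attribute the malware itself checks before encrypting a file.
        Set-ItemProperty -LiteralPath $f -Name IsReadOnly -Value $true
        # 2) Drop inherited ACEs, then deny Everyone (S-1-1-0) full control, which
        #    covers write, delete and execute even for an elevated dropper.
        icacls $f /inheritance:r | Out-Null
        icacls $f /deny '*S-1-1-0:(F)' | Out-Null
    }
}

function Test-BadRabbitVaccine {
    # One row per file: present, read-only attribute set, and deny ACE for Everyone visible.
    foreach ($f in $VaccineFiles) {
        $present  = Test-Path -LiteralPath $f
        $readOnly = $present -and (Get-Item -LiteralPath $f -Force).IsReadOnly
        $denied   = $present -and [bool]((icacls $f) -match 'Everyone:\(DENY\)\(F\)')
        [pscustomobject]@{ File = $f; Present = $present; ReadOnly = $readOnly; DenyAll = $denied }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

The Read-Only attribute alone relies on the malware's own check and is trivially cleared by a process with administrator rights, which is why the deny ACE is added as well. The owner of the file (the account that created it) keeps the implicit right to change its security descriptor, so `icacls /reset` in the -Remove branch still works. A vaccine of this kind only covers the file names this sample uses; it does nothing against a recompiled variant, so it complements rather than replaces application control and patching.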

Another very important piece of advice from me:

Always back up the files that are important to you, on removable media and in cloud services! This will save your nerves, money and time!

I wish you not to catch this infection on your PC. Have a clean and safe Internet!

Yesterday, October 24, 2017, large Russian media, as well as a number of Ukrainian government agencies, were attacked by unknown attackers. Among the victims were Interfax, Fontanka and at least one other unnamed online publication. Following the media, Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure also reported problems. According to a statement by Group-IB analysts, criminals also tried to attack banking infrastructures, but these attempts were unsuccessful. ESET specialists, in turn, claim that the attacks affected users from Bulgaria, Turkey and Japan.

As it turned out, disruptions in the work of companies and government agencies were caused not by massive DDoS attacks, but by a ransomware called Bad Rabbit (some experts prefer to write BadRabbit without a space).

Yesterday, little was known about the malware and the mechanisms of its operation: it was reported that the ransomware was demanding a ransom of 0.05 bitcoin, and Group-IB experts also said that the attack had been in preparation for several days. Thus, two JS scripts were discovered on the attackers’ website, and, judging by information from the server, one of them was updated on October 19, 2017.

Now, although not even a day has passed since the start of the attacks, the analysis of the ransomware has already been carried out by specialists from almost all the leading information security companies in the world. So, what is Bad Rabbit, and should we expect a new “ransomware epidemic” like WannaCry or NotPetya?

How did Bad Rabbit manage to cause major media outages when it was all about fake Flash updates? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS, and also had a list of the most common logins and passwords. The malware used all this to spread via SMB and WebDAV to other servers and workstations located on the same network as the infected device. At the same time, experts from the companies listed above and Cisco Talos employees believe that in this case there was no need for a tool stolen from intelligence services that exploited flaws in SMB. Let me remind you that the WannaCry and NotPetya viruses were spread using this particular exploit.

However, experts still managed to find some similarities between Bad Rabbit and Petya (NotPetya). Thus, the ransomware not only encrypts user files using open source DiskCryptor, but modifies the MBR (Master Boot Record), after which it reboots the computer and displays a ransom message on the screen.

Although the message with the attackers' demands is almost identical to the message from the NotPetya operators, experts have slightly different opinions regarding the connection between Bad Rabbit and NotPetya. Thus, analysts at Intezer calculated that the source code of the malware