#BadRabbit #Ransomware outbreak in Eastern Europe

Posted on 2017-10-25 by guenni

[German]Urgent warning to all administrators in corporate environments. Eastern Europe has been hit by an outbreak of BadRabbit ransomware campaign. Affected are Windows systems and networks in corporate environments. It's similar to the NotPetya infection in early summer this year. Possibly a Killswitch has been found.

Advertising

In summer 2017 we have had a NotPetya ransomware infection spreading from Ukraine (see News about (Not)Petya ransomware – Killswitch/vaccine found?WannaCry Clone). A few days ago I've warned about a possible new infection with a NotPetya like ransomware (the blog post is only in German Warnung vor neuem NotPetya-ähnlichem Cyber-Angriff). Now it seems that this scenarios is happens.

BadRabbit ransomware outbreak

Bleeping Computer reported about BadRabbit ransomware, spreading since a few hours in several Eastern European countries. Both government agencies and private companies are affected. Currently, the infection is probably spreading in countries such as Russia, Ukraine, Bulgaria and Turkey.

Confirmed victims include Odessa airport in Ukraine, the metro system of Kiev in Ukraine, the Ukrainian Ministry of Infrastructure and three Russian news agencies, including Interfax and Fontanka. The Ukrainian CERT team has issued a warning message and warns Ukrainian companies of this new outbreak.

Distribution via fake flash update

Antivirus vendor wrote in a Tweet, that the initial distribution was made via a fake Flash update.

Advertising

Also security researcher from Proofpoint confirms this finding, tweeting that BadRabbit was initially distributes via a fake Flash update.

Proofpoint wrote, that the ransomware comes with 'tools' to infect other computers via network.

A few details

Based of first analysis ob ESET, Emsisoft. and Fox-IT, BadRabbit uses Mimikatz, to extract credentials from the system's local memory, but also has fixed coded access codes. The Ransomware tries to spread via additional servers and workstations via network.

Ransomware probably uses DiskCryptor (an open source encryption software) to encrypt the files (was used in the attack on the San Francisco suburban transport system, see ÖPNV-Hack in San Franzisko). As soon as Bad Rabbit has finished the infection, it restarts the user's PC. The modified Master Boot Record (MBR) contains code that indicates a ransom request.

The victim is required to access a page in the Tor network. There he is asked to pay a ransom of 0.05 Bitcoin (approx. $280). The victims have a little more than 40 hours until the ransom money goes up. The ransom demand is almost identical to the one used by NotPetya in the June outbreak. Nevertheless, there is little resemblance to NotPetya. Security researcher Intezer claims that there is only 13% match of code between Bad Rabbit and NotPetya.

More details

Malwarebytes has published this blog post with further details. Here is the message shown after the infection.

Bad Rabbit Meldung

And this is the Tor network's website, where victims can find more information. The counter with the remaining time appears there before the price of the ransom .

Bad Rabbit Tor-Seite

The infection starts with a PE file (the fake Flash Player update). Then a file infpub.dat comes into the game (similar to NotPetya), which exports two functions as a DLL. The first one contains the dropper that distributes the malware (infector) to other computers in the LAN. Among other things, WMIC is used to deploy the modules on remote computers. The responsible code is similar to the elements of Petya/NotPetya.

Then, an attempt is made to obtain logon data (credentials) for other machines from memory using a Mimikatz module. At the same time, this module has a hard coded list of generic logon data, which is also tested to access other network shares.

Anmeldedaten

There is no Eternal Blue exploit required to spread to other machines (SMB and WMIC are sufficient, if the credentials are known). After successful infection, files are encrypted via a DLL using the Windows Crypto API. The following directories are omitted.

\\Windows
\\Program Files
\\ProgramData
\\AppData

At Pastbin is a document naming the file names of encrypted files. ESET writes at welivesecurity.com, that there is another infection method, using a drive-by-download via watering holes. Some frequently web sites seems to be infected and contains JavaScript in HTML body or injected in js files. Update: Here are a list of affected media sites:

ESET wrote, that the Win32/Diskcoder.D named malware will spread via SMB – but not using EthernalBlue exploit. ESET has published the following infection statistics:

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

The infection is still limited to Eastern Europe and Japan. US-CERT now offers this warning.

Possible kill switch found

In the meantime, security researchers have allegedly also found ways to prevent the spread of the malware on Windows computers. In this Tweet some solutions has to be proposed.

Just create the following files and withdraw access rights:

c:\windows\infpub.dat
c:\windows\cscc.dat

This means that the malware can no longer access its export DLL and the control file. The information can be found in this blog post, where detailed instructions are given. Another user specifies the following files to stop an infection.

%windir%\infpub.dat
%windir%\dispci.exe

But I haven't tested this methods.

Cookies helps to fund this blog: Cookie settings
Advertising

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *