Urgent warning to all administrators in corporate environments: Eastern Europe has been hit by an outbreak of the BadRabbit ransomware campaign. Affected are Windows systems and networks in corporate environments. The outbreak is similar to the NotPetya infection of early summer this year. A kill switch has possibly been found.
In summer 2017 we had a NotPetya ransomware infection spreading from Ukraine (see News about (Not)Petya ransomware – Killswitch/vaccine found? and WannaCry Clone). A few days ago I warned about a possible new infection with a NotPetya-like ransomware (the blog post is only in German: Warnung vor neuem NotPetya-ähnlichem Cyber-Angriff). Now it seems that this scenario is happening.
BadRabbit ransomware outbreak
Bleeping Computer reported on the BadRabbit ransomware, which has been spreading for a few hours in several Eastern European countries. Both government agencies and private companies are affected. Currently, the infection is probably spreading in countries such as Russia, Ukraine, Bulgaria and Turkey.
Confirmed victims include Odessa airport in Ukraine, the Kiev metro system in Ukraine, the Ukrainian Ministry of Infrastructure and three Russian news agencies, including Interfax and Fontanka. The Ukrainian CERT team has issued a warning message alerting Ukrainian companies to this new outbreak.
Distribution via fake flash update
An antivirus vendor researcher wrote in a tweet that the initial distribution was done via a fake Flash update.
— Jiri Kropac (@jiriatvirlab) October 24, 2017
A security researcher from Proofpoint also confirms this finding, tweeting that BadRabbit was initially distributed via a fake Flash update.
— Darien Huss (@darienhuss) October 24, 2017
Proofpoint wrote that the ransomware comes with 'tools' to infect other computers via the network.
A few details
Based on first analyses by ESET, Emsisoft and Fox-IT, BadRabbit uses Mimikatz to extract credentials from the system's memory, but also carries hard-coded credentials. The ransomware tries to spread to additional servers and workstations via the network.
The ransomware probably uses DiskCryptor (an open source encryption software) to encrypt the files (DiskCryptor was also used in the attack on the San Francisco public transport system, see ÖPNV-Hack in San Franzisko). As soon as Bad Rabbit has finished the infection, it restarts the user's PC. The modified Master Boot Record (MBR) contains code that displays the ransom demand.
— Group-IB (@GroupIB_GIB) October 24, 2017
The victim is required to visit a page in the Tor network. There he is asked to pay a ransom of 0.05 Bitcoin (approx. $280). Victims have a little more than 40 hours until the ransom goes up. The ransom demand is almost identical to the one used by NotPetya in the June outbreak. Nevertheless, the code bears little resemblance to NotPetya: security researchers at Intezer claim that there is only a 13% code match between Bad Rabbit and NotPetya.
Malwarebytes has published this blog post with further details, including the message shown after the infection and the Tor network website where victims can find more information. On that site the counter with the remaining time is shown above the price of the ransom.
The infection starts with a PE file (the fake Flash Player update). Then a file infpub.dat comes into play (similar to NotPetya), a DLL that exports two functions. The first contains the dropper that distributes the malware (the infector) to other computers in the LAN. Among other things, WMIC is used to deploy the modules on remote computers. The responsible code is similar to that of Petya/NotPetya.
Then an attempt is made to obtain logon data (credentials) for other machines from memory using a Mimikatz module. In addition, this module carries a hard-coded list of generic credentials, which is also tried in order to access other network shares.
No EternalBlue exploit is required to spread to other machines (SMB and WMIC are sufficient once the credentials are known). After successful infection, files are encrypted via a DLL using the Windows Crypto API. The following directories are excluded.
— Group-IB (@GroupIB_GIB) October 24, 2017
ESET wrote that the malware, named Win32/Diskcoder.D, spreads via SMB, but without using the EternalBlue exploit. ESET has published the following infection statistics:
- Russia: 65%
- Ukraine: 12.2%
- Bulgaria: 10.2%
- Turkey: 6.4%
- Japan: 3.8%
- Other: 2.4%
The infection is still limited to Eastern Europe and Japan. US-CERT has now issued this warning.
Possible kill switch found
In the meantime, security researchers have allegedly also found a way to prevent the malware from running on Windows computers. In this tweet a solution is proposed.
I can confirm – Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) pic.twitter.com/5sXIyX3QJl
— Amit Serper (@0xAmit) October 24, 2017
Just create the following files and withdraw their access rights:
This means that the malware can no longer access its export DLL and its control file. The information can be found in this blog post, which gives detailed instructions. Another user specifies the following files to stop an infection:
But I haven't tested these methods.
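The vaccination described in the tweet above, and a check for the dropped file names mentioned in the analysis section, as an added PowerShell example (this is not code from the original post or from the researchers quoted). The two file names (infpub.dat and cscc.dat under C:\Windows) are taken from the tweet; the status labels and the assumption that a vaccine file is empty while a real malware DLL is not are mine. It must run from an elevated PowerShell session, since writing to C:\Windows and replacing a DACL require administrator rights.

```powershell
#Requires -RunAsAdministrator
# Added example: create the two "vaccine" files named in the tweet, strip every
# permission (including inherited ones), and report the resulting state.
# File names come from the tweet; status labels and the empty-file heuristic are assumptions.

$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # Returns a status object so the same check can be run host by host
    # (e.g. through Invoke-Command) to see which machines are vaccinated.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; State = 'Missing'; Bytes = 0; Aces = -1 }
    }
    $item = Get-Item -LiteralPath $Path -Force   # size comes from the directory entry, no file open needed
    $acl  = Get-Acl -LiteralPath $Path           # READ_CONTROL is implied for the owner, so this works even with an empty DACL
    $state = if ($item.Length -gt 0) {
        # Assumption: a vaccine file is 0 bytes. A non-empty infpub.dat/cscc.dat in
        # C:\Windows is the real dropped component, so the host should be treated as infected.
        'SuspiciousNonEmpty'
    } elseif ($acl.AreAccessRulesProtected -and $acl.Access.Count -eq 0) {
        # Inheritance disabled and no explicit ACEs: an empty DACL grants access to nobody.
        'Vaccinated'
    } else {
        'PresentButAccessible'
    }
    [pscustomobject]@{ Path = $Path; State = $state; Bytes = $item.Length; Aces = $acl.Access.Count }
}

function Install-Vaccine {
    param([Parameter(Mandatory)][string]$Path)
    $status = Test-VaccineFile -Path $Path
    if ($status.State -eq 'SuspiciousNonEmpty') {
        Write-Warning "$Path exists and is not empty; leaving it alone. Investigate this host."
        return $status
    }
    if ($status.State -eq 'Missing') {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Disable inheritance and discard the inherited ACEs ($true, $false),
    # then remove any explicit ACE that is left, so the DACL ends up empty.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Test-VaccineFile -Path $Path
}

$VaccineFiles | ForEach-Object { Install-Vaccine -Path $_ } | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The empty DACL still leaves Administrators able to take ownership and regain access, so the vaccine only blocks code running as an ordinary user or as a service that does not go through that step; and it only interferes with the dropper at these two file names. It does nothing against the credential theft with Mimikatz or the hard-coded credentials tried over SMB and WMIC, so a vaccinated machine can still be a source of credentials for the spread to others. Running Test-VaccineFile across the fleet is useful in its own right: a non-empty infpub.dat in C:\Windows on any host is an indicator worth an incident response look rather than a vaccination attempt.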