{"id":4126,"date":"2017-10-25T10:02:46","date_gmt":"2017-10-25T08:02:46","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4126"},"modified":"2022-09-23T00:31:24","modified_gmt":"2022-09-22T22:31:24","slug":"badrabbit-ransomware-outbreak-in-eastern-europe","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/10\/25\/badrabbit-ransomware-outbreak-in-eastern-europe\/","title":{"rendered":"#BadRabbit #Ransomware outbreak in Eastern Europe"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/10\/25\/achtung-badrabbit-ransomware-ausbruch-in-osteuropa\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Urgent warning to all administrators in corporate environments: Eastern Europe has been hit by an outbreak of the BadRabbit ransomware campaign. Affected are Windows systems and networks in corporate environments. It resembles the NotPetya infection of early summer this year. A possible kill switch (vaccine) has been found.<\/p>\n<p>In summer 2017 we had a NotPetya ransomware infection spreading from Ukraine (see <a href=\"https:\/\/borncity.com\/win\/2017\/06\/28\/news-about-notpetya-ransomware-killswitch-found\/\">News about (Not)Petya ransomware \u2013 Killswitch\/vaccine found?<\/a> and <a href=\"http:\/\/www.borncity.com\/blog\/2017\/06\/30\/wannacry-clone-ransomware-befllt-systeme-in-der-ukraine\/\">WannaCry Clone<\/a>). 
A few days ago I warned about a possible new infection with a NotPetya-like ransomware (the blog post is only in German: <a href=\"http:\/\/www.borncity.com\/blog\/2017\/10\/16\/warnung-vor-neuem-notpetya-hnlichem-cyber-angriff\/\">Warnung vor neuem NotPetya-\u00e4hnlichem Cyber-Angriff<\/a>, \"Warning of a new NotPetya-like cyber attack\"). Now it seems that this scenario is happening.<\/p>\n<h2>BadRabbit ransomware outbreak<\/h2>\n<p>Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/bad-rabbit-ransomware-outbreak-hits-eastern-europe\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> on the BadRabbit ransomware, which has been spreading for a few hours in several Eastern European countries. Both government agencies and private companies are affected. Currently the infection appears to be spreading in countries such as Russia, Ukraine, Bulgaria and Turkey.<\/p>\n<p>Confirmed victims include Odessa airport in Ukraine, the Kiev metro system, the Ukrainian Ministry of Infrastructure and three Russian news agencies, including Interfax and Fontanka. The Ukrainian CERT has issued an alert warning Ukrainian companies of this new outbreak.<\/p>\n<h2>Distribution via fake Flash update<\/h2>\n<p>Antivirus vendor ESET wrote in a <a href=\"https:\/\/twitter.com\/jiriatvirlab\/status\/922835700873158661\" rel=\"noopener\" target=\"_blank\">Tweet<\/a> that the initial distribution was made via a fake Flash update.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/ESET?src=hash&amp;ref_src=twsrc%5Etfw\">#ESET<\/a> confirms Discoder\/<a href=\"https:\/\/twitter.com\/hashtag\/Petya?src=hash&amp;ref_src=twsrc%5Etfw\">#Petya<\/a>\/<a href=\"https:\/\/twitter.com\/hashtag\/BadRabbit?src=hash&amp;ref_src=twsrc%5Etfw\">#BadRabbit<\/a> campaign live today, incorporating <a href=\"https:\/\/twitter.com\/hashtag\/Mimikatz?src=hash&amp;ref_src=twsrc%5Etfw\">#Mimikatz<\/a> distributed via fake flash. More info soon. 
<a href=\"https:\/\/t.co\/lUpkmdG2ox\">pic.twitter.com\/lUpkmdG2ox<\/a><\/p>\n<p>\u2014 Jiri Kropac (@jiriatvirlab) <a href=\"https:\/\/twitter.com\/jiriatvirlab\/status\/922835700873158661?ref_src=twsrc%5Etfw\">October 24, 2017<\/a><\/p>\n<\/blockquote>\n<p>Security researcher Darien Huss from Proofpoint also <a href=\"https:\/\/twitter.com\/darienhuss\/status\/922847966767042561\" rel=\"noopener\" target=\"_blank\">confirms this<\/a> finding, tweeting that BadRabbit was initially distributed via a fake Flash update.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BadRabbit?src=hash&amp;ref_src=twsrc%5Etfw\">#BadRabbit<\/a> was spread by a fake Adobe Flash Player installer hosted here: 1dnscontrol[.]com, found by <a href=\"https:\/\/twitter.com\/ESET?ref_src=twsrc%5Etfw\">@ESET<\/a> <a href=\"https:\/\/t.co\/2z8g3tmzMe\">https:\/\/t.co\/2z8g3tmzMe<\/a><\/p>\n<p>\u2014 Darien Huss (@darienhuss) <a href=\"https:\/\/twitter.com\/darienhuss\/status\/922847966767042561?ref_src=twsrc%5Etfw\">October 24, 2017<\/a><\/p>\n<\/blockquote>\n<p>Proofpoint wrote that the ransomware comes with 'tools' to infect other computers over the network.<\/p>\n<h2>A few details<\/h2>\n<p>Based on first analyses by <a href=\"https:\/\/twitter.com\/jiriatvirlab\/status\/922835700873158661\" rel=\"noopener\" target=\"_blank\">ESET<\/a>, <a href=\"https:\/\/twitter.com\/fwosar\/status\/922865068169138176\" rel=\"noopener\" target=\"_blank\">Emsisoft<\/a> and <a href=\"https:\/\/twitter.com\/MaartenVDantzig\/status\/922854232176422912\" rel=\"noopener\" target=\"_blank\">Fox-IT<\/a>, BadRabbit uses Mimikatz to extract credentials from the system's memory, but also carries a hard-coded list of credentials. The ransomware then tries to spread to additional servers and workstations over the network.<\/p>\n<p>The ransomware probably uses DiskCryptor (open source disk encryption software, also used in the 2016 attack on the San Francisco public transport system, see <a href=\"http:\/\/www.borncity.com\/blog\/2016\/11\/28\/pnv-hack-in-san-franzisko\/\" target=\"_blank\" rel=\"noopener\">\u00d6PNV-Hack in San Franzisko<\/a>) for the disk encryption. As soon as Bad Rabbit has finished the infection, it restarts the user's PC. The modified Master Boot Record (MBR) contains code that displays the ransom demand.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BadRabbit?src=hash&amp;ref_src=twsrc%5Etfw\">#BadRabbit<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/cryptor?src=hash&amp;ref_src=twsrc%5Etfw\">#cryptor<\/a> attacked a number of Russia's major media. <a href=\"https:\/\/twitter.com\/interfax_news?ref_src=twsrc%5Etfw\">@interfax_news<\/a> <a href=\"https:\/\/t.co\/5iLNs131Ml\">pic.twitter.com\/5iLNs131Ml<\/a><\/p>\n<p>\u2014 Group-IB (@GroupIB_GIB) <a href=\"https:\/\/twitter.com\/GroupIB_GIB\/status\/922819835494649856?ref_src=twsrc%5Etfw\">October 24, 2017<\/a><\/p>\n<\/blockquote>\n<p>The victim is told to open a page in the Tor network. There he is asked to pay a ransom of 0.05 Bitcoin (approx. $280). The victims have a little more than 40 hours before the ransom increases. The ransom note is almost identical to the one used by NotPetya in the June outbreak. 
At the code level, however, there is little resemblance to NotPetya: security company Intezer claims that only 13% of the code is shared between Bad Rabbit and NotPetya.<\/p>\n<h2>More details<\/h2>\n<p>Malwarebytes has published <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/\" rel=\"noopener\" target=\"_blank\">this blog post<\/a> with further details. Here is the message shown after the infection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Bad Rabbit message\" class=\"alignnone\" alt=\"Bad Rabbit message\" src=\"https:\/\/web.archive.org\/web\/20220531112315\/https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/botlocker1.png\" width=\"724\" height=\"405\"><\/p>\n<p>And this is the website in the Tor network where victims can find more information. The countdown with the remaining time is shown there above the ransom price.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Bad Rabbit Tor page\" class=\"alignnone wp-image-20250 size-full\" alt=\"Bad Rabbit Tor page\" src=\"https:\/\/web.archive.org\/web\/20210924210653\/https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page.png\" width=\"993\" height=\"699\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page.png 993w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page-300x211.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page-600x422.png 600w\"><\/p>\n<p>The infection starts with a PE file (the fake Flash Player update). Then a DLL named <em>infpub.dat<\/em> comes into play (similar to NotPetya); it exports two functions. The first contains the dropper that distributes the malware (the infector) to other computers in the LAN. Among other things, WMIC is used to deploy the modules on remote computers. The responsible code is similar to elements of Petya\/NotPetya.<\/p>\n<p>Then an attempt is made to obtain logon credentials for other machines from memory using a Mimikatz module. In addition, this module carries a hard-coded list of generic usernames and passwords, which are also tried against other network shares.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Credentials\" class=\"alignnone wp-image-20260 size-full\" alt=\"Credentials\" src=\"https:\/\/web.archive.org\/web\/20210924210706\/https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords.png\" width=\"826\" height=\"646\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords.png 826w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords-300x235.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords-600x469.png 600w\"><\/p>\n<p>No EternalBlue exploit is required to spread to other machines (SMB and WMIC are sufficient once the credentials are known). After successful infection, files are encrypted via a DLL using the Windows Crypto API. The following directories are skipped.<\/p>\n<p>\\\\Windows<br \/>\\\\Program Files<br \/>\\\\ProgramData<br \/>\\\\AppData<\/p>\n<p>At <a href=\"https:\/\/pastebin.com\/CwZfyY2F\" rel=\"noopener\" target=\"_blank\">Pastebin<\/a> there is a document listing the file extensions that get encrypted. ESET writes at <a href=\"https:\/\/web.archive.org\/web\/20220901073054\/https:\/\/www.welivesecurity.com\/2017\/10\/24\/bad-rabbit-not-petya-back\/\" rel=\"noopener\" target=\"_blank\">welivesecurity.com<\/a> that there is another infection method: a drive-by download via watering holes. Some frequently visited websites appear to be compromised and contain JavaScript either in the HTML body or injected into .js files. 
Update: here is a list of affected media sites:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BadRabbit?src=hash&amp;ref_src=twsrc%5Etfw\">#BadRabbit<\/a> was spread via web traffic from compromised media sites. <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\">#infosec<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\">#ransomware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/cryptor?src=hash&amp;ref_src=twsrc%5Etfw\">#cryptor<\/a> <a href=\"https:\/\/t.co\/7GPsgZ2s3A\">pic.twitter.com\/7GPsgZ2s3A<\/a><\/p>\n<p>\u2014 Group-IB (@GroupIB_GIB) <a href=\"https:\/\/twitter.com\/GroupIB_GIB\/status\/922972032098291718?ref_src=twsrc%5Etfw\">October 24, 2017<\/a><\/p><\/blockquote>\n<p>ESET wrote that the malware, which it names Win32\/Diskcoder.D, spreads via SMB, but without using the EternalBlue exploit. ESET has published the following infection statistics:<\/p>\n<ul>\n<li>Russia: 65%<\/li>\n<li>Ukraine: 12.2%<\/li>\n<li>Bulgaria: 10.2%<\/li>\n<li>Turkey: 6.4%<\/li>\n<li>Japan: 3.8%<\/li>\n<li>Other: 2.4%<\/li>\n<\/ul>\n<p>The infection is so far largely limited to Eastern Europe and Japan. US-CERT now offers <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2017\/10\/24\/Multiple-Ransomware-Infections-Reported\" rel=\"noopener\" target=\"_blank\">this warning<\/a>.<\/p>\n<h2>Possible kill switch found<\/h2>\n<p>In the meantime, security researchers have reportedly also found a way to prevent the malware from running on Windows computers. 
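<\/p>
<p>The vaccination described in this section, creating infpub.dat and cscc.dat in the Windows directory and stripping every permission from them, can be scripted. The PowerShell below is an added example; it is not code from the original post, from Cybereason or from the researchers quoted here. It assumes an elevated session on the machine to be protected and that the placeholders belong in %SystemRoot% (the Windows directory, as the tweets state); it also covers dispci.exe, which a second researcher cited in this section names. Leaving an empty DACL on each file is the assumed meaning of 'remove all permissions'.<\/p>

```powershell
# Added example (not from the original post, Cybereason, or the quoted researchers).
# Assumptions: run from an elevated PowerShell session on the host to vaccinate;
# the file names are the ones quoted in this section, placed in %SystemRoot%.
$names = @('infpub.dat', 'cscc.dat', 'dispci.exe')
$files = $names | ForEach-Object { Join-Path $env:SystemRoot $_ }

foreach ($path in $files) {
    # Create an empty placeholder so the dropper finds the name already taken
    if (-not (Test-Path -LiteralPath $path)) {
        $null = New-Item -ItemType File -Path $path -Force
    }

    $acl = Get-Acl -LiteralPath $path
    # Protect the DACL: stop inheriting from the Windows directory and drop
    # the inherited ACEs instead of copying them onto the file
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit ACEs that remain, which leaves an empty DACL
    foreach ($rule in @($acl.Access)) {
        $null = $acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verification: an empty DACL grants nothing to anyone, so the dropper cannot
# open the placeholder for writing. The owner of the file (the elevated caller)
# keeps READ_CONTROL and WRITE_DAC implicitly, which is why Get-Acl still works
# here and why the change can be undone later.
foreach ($path in $files) {
    $aceCount = (Get-Acl -LiteralPath $path).Access.Count
    '{0}: {1} explicit ACE(s)' -f $path, $aceCount
}
```

<p>Run it as administrator; the check at the end should report 0 explicit ACE(s) for each file. Two caveats: the placeholders only protect the vaccinated host and do nothing for machines that are still reachable with the same credentials, so every host needs them; and a process that already runs as the file's owner could reset the DACL through its WRITE_DAC right, so the vaccine relies on the malware not retrying after its first failed write.<\/p>
<p>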
In <a href=\"https:\/\/mobile.twitter.com\/0xAmit\/status\/922911491694694401\" rel=\"noopener\" target=\"_blank\">this Tweet<\/a> a solution is proposed.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I can confirm &#8211; Vaccination for <a href=\"https:\/\/twitter.com\/hashtag\/badrabbit?src=hash&amp;ref_src=twsrc%5Etfw\">#badrabbit<\/a>:<br \/>Create the following files c:\\windows\\infpub.dat &amp;&amp; c:\\windows\\cscc.dat &#8211; remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) <a href=\"https:\/\/t.co\/5sXIyX3QJl\">pic.twitter.com\/5sXIyX3QJl<\/a><\/p>\n<p>\u2014 Amit Serper (@0xAmit) <a href=\"https:\/\/twitter.com\/0xAmit\/status\/922911491694694401?ref_src=twsrc%5Etfw\">October 24, 2017<\/a><\/p>\n<\/blockquote>\n<p>Just create the following files and withdraw all access rights:<\/p>\n<p>c:\\windows\\infpub.dat<br \/>c:\\windows\\cscc.dat<\/p>\n<p>This means the malware can no longer write its DLL (infpub.dat) or the DiskCryptor driver (cscc.dat). The information can be found in <a href=\"https:\/\/www.cybereason.com\/blog\/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware\" target=\"_blank\" rel=\"noopener\">this blog post<\/a>, where detailed instructions are given. Another user specifies the <a href=\"https:\/\/twitter.com\/rikvduijn\/status\/922916097459863552\" target=\"_blank\" rel=\"noopener\">following files<\/a> to stop an infection.<\/p>\n<p>%windir%\\infpub.dat<br \/>%windir%\\dispci.exe<\/p>\n<p>But I haven't tested these methods.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Urgent warning to all administrators in corporate environments: Eastern Europe has been hit by an outbreak of the BadRabbit ransomware campaign. Affected are Windows systems and networks in corporate environments. 
It's similar to the NotPetya infection in early summer this year. &hellip; <a href=\"https:\/\/borncity.com\/win\/2017\/10\/25\/badrabbit-ransomware-outbreak-in-eastern-europe\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[244,243,69],"class_list":["post-4126","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-malware","tag-ransomware","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4126"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4126\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=4126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}