“Bad Rabbit” ransomware strikes Ukraine and Russia. Attack resembles WannaCry and Petya

Sources: BBC, VirusTotal, Securelist 

 

Quote

 bad_rabbit_ransomware_01.png 

A new strain of ransomware nicknamed "Bad Rabbit" has been found spreading in Russia, Ukraine and elsewhere. The malware has affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev. The cyber-police chief in Ukraine confirmed to the Reuters news agency that Bad Rabbit was the ransomware in question.

 

It bears similarities to the WannaCry and Petya outbreaks earlier this year.

Meanwhile, US officials said they had "received multiple reports of Bad Rabbit ransomware infections in many countries around the world". The US computer emergency readiness team said it "discourages individuals and organisations from paying the ransom, as this does not guarantee that access will be restored".

"According to our data, most of the victims targeted by these attacks are located in Russia," said Vyacheslav Zakorzhevsky at Kaspersky Lab.

 

"We have also seen similar but fewer attacks in Ukraine, Turkey and Germany."

Bad Rabbit encrypts the contents of a computer and asks for a payment - in this case 0.05 bitcoins, or about $280 (£213).

Cyber-security firms, including Russia-based Kaspersky, have said they are monitoring the attack.

I know news about a new malware strain isn’t particularly interesting, but I posted this as more of a PSA as the attack method is via drive-by download, meaning it doesn’t require user interaction to execute it. All it needs is to have the user browse an infected website. 

Quote

How is it different to ExPetr? Or it is the same malware?

Our observations suggest that this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack.

 

Technical details

According to our telemetry, the ransomware is spread via a drive-by attack.

The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php

bad_rabbit_ransomware_02.png

Also according to our telemetry data, victims are redirected to this malware web resource from legitimate news websites.

The downloaded file named install_flash_player.exe needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges which it attempts to obtain using the standard UAC prompt. If started, it will save the malicious DLL as C:\Windows\infpub.dat and launch it using rundll32.

 

The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.

An interesting detail that we noticed when analyzing the sample of this threat: it looks like the criminals behind this malware are fans of the famous books & TV show series Game Of Thrones. Some of the strings used throughout the code are the names of different characters from this series.

bad_rabbit_ransomware_07.png

bad_rabbit_ransomware_08.png

It seems that the attack is more localized than a global pandemic. With that said, at the time I’m posting this, 43 out of 66 antivirus programs are now detecting it (including Windows Defender), which is good. Make sure to have your AV programs up to date and enable cloud protection for faster protection. Also, it’s a good idea to use standard accounts instead of admin accounts. 


There is more that meets the eye
I see the soul that is inside
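The Securelist details quoted above name four concrete indicators: the dropper URL, the install_flash_player.exe dropper, the infpub.dat DLL it writes and launches through rundll32, and the DiskCryptor-derived dispci.exe. The block below is an added example, not code from the original post or from Securelist, BBC or VirusTotal, that turns those indicators into a check over a handful of constructed Sysmon-style process records and one constructed proxy record. The record layout, the on-disk location of dispci.exe, the rundll32 entry-point argument and the referer are all assumptions, since the post only gives file names and the URL.

```python
"""Added example: the Bad Rabbit indicators quoted above, turned into a log check.

This is not code from the original post, BBC, VirusTotal or Securelist. The
event layout (dict records with Image / CommandLine / ParentImage for process
starts, host / path / referer for a proxy line) is an assumed stand-in for a
Sysmon or proxy export, and every record in SAMPLE_EVENTS is constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Indicators named in the Securelist details quoted in this thread.
DROPPER_HOST = "1dnscontrol.com"        # written defanged as 1dnscontrol[.]com above
DROPPER_PATH = "/flash_install.php"
DROPPER_EXE = "install_flash_player.exe"
PAYLOAD_DLL = r"c:\windows\infpub.dat"  # compared case-insensitively
DISK_MODULE = "dispci.exe"


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    """Windows-style basename, lower-cased, usable on any host OS."""
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list[Finding]:
    """Rules for one process-creation record."""
    image = _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    found: list[Finding] = []

    if image == DROPPER_EXE:
        found.append(Finding("fake Flash installer dropper executed",
                             f"{ev['Image']} (parent {parent or '?'})"))

    # rundll32.exe itself is legitimate on every Windows host; the signal is
    # the DLL path it was handed, not the rundll32 process.
    if image == "rundll32.exe" and PAYLOAD_DLL in cmdline:
        found.append(Finding("rundll32 loading infpub.dat",
                             f"{ev['CommandLine']} (parent {parent or '?'})"))

    if image == DISK_MODULE:
        found.append(Finding("DiskCryptor-derived dispci.exe executed", ev["Image"]))

    return found


def check_http(ev: dict) -> list[Finding]:
    """Rule for one proxy / web-log record: a hit on the dropper URL."""
    host = ev.get("host", "").lower()
    path = ev.get("path", "")
    on_dropper_host = host == DROPPER_HOST or host.endswith("." + DROPPER_HOST)
    if on_dropper_host and path.startswith(DROPPER_PATH):
        return [Finding("dropper download from 1dnscontrol[.]com",
                        f"{ev.get('referer', '-')} -> {host}{path}")]
    return []


def scan(events: list[dict]) -> list[Finding]:
    """Run the matching rule set over each record and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("type") == "process":
            findings.extend(check_process(ev))
        elif ev.get("type") == "http":
            findings.extend(check_http(ev))
    return findings


# Constructed records that exercise each rule once, plus one benign rundll32 use.
SAMPLE_EVENTS: list[dict] = [
    {"type": "http", "host": "1dnscontrol.com", "path": "/flash_install.php",
     "referer": "http://news-site.invalid/article"},          # placeholder referer
    {"type": "process",
     "Image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\install_flash_player.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"type": "process",
     "Image": r"C:\Windows\System32\rundll32.exe",
     # the post only says "launch it using rundll32"; ",#1" is an assumed entry point
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1",
     "ParentImage": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    {"type": "process",
     "Image": r"C:\Windows\dispci.exe",                      # location assumed
     "CommandLine": r"C:\Windows\dispci.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"type": "process",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.evidence}")
```

Run as-is it reports four findings and stays quiet on the shell32 line, because the rundll32 rule keys on the infpub.dat path rather than on rundll32.exe. The parent process is carried into each finding so the install_flash_player.exe to rundll32 chain the write-up describes is visible in the output. File names and URLs are the most brittle indicators there are, so treat this as a quick sweep of existing logs for this particular sample, not as a durable detection.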


damn i almost hoped for another WannaCry to give the world another bitch slap to teach them to update their shit


2 hours ago, Bananasplit_00 said:

damn i almost hoped for another WannaCry to give the world another bitch slap to teach them to update their shit

Well, the Bad Rabbit ransomware doesn’t require user interaction as it uses a drive-by download attack, where all you need is to browse an infected website, not to mention that those infected sites are actually legit news sites. 


2 hours ago, hey_yo_ said:

Well, the Bad Rabbit ransomware doesn’t require user interaction as it uses a drive-by download attack, where all you need is to browse an infected website, not to mention that those infected sites are actually legit news sites. 

It actually does require user interaction....
 

Quote

The downloaded file named install_flash_player.exe needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges which it attempts to obtain using the standard UAC prompt. If started, it will save the malicious DLL as C:\Windows\infpub.dat and launch it using rundll32.

You'd only be screwed if UAC wasn't a thing in Vista and above.


4 minutes ago, Dabombinable said:

It actually does require user interaction....
 

You'd only be screwed if UAC wasn't a thing in Vista and above.

My bad. Good catch.

