Update, 10/27/2017: added the sections on assessing the decryption capability, the possibility of file recovery, and detection verdicts.

What happened?

On Tuesday, October 24, we received reports of a mass attack using the Bad Rabbit ransomware. Organizations and individual users were affected, mainly in Russia, but there were also reports of victims in Ukraine. This is the message victims see:

What is Bad Rabbit?

Bad Rabbit belongs to a previously unknown family of ransomware.

How is it distributed?

The malware is spread through a drive-by attack: the victim visits a legitimate website, and the malware dropper is downloaded from the attackers' infrastructure. The criminals did not use exploits for the initial infection, so to become infected the user had to manually run a file disguised as an Adobe Flash installer. However, our analysis confirms that Bad Rabbit used the EternalRomance exploit to spread within corporate networks. The same exploit was used by the ExPetr ransomware.

We have discovered a number of compromised websites; all of them are news portals and media sites.

Who is the attack aimed at?

Most of the victims are in Russia. Similar but smaller-scale attacks affected other countries: Ukraine, Turkey and Germany. The total number of targets, according to KSN statistics, is around 200.

When did Kaspersky Lab discover the threat?

We were able to trace the original attack vector from its very beginning, on the morning of October 24. The active phase lasted until noon, although individual attacks were recorded until 19:55 Moscow time. The server from which the Bad Rabbit dropper was distributed was shut down that evening.

How is Bad Rabbit different from the ExPetr ransomware? Or is it the same malware?

According to our observations, this is a targeted attack on corporate networks whose methods are similar to those used during the ExPetr attack. Moreover, analysis of the Bad Rabbit code showed a marked similarity to the ExPetr code.

Technical details

According to our data, the ransomware is spread through a drive-by attack. The ransomware dropper is downloaded from hxxp://1dnscontrol[.]com/flash_install.php.

Victims are redirected to this malicious resource from legitimate news sites.

The victim must run the downloaded install_flash_player.exe file manually. To work properly, the file requires administrator rights, which it requests through a standard UAC prompt. Once launched, the malware saves the malicious DLL as C:\Windows\infpub.dat and runs it via rundll32.

Pseudocode of the malicious DLL installation procedure

Apparently, the infpub.dat library attempts NTLM logins, using a hardcoded list of credentials, against Windows machines at pseudo-random IP addresses.

Hardcoded list of credentials

The infpub.dat library also installs a malicious executable, dispci.exe, in C:\Windows and creates a scheduled task to run it.

Pseudocode of the procedure that creates the task of launching a malicious executable file
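To make the installation chain above concrete, here is an added example (not code from the original report) of detection logic that flags it in process-creation telemetry. The record layout and the sample events are constructed for the demonstration, and the assumption that the scheduled task is created through schtasks.exe is mine; the report only says that a task is created.

```python
"""Flag the Bad Rabbit execution chain in process-creation telemetry.
Added example, not code from the original report.  The event layout is a
constructed stand-in for Sysmon/EDR process-creation records; the sample
events are invented.  Assumption: the scheduled task for dispci.exe is
created through schtasks.exe (the report only says a task is created)."""
import re


def _img(event, name):
    """True if the event's image path ends with \\<name>."""
    return event["image"].lower().endswith("\\" + name)


# Each rule: (name, predicate).  Indicators come from the analysis above:
# the fake Flash installer, infpub.dat loaded via rundll32, the scheduled
# task that starts dispci.exe, and dispci.exe itself running from C:\Windows.
RULES = [
    ("dropper-fake-flash-installer",
     lambda e: _img(e, "install_flash_player.exe")),
    ("rundll32-loads-infpub",
     lambda e: _img(e, "rundll32.exe") and "infpub.dat" in e["cmdline"].lower()),
    ("schtasks-runs-dispci",
     lambda e: _img(e, "schtasks.exe") and "dispci.exe" in e["cmdline"].lower()),
    ("dispci-in-windows-dir",
     lambda e: re.fullmatch(r"c:\\windows\\dispci\.exe", e["image"].lower()) is not None),
]


def classify(event):
    """Names of all rules the event matches (empty list for benign events)."""
    return [name for name, pred in RULES if pred(event)]


def scan(events):
    """(event index, rule name) for every hit, in event order."""
    return [(i, name) for i, e in enumerate(events) for name in classify(e)]


# Constructed sample: the full chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\install_flash_player.exe",
     "cmdline": r'"C:\Users\victim\Downloads\install_flash_player.exe"'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\infpub.dat,#1"},
    {"image": r"C:\Windows\System32\rundll32.exe",            # benign rundll32 use
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC ONCE /TN sample_task /TR "C:\Windows\dispci.exe -id 1234"'},
    {"image": r"C:\Windows\System32\schtasks.exe",            # benign schtasks use
     "cmdline": r"schtasks /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"image": r"C:\Windows\dispci.exe",
     "cmdline": r"C:\Windows\dispci.exe -id 1234"},
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx]['cmdline']}")
```

The two benign events show why the rules key on the combination of image and command line rather than on rundll32.exe or schtasks.exe alone: both are legitimate system binaries that fire constantly on a healthy host.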

Moreover, infpub.dat also acts as a typical file encryptor: it locates the victim's files using a built-in list of extensions and encrypts them, protecting the key material with a 2048-bit RSA public key that belongs to the attackers.

Attackers' public key and list of extensions

Public key parameters:

Public-Key: (2048 bit)
Modulus:
00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:
6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:
37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:
93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:
95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:
a6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:
4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:
1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:
1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:
59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:
59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:
f4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:
8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:
47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:
0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:
81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:
84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:
1f:61
Exponent: 65537 (0x10001)


The executable dispci.exe appears to be based on code from the legitimate DiskCryptor utility. It acts as the disk encryption module and also installs a modified bootloader, blocking the normal boot process of the infected system.

While analyzing samples of this threat, we noticed an interesting detail: the malware authors are apparently fans of "Game of Thrones." Some strings in the code are the names of characters from that universe.

Names of dragons from Game of Thrones

Names of characters from Game of Thrones

Encryption scheme

As already mentioned, the Bad Rabbit ransomware encrypts both the victim's files and the disk. The following algorithms are used for files:

  1. AES-128-CBC
  2. RSA-2048

This is a typical scheme used by ransomware.

Interestingly, the ransomware enumerates all running processes, computes a hash of each process name and compares it against an embedded list of hashes. The hashing algorithm is similar to the one used by the ExPetr malware.

Comparison of Bad Rabbit and ExPetr hashing procedures

Special branch of program execution

Runtime Flag Initialization Procedure

Full list of hashes from process names:

Hash         Process name
0x4A241C3E   dwwatcher.exe
0x923CA517   McTray.exe
0x966D0415   dwarkdaemon.exe
0xAA331620   dwservice.exe
0xC8F10976   mfevtps.exe
0xE2517A14   dwengine.exe
0xE5A05A00   mcshield.exe

The dw* names belong to Dr.Web components, and McTray.exe, mfevtps.exe and mcshield.exe to McAfee; the presence of these security products appears to set the runtime flags that select the special execution branch shown above.

Partitions on the victim's hard drive are encrypted using DiskCryptor's dcrypt.sys driver (dropped as C:\Windows\cscc.dat). The encryptor sends the necessary IOCTL codes to this driver. Some functions are taken "as is" from the DiskCryptor source (drv_ioctl.c), while others appear to have been added by the malware's developers.

Disk partitions are encrypted by the DiskCryptor driver using AES in XTS mode. The password is generated by dispci.exe with the WinAPI CryptGenRandom function and is 32 characters long.

Assessing decryption capability

Our data suggests that Bad Rabbit, unlike ExPetr, was not created as a wiper (we wrote earlier that the creators of ExPetr are technically unable to decrypt an MFT encrypted by its GoldenEye component). The malware's algorithm implies that the attackers behind Bad Rabbit have the necessary decryption tools.

The data that appears on the infected machine's screen as "personal installation key#1" is an RSA-2048 encrypted and base64 encoded binary structure that contains the following information from the infected system:

Attackers can use their RSA private key to decrypt this structure and send the disk decryption password to the victim.

Please note that the value of the id field passed to dispci.exe is simply a 32-bit number used to distinguish between infected computers, and not the AES key for disk encryption, as some reports on the Internet have claimed.
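Two checks an analyst can run on these artifacts, as an added example that is not part of the original report: parse the attackers' public key printed above into an integer, confirm that it is a 2048-bit modulus and fingerprint it (a stable identifier for matching samples), and sanity-check a base64 "personal installation key#1" blob as an RSA-2048 ciphertext under that key. The blob used here is constructed inside the code, since a real one would come from a victim machine, and the function names are my own.

```python
"""Checks on the Bad Rabbit RSA public key and the ransom-screen blob.
Added example, not code from the original report.  MODULUS_HEX/EXPONENT
are the values printed in the analysis; sample_blob() is constructed here."""
import base64
import hashlib

MODULUS_HEX = """
00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:
6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:
37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:
93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:
95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:
a6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:
4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:
1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:
1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:
59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:
59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:
f4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:
8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:
47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:
0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:
81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:
84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:
1f:61
"""
EXPONENT = 65537


def parse_modulus(colon_hex: str) -> int:
    """Convert an OpenSSL-style colon-separated hex dump to an integer."""
    return int("".join(colon_hex.split()).replace(":", ""), 16)


def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(x: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def key_fingerprint(n: int, e: int) -> str:
    """SHA-256 over the DER encoding: a stable identifier to match samples on."""
    return hashlib.sha256(der_rsa_public_key(n, e)).hexdigest()


def check_installation_key(blob_b64: str, n: int):
    """Sanity-check a base64 blob claimed to be RSA-encrypted under modulus n.
    Returns (ok, reason).  A genuine RSA-2048 ciphertext decodes to exactly
    256 bytes and, read as a big-endian integer, is smaller than n.  Passing
    says nothing about decryptability: that needs the attackers' private key."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        return False, f"not valid base64: {exc}"
    expected = (n.bit_length() + 7) // 8
    if len(raw) != expected:
        return False, f"{len(raw)} bytes, expected {expected}"
    if int.from_bytes(raw, "big") >= n:
        return False, "value is not reduced modulo n, so not an RSA ciphertext"
    return True, "plausible RSA-2048 block; contents need the private key"


def sample_blob() -> str:
    """Constructed stand-in for a 'personal installation key#1' blob."""
    filler = hashlib.sha256(b"constructed sample").digest() * 8   # 256 bytes
    raw = b"\x42" + filler[1:]           # first byte below 0xe5 keeps it < n
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    n = parse_modulus(MODULUS_HEX)
    print("modulus bits:", n.bit_length(), "exponent:", EXPONENT)
    print("fingerprint:", key_fingerprint(n, EXPONENT))
    print(check_installation_key(sample_blob(), n))
```

The DER encoding of a 2048-bit RSAPublicKey is 270 bytes; the fingerprint over it is the same value OpenSSL's `openssl rsa -pubin -RSAPublicKey_in -outform DER | sha256sum` would produce, which is what makes it usable across tools when clustering samples by attacker key.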

During analysis, we extracted the password generated by the malware under a debugger and tried it on a locked system after a reboot: the password was accepted and the boot continued.

Unfortunately, the data on disk cannot be decrypted without the attackers' RSA-2048 private key: the symmetric keys are generated securely by the malware, which in practice rules out recovering them by brute force.

However, we discovered a bug in the dispci.exe code: the generated password is not wiped from memory, which gives a small chance of retrieving it before the dispci.exe process terminates. In the screenshot below, you can see that while the dc_pass variable (which is passed to the driver) is securely erased after use, this is not the case for the rand_str variable, which holds a copy of the password.

Pseudo code for a procedure that generates a password and encrypts disk partitions
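As an added example illustrating the consequence of this bug (not code from the report), the following scans a dump of the dispci.exe process for un-wiped 32-character password candidates. Two assumptions are mine: that the password alphabet is alphanumeric (the report only gives the length and the use of CryptGenRandom), and that the rand_str copy may be stored as ASCII or UTF-16LE, so both encodings are scanned. The dump is constructed inline with a planted password.

```python
"""Scan a dispci.exe memory dump for the un-wiped disk password.
Added example, not code from the original report.  Assumptions (mine):
the password alphabet is alphanumeric, and the rand_str copy may sit in
memory as ASCII or UTF-16LE.  The dump and the planted password are
constructed here for the demonstration."""
import math
import re
from collections import Counter

PASSWORD_LEN = 32                          # length stated in the analysis
ASCII_RUNS = re.compile(rb"[A-Za-z0-9]+")
UTF16_RUNS = re.compile(rb"(?:[A-Za-z0-9]\x00)+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a CryptGenRandom-derived string scores high, a
    string constant such as 'AAAA...' scores near zero."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def candidate_passwords(dump: bytes, min_entropy: float = 3.0):
    """Return (offset, encoding, candidate) for every maximal alphanumeric
    run of exactly PASSWORD_LEN characters that looks random enough.
    Maximal runs are used because a C string password is NUL-terminated,
    so a longer run is some other string, not the password."""
    hits = []
    for m in ASCII_RUNS.finditer(dump):
        s = m.group()
        if len(s) == PASSWORD_LEN and shannon_entropy(s) >= min_entropy:
            hits.append((m.start(), "ascii", s.decode()))
    for m in UTF16_RUNS.finditer(dump):
        s = m.group().decode("utf-16-le")
        if len(s) == PASSWORD_LEN and shannon_entropy(s.encode()) >= min_entropy:
            hits.append((m.start(), "utf-16le", s))
    return hits


PLANTED = b"q7Rw2ZkP0aLm9XsTb4VcN1yE8uHdG5jK"   # constructed 32-char value


def build_sample_dump() -> bytes:
    """Constructed process memory: strings named in the report, a
    low-entropy decoy, binary noise, and the planted password twice."""
    return b"".join([
        b"\x00" * 16,
        b"dispci.exe\x00",
        b"A" * PASSWORD_LEN + b"\x00",                   # decoy: right length, no entropy
        b"C:\\Windows\\cscc.dat\x00",
        PLANTED + b"\x00",                               # rand_str, narrow copy
        b"\x00" * 8,
        PLANTED.decode().encode("utf-16-le") + b"\x00\x00",   # wide copy
        bytes(range(256)),                               # noise
    ])


if __name__ == "__main__":
    for offset, enc, cand in candidate_passwords(build_sample_dump()):
        print(f"0x{offset:08x} {enc:8s} {cand}")
```

In practice the dump would be taken with a tool such as Sysinternals procdump while dispci.exe is still running, and each surviving candidate would be tried as the DiskCryptor password at the boot prompt; the entropy filter only trims obvious constants, so expect to try several.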

File encryption

As already mentioned, the Trojan uses a typical file encryption scheme. It generates a random string 32 bytes long and feeds it into the key derivation algorithm. Unfortunately for the victim, this string is produced with the CryptGenRandom function, so it cannot be predicted.

Key derivation algorithm

The encrypted password, along with information about the infected system, is written to the Readme file as “personal installation key#2”.

An interesting detail: the malware does not encrypt files that have the Read-Only attribute set.

Ability to recover files

We found that Bad Rabbit does not delete shadow copies after encrypting files. This means that if the Volume Shadow Copy service was enabled before the infection and full disk encryption did not take place for some reason, the victim can recover the encrypted files using standard Windows tools or third-party utilities.

Shadow copies unaffected by Bad Rabbit

Kaspersky Lab experts are continuing to analyze the ransomware in detail in search of possible flaws in its cryptographic algorithms.

Kaspersky Lab corporate customers are advised to:

  • check that all protection mechanisms are enabled as recommended; separately, make sure that the KSN and System Watcher components are not disabled (they are active by default);
  • promptly update the anti-virus databases.

This should be enough. But as additional precautions, we recommend:

Kaspersky Lab products define this threat as:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak
IoC:

- http://1dnscontrol[.]com/
- install_flash_player.exe
- C:\Windows\infpub.dat
- C:\Windows\dispci.exe


Yesterday, October 24, 2017, major Russian media outlets and a number of Ukrainian government agencies were attacked by unknown attackers. The victims included Interfax, Fontanka and at least one other unnamed online publication. After the media, Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure also reported problems. According to Group-IB analysts, the criminals also tried to attack banking infrastructure, but those attempts were unsuccessful. ESET specialists, in turn, say the attacks also affected users in Bulgaria, Turkey and Japan.

As it turned out, the disruptions at companies and government agencies were caused not by massive DDoS attacks, but by a ransomware called Bad Rabbit (some experts prefer to write BadRabbit, without the space).

Yesterday, little was known about the malware and how it worked: it was reported that the ransomware demanded 0.05 bitcoin, and Group-IB experts also said the attack had been in preparation for several days. In particular, two JS scripts were discovered on the attackers' website, and, judging by information from the server, one of them was updated on October 19, 2017.

Now, although not even a day has passed since the attacks began, the ransomware has already been analyzed by specialists from almost all the leading information security companies in the world. So, what is Bad Rabbit, and should we expect a new "ransomware epidemic" like WannaCry or NotPetya?

How did Bad Rabbit manage to cause major media outages when it all came down to fake Flash updates? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS, and it also carried a list of the most common logins and passwords. It used all of this to spread over SMB and WebDAV to other servers and workstations on the same network as the infected device. At the same time, experts from these companies and from Cisco Talos believed that the SMB exploit leaked from the intelligence services was not involved in this case. Recall that WannaCry and NotPetya were distributed using that exploit. (Kaspersky Lab's later analysis, reproduced above, found that the EternalRomance exploit was in fact used for spreading inside corporate networks.)

However, experts still found some similarities between Bad Rabbit and Petya (NotPetya). The ransomware does not just encrypt user files using the open-source DiskCryptor; it also modifies the MBR (Master Boot Record), after which it reboots the computer and displays a ransom message.

Although the ransom message is almost identical to the one from the NotPetya operators, experts differ somewhat on the connection between Bad Rabbit and NotPetya. For instance, analysts at Intezer calculated that the malware's source

It may be a harbinger of a third wave of ransomware, Kaspersky Lab believes. The first two were the notorious WannaCry and Petya (aka NotPetya). Cybersecurity experts told MIR 24 about the emergence of the new network malware and how to protect yourself from its powerful attack.

Most of the victims of the Bad Rabbit attack are in Russia. There are significantly fewer in Ukraine, Turkey and Germany, noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The next most affected countries were probably those where users actively follow Russian Internet resources.

When the malware infects a computer, it encrypts the files on it. It is distributed via web traffic from compromised Internet resources, mainly the sites of federal Russian media; the victims included computers and servers of the Kyiv Metro, the Ukrainian Ministry of Infrastructure and Odessa International Airport. An unsuccessful attempt to attack Russian top-20 banks was also recorded.

That Fontanka, Interfax and a number of other publications had been attacked by Bad Rabbit was reported yesterday by Group-IB, a company specializing in information security. Analysis of the virus code showed that Bad Rabbit is related to the NotPetya ransomware, which in June of this year attacked energy, telecommunications and financial companies in Ukraine.

The attack was prepared over several days, and despite the scale of the infection the ransomware demanded a relatively small sum from its victims: 0.05 bitcoin (about $283, or 15,700 rubles). 48 hours are allotted for payment; after that period expires, the amount increases.

Group-IB specialists believe the hackers most likely had no intention of making money. Their likely goal was to probe the level of protection of critical infrastructure networks at enterprises, government departments and private companies.

It's easy to become a victim of an attack

When a user visits an infected site, malicious code sends information about the visitor to a remote server. A pop-up window then appears offering to download a Flash Player update, which is fake. If the user clicks "Install", a file is downloaded to the computer, which in turn launches the Win32/Filecoder.D encryptor on the system. Access to documents is then blocked and a ransom message appears on the screen.

The Bad Rabbit virus scans the network for open network shares, after which it launches a credential-harvesting tool on the infected machine; this "behavior" distinguishes it from its predecessors.

Specialists from the anti-virus developer ESET NOD32 confirmed that Bad Rabbit is a new modification of the Petya virus, which worked on the same principle: it encrypted information and demanded a ransom in bitcoins (the amount was comparable to Bad Rabbit's, $300). The new malware fixes errors in file encryption. The code used in the virus is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as bootable system disk partitions.

Speaking about the audience attacked by Bad Rabbit, Vitaly Zemskikh, Head of Sales Support at ESET Russia, said that 65% of the attacks stopped by the company's anti-virus products occurred in Russia. The rest of the new virus's geography looks like this:

  • Ukraine – 12.2%
  • Bulgaria – 10.2%
  • Turkey – 6.4%
  • Japan – 3.8%
  • others – 2.4%

"The ransomware uses well-known open-source software called DiskCryptor to encrypt the victim's disks. The lock screen the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity we have seen so far between the two malware families. In all other respects, BadRabbit is a completely new and unique type of ransomware," says Nikita Durov, technical director at Check Point Software Technologies.

How to protect yourself from Bad Rabbit?

Owners of operating systems other than Windows can breathe a sigh of relief, since the new ransomware only affects computers running that OS.

To protect against the network malware, experts recommend creating the file C:\Windows\infpub.dat on your computer and making it read-only (this is easy to do in the file's security settings). This stops the malware from writing and running its DLL, so the files on the machine are not encrypted even if the dropper is launched. To avoid losing valuable data in the event of an infection, make a backup now. And, of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.

Recall that in May of this year the WannaCry virus spread to at least 150 countries around the world. It encrypted information and demanded a ransom of, according to various sources, $300 to $600. Over 200 thousand users were affected. According to one version, its creators based it on the EternalBlue exploit attributed to the US NSA.

Alla Smirnova spoke with experts

Bad Rabbit is a virus belonging to the family of encrypting ransomware. It appeared quite recently and is aimed mainly at users' computers in Russia and Ukraine, and to a lesser extent in Germany and Turkey.

The operating principle of ransomware viruses is always the same: once on a computer, the malicious program encrypts system files and user data, blocking access to the computer with a password. All that is shown on the screen is the virus's window, the attacker's demands and the account number to which money must be transferred to unlock it. Since the mass spread of cryptocurrencies it has become popular to demand the ransom in bitcoins, since such transactions are extremely hard to trace from outside. Bad Rabbit does the same. It does not exploit a vulnerability in Adobe Flash Player or the operating system; it gets in disguised as a Flash Player update that the user is tricked into running.

After infection, BadRabbit creates the file infpub.dat in the Windows folder, which in turn creates the remaining program files, cscc.dat and dispci.exe; these modify the MBR of the user's disk and register their own tasks in the Task Scheduler. The malware has its own website for paying the ransom, uses the DiskCryptor encryption engine, encrypts with RSA-2048 and AES, and also scans for other machines reachable from the computer, trying to infect them too.

According to Symantec's assessment, the virus was rated a low threat, and, according to experts, it was created by the same developers as NotPetya and Petya, the viruses discovered a few months before Bad Rabbit, since it has similar operating algorithms. The Bad Rabbit ransomware first appeared in October 2017, and its first victims were the online newspaper Fontanka, a number of media outlets and the website of the Interfax news agency. The Beeline company was also attacked, but the threat was averted in time.

Note: fortunately, at the moment programs for detecting such threats are more effective than before, and the risk of infection with this virus has decreased.

Removing Bad Rabbit Virus

Bootloader recovery

As in most cases of this type, you can try restoring the Windows bootloader to eliminate the threat. On Windows 10 and Windows 8, connect the installation media (USB or DVD), boot from it and choose "Repair your computer". Then go to "Troubleshoot" and select "Command Prompt".

Now all that remains is to enter the commands one by one, pressing Enter each time after entering the next command:

  1. bootrec /FixMbr
  2. bootrec /FixBoot
  3. bootrec /ScanOs
  4. bootrec /RebuildBcd

After the commands complete, exit and reboot. This is often enough to get the system to boot again, but note that it only repairs the boot path: any files or partitions that the malware has already encrypted remain encrypted.
For Windows 7 the steps are the same, except that "Command Prompt" is found under "System Recovery Options" on the installation media.

Removing a virus using Safe Mode

To use this method you must boot into Safe Mode with Networking; it must be the variant with networking, not plain Safe Mode. On Windows 10 this can again be done from the installation media: after booting from it, at the screen with the "Install" button press Shift+F10 and enter at the prompt:

bcdedit /set {default} safeboot network

In Windows 7, you can simply press F8 several times while turning on the computer and select this boot mode from the list in the menu that appears.
Once in Safe Mode, the main goal is to scan the operating system for threats. It is best to do this with established utilities such as Reimage or Malwarebytes Anti-Malware. To boot normally again afterwards, remove the flag with bcdedit /deletevalue {default} safeboot.

Eliminating the threat using System Restore

For this method you again need the "Command Prompt", as in the instructions above. After launching it, enter cd restore and confirm with Enter, then enter rstrui.exe. A System Restore window will open in which you can roll back to a restore point that predates the infection. Note that restore points live on the same volume; if the disk has already been encrypted, they will not be available.

Hi all! Just the other day, a large-scale hacker attack using the new encrypting virus Bad Rabbit, also known as Diskcoder.D, began in Russia, Ukraine, Turkey, Germany and Bulgaria. The ransomware is currently attacking the corporate networks of large and medium-sized organizations, paralyzing entire networks. Today we will explain what this Trojan is and how you can protect yourself from it.

What kind of virus?

Bad Rabbit operates according to the standard ransomware scheme: once it gets onto the system, it encrypts files, and for their decryption the hackers demand 0.05 bitcoin, which at the current exchange rate is $283 (or 15,700 rubles). This is reported in a separate window, where you are supposed to enter the purchased key. Anti-virus products detect the threat as PDM:Trojan.Win32.Generic, and its other components as DangerousObject.Multi.Generic and Trojan-Ransom.Win32.Gen.ftl.

Bad Rabbit – a new ransomware virus

It is still difficult to fully trace all sources of infection, but experts are working on it. Presumably, the threat reaches the PC through infected sites with redirects configured, or under the guise of fake updates for popular plugins such as Adobe Flash. The list of such sites keeps growing.

Is it possible to remove a virus and how to protect yourself?

It should be said right away that all anti-virus labs have now started analyzing this Trojan. If you look specifically for information on removing the virus, there is none as such yet. Let's set aside the standard advice: make a backup of the system, a restore point, delete such-and-such files. If you have no backups, nothing else works; given how the virus is built, the hackers have thought such moves through.

I think that amateur-made decryptors for Bad Rabbit will soon be circulating; whether you use them is your own choice. As the previous Petya ransomware showed, this helps little.

But you can prevent the threat and remove it when it tries to get onto your PC. The Kaspersky and ESET labs were the first to respond to reports of the outbreak and are already blocking penetration attempts. Google Chrome has also begun to detect infected resources and warn about their danger. Here is what you need to do first to protect yourself from BadRabbit:

  1. If you use Kaspersky, ESET, Dr.Web or other popular products for protection, you must update their databases. For Kaspersky, also enable Activity Monitor (System Watcher); for ESET, apply the signatures from update 16295.

  2. If you do not use an anti-virus, block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy editor or AppLocker.
  3. It is advisable to disable the Windows Management Instrumentation (WMI) service. In Windows 10 the service is listed as "Windows Management Instrumentation": right-click it, open Properties and set "Startup type" to "Disabled". Bear in mind that many management and monitoring tools depend on WMI, so this is a blunt measure that should be reversed once the outbreak is over.

  4. Be sure to back up your system. Ideally, a copy should always be kept on separate media that is not permanently connected. Here is a short video on how to create one.
Conclusion

In conclusion, the most important thing: do not pay the ransom, no matter what was encrypted. Such actions only encourage the scammers to create new virus attacks. Watch the anti-virus companies' forums; I hope they will soon study the Bad Rabbit virus and find an effective cure. Be sure to follow the steps above to protect your OS. If you have any difficulties with them, please write in the comments.