Ransomware breeds through Windows networks via SMB, fake Flash
Bad news from BadRabbit … Screenshot from an infected PC (Source: Group-IB)
Updated: Computers at Russian media outlets and Ukraine’s transport hubs were among the Windows PCs infected and shut down today by another fast-spreading strain of ransomware.
Corporate systems within Interfax and two other major Russian news publishers have had their files encrypted and held to ransom by malware dubbed BadRabbit. In Ukraine, Odessa airport, the Kiev metro, and the Ministry of Infrastructure were also hit by the extortionware, which demands Bitcoins to restore scrambled documents.
“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” Interfax said in a statement.
The software nasty poses as an Adobe Flash update to trick victims into installing it. Once running, the evil code uses the legitimate open-source Mimikatz tool to extract login credentials from the computer’s memory, a technique also used by the NotPetya ransomware in June, and then uses those details, along with a hardcoded list of common password guesses, to worm its way through SMB shares on the network.
Its scanning for services to infect has also, in some cases, triggered EternalBlue alerts on network intrusion detection systems, suggesting it may be leveraging the leaked NSA exploit EternalBlue to infect and commandeer machines, as the WannaCry malware did in May. That link had not been confirmed at the time of writing.
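The two spread paths described above, credential theft from memory and SMB, are both things an administrator can narrow before the next worm arrives. The following PowerShell is an illustration added here, not code from the article or from any vendor advisory: it switches on LSA protection so unsigned tools cannot read LSASS memory, makes sure WDigest is not caching plaintext passwords, removes SMBv1 (the protocol EternalBlue targets) and blocks inbound SMB on a workstation. The firewall rule name is an assumption, and the inbound block is a blunt instrument: hosts that legitimately need to be reached over SMB, such as file servers or machines managed via admin shares, need a narrower rule.

```powershell
# Added hardening example (not from the article or any vendor). Run from an elevated
# PowerShell on Windows 8.1 / Server 2012 R2 or later; steps 1 and 3 need a reboot.
#Requires -RunAsAdministrator

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Run lsass.exe as a Protected Process Light. An unsigned tool such as Mimikatz can
#    then no longer open the process to read credential material out of its memory.
Set-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL' 1

# 2. Stop WDigest from keeping plaintext passwords in LSASS memory. This is already 0 by
#    default on current Windows, but legacy images and old GPOs sometimes set it back to 1.
Set-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0

# 3. Turn off SMBv1, the dialect the EternalBlue exploit abuses. The optional-feature
#    removal applies to client SKUs; on Windows Server use Remove-WindowsFeature FS-SMB1.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 4. A workstation rarely needs to serve files: block inbound TCP 445 so stolen
#    credentials cannot be replayed against it over the network. Rule name is assumed.
New-NetFirewallRule -DisplayName 'Block inbound SMB (workstation)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null

# Verify the resulting state.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' | Select-Object RunAsPPL
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' |
    Select-Object UseLogonCredential
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

None of this stops a user from running a fake Flash installer, but it means a single compromised PC yields fewer reusable credentials and has fewer neighbours it can reach over SMB.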
The BadRabbit name comes from the message displayed in a browser window from a .onion Tor-hidden server on infected PCs that gives users the bad news that their files have been encrypted and they need to cough up crypto-coins to unlock their data. It was first spotted by researchers at Moscow-based infosec biz Group-IB.
Pwned … How the ransom note appears on infected machines in a webpage from a .onion address (Source: Kaspersky Lab)
Russian computer forensics and incident response firm Group-IB, which was among the first to report on the outbreak, said the miscreants behind the outbreak were requesting 0.05 BTC ($286, £217) for decryption. This price will keep going up the longer a victim delays paying the ransom.
BadRabbit uses a legit program called DiskCryptor to cipher data on a victim’s hard drive, according to UK security consultant Kevin Beaumont.
Analysis work is still ongoing. BadRabbit encrypts all kinds of files on the drive, from .7z archives to .java source code to .docx documents. Researchers have published a list of indicators of compromise you can check to ascertain whether your machines or network have been infected: for example, network connections to caforssztxqzf2nm.onion, or downloads from…
…are pretty big signs of infiltration.
It is believed at this stage BadRabbit wipes system logs and the filesystem journal, and connects to a command-and-control server after infection to coordinate its extortion.
Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta
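The anti-ransomware protection referred to there is Controlled Folder Access, which shipped in Windows 10 version 1709. The PowerShell below is added here as an illustration, not taken from the article or from Microsoft: it turns the feature on in audit mode first, so legitimate software that writes into protected folders shows up in the Defender operational log instead of being blocked, then whitelists one such application and switches to enforcement. The folder and executable paths are assumptions.

```powershell
# Added example (not from the article): enable Controlled Folder Access via the Defender cmdlets.
#Requires -RunAsAdministrator

# Start in audit mode: writes to protected folders are logged, not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a location beyond the default user-profile folders. Path is an assumption.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shared\Finance'

# Review what would have been blocked. In the Defender operational log, event 1124 is an
# audited write to a protected folder and 1123 is a write that was actually blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# Whitelist a legitimate application seen in the audit events, then enforce.
# Executable path is an assumption.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Backup\backup.exe'
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

The audit step matters: going straight to Enabled on a fleet of PCs tends to break backup agents and line-of-business tools that nobody remembered write into Documents.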
It also drops a kernel-level keylogger, if it can, to snoop on the victim’s keypresses, can reboot the machine, and may alter the boot sector of the PC’s hard drives, it is claimed.
Chris Doman, a security researcher at AlienVault who is probing the malware, said: “This wouldn’t be the first time that an airport in Ukraine suffered a destructive cyber-attack and we are currently investigating to determine the strength of the links to the NotPetya attacks.
“There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as widespread as WannaCry or NotPetya.”
Antivirus packages may detect and stop BadRabbit, aka Diskcoder.D, before it can start up. Indeed, running the initial .exe may pop up a window asking you to disable any anti-malware software you have installed. According to Kaspersky Lab, if you prevent these files from executing…
…you should be able to disable BadRabbit from running. ®
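The advice above describes the usual “vaccine” pattern: if the payload files already exist on disk and cannot be written to or executed, the dropper fails. The PowerShell below is an illustration added here, not Kaspersky’s script, of one way to do that on a single machine: create a zero-byte stand-in for each path, mark it read-only, and replace its ACL with a single explicit Deny for Everyone. The article elides the actual filenames, so the path in `$paths` is a hypothetical placeholder; substitute the paths from the vendor advisory before running it.

```powershell
# Added example (not from the article or Kaspersky). The path below is a HYPOTHETICAL
# placeholder: replace it with the filenames from the vendor advisory before use.
#Requires -RunAsAdministrator

function Block-FileExecution {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        # Create a zero-byte stand-in if nothing is there yet, so the dropper's own
        # write to this path fails instead of succeeding.
        if (-not (Test-Path -LiteralPath $p)) {
            New-Item -Path $p -ItemType File -Force | Out-Null
        }
        # Mark it read-only ...
        Set-ItemProperty -LiteralPath $p -Name IsReadOnly -Value $true

        # ... and replace the ACL with a single explicit Deny for Everyone so nothing can
        # read, write or execute it. Inheritance is switched off so grants on the parent
        # directory do not leak back in.
        $acl = Get-Acl -LiteralPath $p
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList 'Everyone', 'FullControl', 'Deny'
        $acl.AddAccessRule($deny)
        Set-Acl -LiteralPath $p -AclObject $acl

        # Show what was applied.
        Get-Acl -LiteralPath $p | Select-Object Path, Owner, AccessToString
    }
}

# Hypothetical placeholder; the real filenames are in the vendor advisory, not this script.
$paths = @('C:\Windows\PLACEHOLDER-from-vendor-advisory.dat')
Block-FileExecution -Path $paths
```

Because the owner of a file keeps the implicit right to change its ACL, an administrator can still undo this later with Set-Acl; the malware, running as whoever clicked the fake installer, cannot.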