The new "rabbit" ransomware: how to protect yourself from Bad Rabbit


Yesterday, October 24, 2017, major Russian media outlets and a number of Ukrainian government agencies were attacked by unknown attackers. Among the victims were Interfax, Fontanka and at least one other unnamed online publication. Following the media, Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure also reported problems. According to a statement by Group-IB analysts, the criminals also tried to attack banking infrastructure, but those attempts were unsuccessful. ESET specialists, in turn, report that the attacks also affected users in Bulgaria, Turkey and Japan.

As it turned out, the disruptions at these companies and agencies were caused not by massive DDoS attacks but by a ransomware strain called Bad Rabbit (some experts prefer to write BadRabbit without a space).

Yesterday, little was known about the malware and how it operates: it was reported that the ransomware demanded 0.05 bitcoin, and Group-IB experts said the attack had been in preparation for several days. Two JS scripts were discovered on the attackers' website, and, judging by information from the server, one of them had been updated on October 19, 2017.

Now, although not even a day has passed since the attacks began, the ransomware has already been analyzed by specialists from almost all the leading information security companies. So what is Bad Rabbit, and should we expect a new ransomware epidemic on the scale of WannaCry or NotPetya?

How did Bad Rabbit cause major media outages when the initial infection was just a fake Flash update? According to ESET, Emsisoft and Fox-IT, after infection the malware used Mimikatz-style code to extract credentials from LSASS memory, and it also carried a built-in list of common logins and passwords. With these it spread over SMB and WebDAV to other servers and workstations on the same network as the infected device. At the time, experts from those companies and from Cisco Talos believed that the leaked NSA SMB exploit that WannaCry and NotPetya used to spread (EternalBlue) was not involved in this case; later analysis, including the Kaspersky Lab report below, did find the related EternalRomance SMB exploit in use for lateral movement.

However, experts still found similarities between Bad Rabbit and Petya (NotPetya). The ransomware not only encrypts user files but also, using the open-source DiskCryptor driver, encrypts disk partitions and replaces the MBR (Master Boot Record) with its own bootloader, after which it reboots the computer and displays a ransom message instead of booting the system.

Although the message with the attackers' demands is almost identical to the message from the NotPetya operators, experts have slightly different opinions regarding the connection between Bad Rabbit and NotPetya. Thus, analysts at Intezer calculated that the source code of the malware

Update 10/27/2017. Assessing the decryption capability. Possibility of file recovery. Verdicts.

What happened?

On Tuesday, October 24, we received notifications of massive attacks using the Bad Rabbit ransomware. Organizations and individual users were affected - mainly in Russia, but there were also reports of victims from Ukraine. This is the message victims see:

What is Bad Rabbit?

Bad Rabbit belongs to a previously unknown family of ransomware.

How is it distributed?

The malware is spread by a drive-by attack: the victim visits a legitimate website, and a dropper is downloaded from the attackers' infrastructure. The criminals did not use exploits at this stage, so to get infected the user had to run the downloaded file, disguised as an Adobe Flash installer, manually. However, our analysis confirms that Bad Rabbit used the EternalRomance exploit to spread within corporate networks; the same exploit was used by the ExPetr ransomware.

We have discovered a number of hacked resources - all of them are news portals and media sites.

Who is the attack aimed at?

Most of the victims are in Russia. Similar but less massive attacks affected other countries: Ukraine, Turkey and Germany. The total number of targets, according to KSN statistics, is around 200.

When did Kaspersky Lab discover the threat?

We were able to trace the original attack vector from its very beginning, on the morning of October 24. The active phase lasted until noon, although individual attacks were recorded until 19:55 Moscow time. The server from which the Bad Rabbit dropper was distributed was shut down that evening.

How is Bad Rabbit different from the ExPetr ransomware? Or is it the same malware?

According to our observations, this is a targeted attack on corporate networks, and its methods are similar to those used during the ExPetr attack. Moreover, analysis of the Bad Rabbit code showed a marked similarity to the ExPetr code.

Technical details

According to our data, the ransomware spreads through a drive-by attack. The ransomware dropper is downloaded from hxxp://1dnscontrol[.]com/flash_install.php.

Victims are redirected to this malicious resource from legitimate news sites.

The victim must run the downloaded install_flash_player.exe file manually. To function properly, the file requires administrator rights, which it requests through a standard UAC prompt. When launched, the malware saves the malicious DLL as C:\Windows\infpub.dat and runs it via rundll32.

Pseudocode of the malicious DLL installation procedure

Apparently, the infpub.dat library attempts NTLM logons against Windows machines at pseudo-random IP addresses, trying the credentials from a hardcoded list.

Hardcoded list of credentials
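On the receiving side, a hardcoded credential list produces a recognizable pattern in the Security log: one source address trying several accounts over NTLM (logon type 3) in a short window, usually with one eventual success. The following is an added example, not code from the Kaspersky Lab report, that flags such sources. The event IDs (4624/4625) and EventData field names are the standard Windows Security log schema; the account threshold, the function names and the sample records are assumptions constructed for the example.

```powershell
# Added example (not from the original report). Flags sources that try many accounts
# over NTLM network logons, the footprint a hardcoded credential list leaves on targets.
# $Events is a flat list of objects with Ip, User, Package and Success properties.
function Find-CredentialSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinAccounts = 5          # assumed threshold: distinct accounts per source
    )
    $Events |
        Where-Object { $_.Package -eq 'NTLM' } |
        Group-Object -Property Ip |
        ForEach-Object {
            $users = $_.Group | Select-Object -ExpandProperty User -Unique
            $hits  = $_.Group | Where-Object { $_.Success }
            if ($users.Count -ge $MinAccounts) {
                [pscustomobject]@{
                    SourceIp        = $_.Name
                    AccountsTried   = $users.Count
                    Failures        = ($_.Group | Where-Object { -not $_.Success }).Count
                    SuccessfulUsers = ($hits | Select-Object -ExpandProperty User -Unique) -join ','
                }
            }
        }
}

# Converts live Security-log records (4624 success, 4625 failure) into that flat shape,
# keeping only network logons (LogonType 3). Needs to run elevated on the target host.
function Get-NetworkLogonEvents {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -eq '3') {
                [pscustomobject]@{
                    Ip      = $d['IpAddress']
                    User    = $d['TargetUserName']
                    Package = $d['AuthenticationPackageName']
                    Success = ($_.Id -eq 4624)
                }
            }
        }
}

# Constructed sample: one host walking a short list against five accounts and landing
# one of them, plus an unrelated Kerberos logon that must not be flagged.
$sample = @(
    foreach ($u in 'Administrator', 'admin', 'Guest', 'user', 'operator') {
        [pscustomobject]@{ Ip = '10.0.0.23'; User = $u; Package = 'NTLM'; Success = $false }
    }
    [pscustomobject]@{ Ip = '10.0.0.23'; User = 'admin'; Package = 'NTLM';     Success = $true }
    [pscustomobject]@{ Ip = '10.0.0.7';  User = 'alice'; Package = 'Kerberos'; Success = $true }
)
Find-CredentialSpray -Events $sample | Format-Table -AutoSize
# On a live host: Find-CredentialSpray -Events (Get-NetworkLogonEvents)
```

The sample reports 10.0.0.23 with five accounts tried, five failures and "admin" as the successful account; 10.0.0.7 is ignored. A source that authenticates successfully after a run of failures against different accounts is the one to isolate first, since that is the host already carrying the credential list.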

The infpub.dat library also installs a malicious executable, dispci.exe, in C:\Windows and creates a scheduled task to run it.

Pseudocode of the procedure that creates the task of launching a malicious executable file

Moreover, infpub.dat behaves like typical ransomware: it locates the victim's data using a built-in list of extensions and encrypts the files, protecting the per-victim encryption key with the attackers' 2048-bit RSA public key.

Attackers' public key and list of extensions

Public key parameters:

Public-Key: (2048 bit)
Modulus:
00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:
6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:
37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:
93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:
95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:
a6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:
4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:
1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:
1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:
59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:
59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:
f4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:
8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:
47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:
0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:
81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:
84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:
1f:61
Exponent: 65537 (0x10001)


The executable dispci.exe appears to be based on code from the legitimate DiskCryptor utility. It acts as the disk-encryption module and at the same time installs a modified bootloader, blocking the normal boot process of the infected system.

While analyzing samples of this threat, we noticed an interesting detail: apparently, the authors of the malware are fans of “Game of Thrones.” Some lines in the code represent the names of characters from this universe.

Names of dragons from Game of Thrones

Names of characters from Game of Thrones

Encryption scheme

As already mentioned, the Bad Rabbit ransomware encrypts both the victim's files and the hard drive. For files, the following algorithms are used:

  1. AES-128-CBC
  2. RSA-2048

This is a typical scheme used by ransomware.

Interestingly, the ransomware enumerates all running processes, computes a hash of each process name and compares it against a hardcoded list of hashes (which lets it check for security products without carrying their names as plain strings). The hashing algorithm is similar to the one used by the ExPetr malware.

Comparison of Bad Rabbit and ExPetr hashing procedures

Special branch of program execution

Runtime Flag Initialization Procedure

Full list of hashes from process names:

Hash        Process name
0x4A241C3E dwwatcher.exe
0x923CA517 McTray.exe
0x966D0415 dwarkdaemon.exe
0xAA331620 dwservice.exe
0xC8F10976 mfevtps.exe
0xE2517A14 dwengine.exe
0xE5A05A00 mcshield.exe

Partitions on the victim's hard drive are encrypted using DiskCryptor's dcrypt.sys driver (it is dropped as C:\Windows\cscc.dat and loaded from there). The encryptor sends the necessary IOCTL codes to this driver. Some functions are taken as-is from the DiskCryptor source code (drv_ioctl.c), while others appear to have been added by the malware's developers.

Disk partitions are encrypted by the DiskCryptor driver using AES in XTS mode. The password is generated by dispci.exe using the WinAPI CryptGenRandom function and is 32 characters long.

Assessing decryption capability

Our data suggests that Bad Rabbit, unlike ExPetr, was not created as a wiper (we wrote earlier that the creators of ExPetr are technically unable to decrypt an MFT encrypted by its GoldenEye-derived code). The malware's algorithm implies that the attackers behind Bad Rabbit do have the tools needed for decryption.

The data shown on the infected machine's screen as "personal installation key#1" is an RSA-2048-encrypted, base64-encoded binary structure containing identifying information about the infected system together with the disk-encryption password.

Attackers can use their RSA private key to decrypt this structure and send the disk decryption password to the victim.

Please note that the value of the id field passed to dispci.exe is simply a 32-bit number used to distinguish between infected computers, not the AES key for disk encryption, as some reports published online have claimed.

During analysis, we extracted the password generated by the malware under a debugger and entered it on the locked system after the reboot: the password was accepted and the system continued to boot.

Unfortunately, it is impossible to decrypt the disks without the attackers' RSA-2048 private key: the symmetric keys are generated securely on the victim side, which in practice rules out brute-forcing them.

However, we discovered a bug in the dispci.exe code: the generated password is not wiped from memory, which gives a small chance of retrieving it before the dispci.exe process terminates. In the screenshot below, you can see that while the dc_pass variable (which is passed to the driver) is securely erased after use, this is not done for the rand_str variable, which holds a copy of the password.

Pseudo code for a procedure that generates a password and encrypts disk partitions

File encryption

As already noted, the Trojan uses a typical file-encryption scheme. It generates a random 32-byte string and feeds it into a key-derivation routine. Unfortunately for victims, the string comes from CryptGenRandom, a cryptographically secure generator, so it cannot be predicted or reproduced.

Key derivation algorithm

The encrypted password, along with information about the infected system, is written to the Readme file as “personal installation key#2”.

Interesting fact: the malware does not encrypt files with the Read-Only attribute.

Ability to recover files

We found that Bad Rabbit does not delete Volume Shadow Copies after encrypting files. This means that if the shadow copy service (VSS) was enabled before the infection and full-disk encryption did not complete for some reason, the victim can restore the encrypted files from the shadow copies using standard Windows tools or third-party utilities.

Shadow copies unaffected by Bad Rabbit
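A practical way to act on this is to list the snapshots that survived, expose one as a directory, and copy the pre-encryption versions out. The following is an added example, not code from the Kaspersky Lab report: it uses the Win32_ShadowCopy and Win32_Volume CIM classes and the documented mklink trick for mounting a snapshot's device object. The mount point, function names and the paths in the usage comments are assumptions; it must run from an elevated prompt.

```powershell
# Added example (not from the original report): enumerate surviving shadow copies and
# copy files back from one. Only works when the disk itself was not encrypted, which
# the report notes is the precondition for this recovery path.
function Get-ShadowCopyList {
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate | ForEach-Object {
        $sc = $_
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{...}\ form
        $v = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName } | Select-Object -First 1
        [pscustomobject]@{
            Id           = $sc.ID
            Created      = $sc.InstallDate
            DriveLetter  = $v.DriveLetter
            DeviceObject = $sc.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,
        [string] $MountPoint = 'C:\shadow'     # assumed location for the link
    )
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
    # mklink requires the trailing backslash on the device object. The snapshot is
    # read-only, so nothing done through the link can alter it.
    cmd.exe /c mklink /d "$MountPoint" "$DeviceObject\" | Out-Null
    return $MountPoint
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [string] $RelativePath,   # path inside the volume, e.g. 'Users\alice\Documents'
        [Parameter(Mandatory)] [string] $Destination     # copy to a clean location, never over the encrypted originals
    )
    Copy-Item -LiteralPath (Join-Path $MountPoint $RelativePath) -Destination $Destination -Recurse -Force
}

# Usage (elevated; the snapshot device name and paths below are placeholders):
#   Get-ShadowCopyList | Format-Table -AutoSize
#   $m = Mount-ShadowCopy -DeviceObject '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3'
#   Restore-FromShadowCopy -MountPoint $m -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered'
#   cmd.exe /c rmdir "$m"    # remove the link afterwards (rmdir on the link, not a recursive delete)
```

Pick the newest snapshot created before the infection time; later snapshots may already contain encrypted copies. Do the listing before any reboot: if the machine has already restarted into the malware's bootloader, the volume is no longer readable and this path is closed.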

Kaspersky Lab experts are continuing to analyze the ransomware in detail to find possible flaws in its cryptographic scheme.

Kaspersky Lab corporate clients are recommended to:

  • check that all protection mechanisms are enabled according to the recommendations; separately, make sure that the KSN and System Watcher ("System Monitoring") components are not disabled (they are active by default);
  • promptly update anti-virus databases.

This should be enough. But as additional precautions, we recommend:

  • prohibit execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security;
  • configure and enable the "Default Deny" mode in the "Application Launch Control" component in Kaspersky Endpoint Security.

Kaspersky Lab products define this threat as:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak
IoC:

- http://1dnscontrol[.]com/ (dropper download site)
- install_flash_player.exe (dropper)
- C:\Windows\infpub.dat
- C:\Windows\dispci.exe
- C:\Windows\cscc.dat (DiskCryptor driver copy)
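The indicators above can be turned into a host sweep. The following is an added example, not code from the Kaspersky Lab report, that checks for the dropped files, for scheduled tasks or driver services that reference them, and for a cached DNS lookup of the distribution domain. Because the report gives file names but not task or service names, the task and service checks match on the file names rather than on specific task names; the function name is an assumption, and the script needs an elevated prompt to read all registry and task entries.

```powershell
# Added example (not from the original report): sweep a host for the Bad Rabbit
# artifacts the report lists. Returns a list of findings; empty means nothing found.
function Test-BadRabbitIoC {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files in %SystemRoot%, hashed so the sample can be matched later
    $paths = "$env:SystemRoot\infpub.dat", "$env:SystemRoot\dispci.exe", "$env:SystemRoot\cscc.dat"
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("file present: $p sha256=$h")
        }
    }

    # 2. Scheduled tasks whose action launches one of the dropped binaries
    #    (the report says infpub.dat creates a task to run dispci.exe)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'dispci\.exe|infpub\.dat|cscc\.dat') {
                $findings.Add("scheduled task '$($_.TaskPath)$($_.TaskName)' runs: $cmd")
            }
        }
    }

    # 3. Driver/service entries pointing at cscc.dat (the DiskCryptor driver copy)
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.ImagePath -match 'cscc\.dat' } |
        ForEach-Object { $findings.Add("service '$($_.PSChildName)' ImagePath: $($_.ImagePath)") }

    # 4. Recent resolution of the dropper domain by this host
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*1dnscontrol.com*' } |
        ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

    return $findings
}

$r = Test-BadRabbitIoC
if ($r.Count -gt 0) { $r } else { 'no Bad Rabbit indicators found on this host' }
```

A hit on check 2 or 3 means the host has already executed the DLL stage, and the priority becomes preventing the reboot that hands control to the modified bootloader (see the shadow-copy note above); a hit only on check 4 means a user reached the distribution site but may not have run the dropper.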


The ransomware virus, known as Bad Rabbit, attacked tens of thousands of computers in Ukraine, Turkey and Germany. But most of the attacks occurred in Russia. What kind of virus is this and how to protect your computer, we tell you in our Questions and Answers section.

Who suffered from Bad Rabbit in Russia?

The Bad Rabbit ransomware began spreading on October 24. Among its victims are the Interfax news agency and the Fontanka.ru publication.

The Kyiv metro and Odessa airport also suffered from the attack. An attempt to break into the systems of several of Russia's top-20 banks later became known.

By all indications, this is a targeted attack on corporate networks, as it uses methods similar to those observed in the ExPetr virus attack.

The new ransomware makes the same demand of everyone: a ransom of 0.05 bitcoin, roughly 16 thousand rubles at the time. It also states that the time to pay is limited: a little over 40 hours are given, after which the ransom increases.

What is this virus and how does it work?

Have you already found out who is behind its spread?

It has not yet been possible to establish who is behind this attack. So far the investigation has only led researchers to the distribution domain.

Experts from antivirus companies note the similarity of the new virus to the Petya virus.

But, unlike previous viruses this year, this time the hackers decided to take the simple route, reports 1tv.ru.

"Apparently, the criminals expected that in most companies users would have updated their computers after these two attacks, and decided to try a fairly cheap means, social engineering, in order to infect users relatively quietly at first," said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

How to protect your computer from a virus?

Be sure to back up your system. If you use Kaspersky, ESET, Dr.Web or another popular product for protection, update its databases promptly. For Kaspersky you also need to make sure "Activity Monitoring" (System Watcher) is enabled, and for ESET you need to apply the signatures from update 16295, reports talkdevice.

If you do not have antivirus software, block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This can be done through the Group Policy Editor (Software Restriction Policies) or with AppLocker.

Stop the Windows Management Instrumentation (WMI) service: right-click it, open its properties and set "Startup type" to "Disabled". Note that this breaks any management and monitoring tooling that depends on WMI (software deployment, inventory, monitoring agents), so treat it as a temporary emergency measure rather than a permanent setting.
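The file-blocking recommendation (here and in the Kaspersky Lab list above) can be applied without any vendor product using AppLocker path rules. The following is an added example, not code from any of the quoted sources: it writes a policy that denies the three dropped files to everyone (SID S-1-1-0) and merges it into the local policy. The rule GUIDs are generated on the fly, the temporary file location and function names are assumptions, and the script must run elevated on an edition that enforces AppLocker (Enterprise, Education or Server SKUs).

```powershell
# Added example (not from the original sources). AppLocker path rules denying the
# dropped Bad Rabbit binaries. AppLocker governs EXE and DLL loads (dispci.exe, and
# infpub.dat loaded via rundll32) but NOT kernel drivers, so the cscc.dat rule only
# stops it being loaded as a DLL; it cannot stop the driver service once installed.
function New-DenyPathRule {
    param([string] $Path, [string] $Name)
    $rule = '<FilePathRule Id="{0}" Name="{1}" Description="Bad Rabbit block" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="{2}" /></Conditions></FilePathRule>'
    $rule -f [guid]::NewGuid(), $Name, $Path
}

# An AppLocker collection that contains any rule becomes default-deny for everything
# not explicitly allowed. This "allow *" rule keeps the collection from blocking the
# whole system; deny rules always override allow rules. On hosts that already run an
# AppLocker allow-list, omit this rule and merge only the deny rules.
function New-AllowAllRule {
    $rule = '<FilePathRule Id="{0}" Name="Allow all (prevents default-deny)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>'
    $rule -f [guid]::NewGuid()
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    $(New-AllowAllRule)
    $(New-DenyPathRule -Path '%WINDIR%\dispci.exe' -Name 'Deny dispci.exe')
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    $(New-AllowAllRule)
    $(New-DenyPathRule -Path '%WINDIR%\infpub.dat' -Name 'Deny infpub.dat')
    $(New-DenyPathRule -Path '%WINDIR%\cscc.dat' -Name 'Deny cscc.dat')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'badrabbit-applocker.xml'   # assumed scratch location
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Merge into the local policy (keeps existing rules) and make sure the Application
# Identity service, which AppLocker needs for enforcement, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Verify that the effective policy now carries the deny rules.
(Get-AppLockerPolicy -Effective -Xml) -match 'infpub\.dat'
```

Enabling the DLL collection adds a check to every library load on the machine, so test it on a few hosts before pushing it fleet-wide through Group Policy. The widely circulated "vaccine" from the same week took a different route to the same end: pre-creating C:\Windows\infpub.dat and C:\Windows\cscc.dat with all permissions removed so the dropper cannot write them, which relies on the behaviour noted above that the malware skips files it cannot modify.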

Back in the late 1980s, the AIDS Trojan ("PC Cyborg"), written by Joseph Popp, hid directories and encrypted file names, demanding about $200 for a "license renewal." At first, ransomware targeted only ordinary Windows users, but it has since become a serious problem for businesses: more programs are appearing, and they are becoming cheaper and more accessible. Extortion using malware is the main cyber threat in two-thirds of EU countries. One of the most widespread strains, CryptoLocker, has infected more than a quarter of a million computers in EU countries since September 2013.

In 2016, the number of ransomware attacks increased sharply, by more than a hundred times compared to the previous year according to analysts. This is a growing trend, and, as we have seen, very different companies and organizations come under attack; the threat is also relevant for non-profit organizations. Since the malware used in each major attack is reworked and tested by the attackers against current anti-virus products before release, signature-based protection usually lags behind it at first.

On October 12, the Security Service of Ukraine warned of the likelihood of new large-scale cyberattacks on government agencies and private companies, similar to the June NotPetya ransomware epidemic. According to the Ukrainian service, "the attack can be carried out using updates, including of publicly available application software." Recall that in the NotPetya attack, which researchers linked to the BlackEnergy group, the first victims were companies using software from the Ukrainian document-management developer M.E.Doc.

Then, in the first 2 hours, energy, telecommunications and financial companies were attacked: Zaporozhyeoblenergo, Dneproenergo, Dnieper Electric Power System, Mondelez International, Oschadbank, Mars, Nova Poshta, Nivea, TESA, Kiev Metro, computers of the Cabinet of Ministers and the Government of Ukraine, shops "Auchan", Ukrainian operators ("Kyivstar", LifeCell, "UkrTeleCom"), Privatbank, Boryspil airport.

A little earlier, in May 2017, the WannaCry ransomware virus attacked 200,000 computers in 150 countries. The virus spread through the networks of universities in China, factories of Renault in France and Nissan in Japan, telecommunications company Telefonica in Spain and railway operator Deutsche Bahn in Germany. Due to blocked computers in UK clinics, operations had to be postponed, and regional units of the Russian Ministry of Internal Affairs were unable to issue driver's licenses. Researchers said North Korean hackers from Lazarus were behind the attack.

In 2017, encryption viruses reached a new level: the use of tools from the arsenals of American intelligence services and new distribution mechanisms by cybercriminals led to international epidemics, the largest of which were WannaCry and NotPetya. Despite the scale of the infection, the ransomware itself collected relatively insignificant amounts - most likely these were not attempts to make money, but to test the level of protection of the critical infrastructure networks of enterprises, government agencies and private companies.

On October 24, Russian media, as well as transport companies and government agencies in Ukraine, were attacked by the Bad Rabbit ransomware. According to open sources, the victims include the Kiev metro, Odessa airport, the Ministry of Infrastructure of Ukraine, the editorial offices of Interfax and Fontanka.

According to the ESET virus laboratory, the attack on the Kiev metro used Diskcoder.D malware, a new modification of the encryptor known as Petya.

Information security specialists from Group-IB determined that the attack had been in preparation for several days. ESET warns that the ransomware penetrates the computer through a fake Adobe Flash plugin update. After that, it infects the PC and encrypts the files on it. Then a message appears on the monitor stating that the computer is locked, and to decrypt the files you need to go to the Bad Rabbit website - caforssztxqzf2nm.onion through the Tor browser.

The WannaCry and NotPetya ransomware epidemics have shown that it is necessary to promptly update installed programs and systems, as well as make backup copies, so as not to be left without important information after a virus attack.

However, if an infection occurs, experts from Group-IB do not recommend paying the ransom, because:

  • in this way you help criminals;
  • We have no evidence that the data of those who paid was restored.

How to protect your computer from Bad Rabbit infection?

To avoid becoming a victim of the new Bad Rabbit epidemic, Kaspersky Lab experts recommend doing the following:

For users of Kaspersky Lab antivirus solutions:

  • Check whether the Kaspersky Security Network and Activity Monitor (aka System Watcher) components are enabled in your security solution. If not, be sure to turn them on.

For those who do not use Kaspersky Lab antivirus solutions.






