
Bad Rabbit may be the harbinger of a third wave of ransomware, according to Kaspersky Lab. The first two waves were the sensational WannaCry and Petya (aka NotPetya). Cybersecurity experts spoke to MIR 24 about the emergence of the new network malware and how to defend against its attack.

Most of the victims of the Bad Rabbit attack are in Russia; there are far fewer in Ukraine, Turkey and Germany, said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The countries in second place are probably those where users actively visit Russian Internet resources.

When the malware infects a computer, it encrypts the files on it. It spreads via web traffic from compromised Internet resources, mainly the websites of federal Russian media, and also hit the computers and servers of the Kiev metro, the Ukrainian Ministry of Infrastructure, and Odessa International Airport. An unsuccessful attempt to attack Russian banks from the top 20 was also recorded.

Group-IB, a company specializing in information security, reported yesterday that Fontanka, Interfax and a number of other publications were attacked by Bad Rabbit. Analysis of the malware's code showed that Bad Rabbit is related to the NotPetya ransomware, which in June this year attacked energy, telecommunications and financial companies in Ukraine.

The attack was prepared over several days and, despite the scale of the infection, the ransomware demanded a relatively small amount from its victims: 0.05 bitcoins (about 283 dollars or 15,700 rubles). Victims have 48 hours to pay; after that period the amount increases.

Group-IB specialists believe the attackers most likely have no intention of making money. Their probable goal is to test the level of protection of the critical infrastructure networks of enterprises, government departments and private companies.

It's easy to be attacked

When a user visits an infected site, malicious code on the page sends information about the visitor to a remote server. A pop-up window then appears asking the user to download a Flash Player update, which is fake. If the user clicks "Install", a file is downloaded to the computer which in turn launches the Win32/Filecoder.D encryptor on the system. Access to documents is then blocked and a ransom message appears on the screen.

The Bad Rabbit malware scans the network for open network shares, after which it launches a credential-harvesting tool on the infected machine; this behaviour distinguishes it from its predecessors.

Experts from the antivirus vendor ESET (NOD32) have confirmed that Bad Rabbit is a new modification of the Petya malware, whose principle was the same: it encrypted information and demanded a ransom in bitcoins (an amount comparable to Bad Rabbit's, about $300). The new malware fixes bugs in Petya's file encryption. Its code is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as bootable system disk partitions.

Speaking about the audience attacked by Bad Rabbit, Vitaly Zemsky, Head of Sales Support at ESET Russia, stated that 65% of the attacks stopped by the company's antivirus products were in Russia. The rest of the new malware's geography looks like this:

  • Ukraine - 12.2%
  • Bulgaria - 10.2%
  • Turkey - 6.4%
  • Japan - 3.8%
  • others - 2.4%

"The ransomware uses known open-source software called DiskCryptor to encrypt the victim's disks. The lock screen message that the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity we have seen so far between the two malware families. In all other aspects, BadRabbit is a completely new and unique type of ransomware," says Nikita Durov, CTO of Check Point Software Technologies.

How to protect yourself from Bad Rabbit?

Owners of operating systems other than Windows can breathe a sigh of relief: the new ransomware only affects computers running Windows.

To protect against the network malware, experts recommend creating the file C:\windows\infpub.dat on your computer and setting it to read-only; this is easy to do in the file's properties. This blocks the malware's file from being written and executed, so documents arriving from outside will not be encrypted even if they turn out to be infected. To avoid losing valuable data in case of infection, make a backup copy now. And, of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.

Recall that in May of this year WannaCry spread to at least 150 countries around the world. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars. More than 200 thousand users suffered from it. According to one account, its creators based it on the US NSA exploit EternalBlue.

Alla Smirnova spoke with experts

Bad Rabbit is a file-encrypting ransomware. It appeared quite recently and is aimed mainly at the computers of users in Russia and Ukraine, and to a lesser extent in Germany and Turkey.

The principle of operation of ransomware is always the same: once on a computer, the malicious program encrypts system files and user data and blocks access to the computer behind a password. All that is displayed on the screen is the malware's window with the attacker's demands and the account to which the money must be transferred to unlock the machine. After the mass adoption of cryptocurrencies, it became popular to demand the ransom in bitcoins, since their transactions are extremely difficult to trace from the outside. Bad Rabbit does the same. It exploits operating system vulnerabilities, in particular in Adobe Flash Player, and infiltrates under the guise of an update for it.

After infection, BadRabbit creates the file infpub.dat in the Windows folder, which in turn creates the remaining program files, cscc.dat and dispci.exe; these modify the MBR of the user's disk and create their own tasks in the Task Scheduler. The malware has its own website for paying the ransom, uses the DiskCryptor encryption driver, encrypts with RSA-2048 and AES, and monitors all devices connected to the computer, trying to infect them too.
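As an added example (not code from the article or from any of the vendors it cites), the following PowerShell triage script checks a host for the artifacts this paragraph names: the three files dropped in the Windows folder and any scheduled task whose action references them. It assumes an elevated PowerShell 5.1 or newer session on the machine being checked; the file names and locations are taken from the text above, and the task-matching pattern is an assumption based on them.

```powershell
# Added example: look for the Bad Rabbit artifacts named in the article.
# Assumption: elevated PowerShell 5.1+ session on the host being checked.
$indicators = @(
    "$env:SystemRoot\infpub.dat",
    "$env:SystemRoot\cscc.dat",
    "$env:SystemRoot\dispci.exe"
)

$findings = foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Path   = $path
            Bytes  = $item.Length
            # A zero-byte infpub.dat or cscc.dat is usually the read-only "vaccine" file
            # that the protection advice describes, not the malware's own dropper.
            Note   = if ($item.Length -eq 0) { 'empty (likely vaccine file)' } else { 'non-empty: investigate' }
            SHA256 = if ($item.Length -gt 0) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# Scheduled tasks whose command line references one of the dropped files.
# The task names themselves are not given in the article, so match on the action instead.
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ($_.Execute + ' ' + $_.Arguments) -match 'dispci\.exe|infpub\.dat|cscc\.dat'
    }
} | Select-Object TaskName, TaskPath, State

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicator files found.' }
if ($tasks)    { $tasks    | Format-Table -AutoSize } else { 'No scheduled tasks reference the indicator files.' }
```

Run it before the cleanup steps described later on the page and record the hashes it prints; a non-empty infpub.dat or any task pointing at dispci.exe is the signal to isolate the host from the network before anything else, since the malware also tries to reach other devices on the same network.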

Symantec assigned the malware a low threat rating, and according to experts it was created by the same developers as NotPetya and Petya, discovered a couple of months before Bad Rabbit, since its algorithms work similarly. The Bad Rabbit ransomware first appeared in October 2017, and its first victims were the online newspaper Fontanka, a number of media outlets, and the website of the Interfax news agency. Beeline was also attacked, but the threat was averted in time.

Note: fortunately, programs for detecting such threats are now more effective than before, and the risk of infection with this malware has decreased.

Removing the Bad Rabbit virus

Bootloader Recovery

As in most cases of this type, to eliminate the threat you can try to restore the Windows bootloader. On Windows 10 and Windows 8, connect the installation media (USB or DVD), boot from it, and choose the "Repair your computer" option. Then go to "Troubleshoot" and select "Command Prompt".

Now it remains to enter the commands one by one, each time pressing Enter after entering the next command:

  1. bootrec /FixMbr
  2. bootrec /FixBoot
  3. bootrec /ScanOs
  4. bootrec /RebuildBcd

After running these commands, exit and reboot. Most often this is enough to solve the problem.
On Windows 7 the steps are the same, except that "Command Prompt" is found under "System Recovery Options" on the installation media.

Removing a virus through Safe Mode

To use this method, you must boot into Safe Mode with Networking, specifically the variant with networking, not plain Safe Mode. On Windows 10 this can again be done from the installation media: after booting from it, in the window with the "Install" button press Shift + F10 and enter:

bcdedit /set {default} safeboot network

On Windows 7, you can simply press F8 several times while the computer is starting and select this boot mode from the menu that appears.
Once in Safe Mode, the main goal is to scan the operating system for threats. It is best to do this with time-tested utilities such as Reimage or Malwarebytes Anti-Malware.

Eliminate a threat using the Recovery Center

To use this method you again need the Command Prompt, as in the instructions above. After launching it, enter cd restore and confirm with Enter, then enter rstrui.exe. The System Restore window opens, in which you can return to a restore point from before the infection.

The end of October this year was marked by the emergence of a new malware strain that actively attacked the computers of corporate and home users. The new malware is a file encryptor and is called Bad Rabbit. It attacked the websites of several Russian mass media outlets. Later, it was also found in the information networks of Ukrainian enterprises: the networks of the metro, various ministries, international airports and others were attacked. A little later, a similar attack was observed in Germany and Turkey, although its activity there was significantly lower than in Ukraine and Russia.

The malware is a program that, after it enters a computer, encrypts its files. Once the information has been encrypted, the attackers try to extract payment from users for decrypting their data.

Spread of the virus

Experts from ESET's anti-virus laboratory analyzed the malware's propagation path and concluded that it is a modified version of the malware that spread as Petya not long ago.

ESET laboratory experts established that the malicious payload was distributed from the 1dnscontrol.com resource and the IP address 5.61.37.209. Several more resources are associated with this domain and IP, including secure-check.host, webcheck01.net, secureinbox.email, webdefense1.net, secure-dns1.net and firewebmail.com.

Specialists found that the owners of these sites had registered many other resources, for example ones through which they try to sell counterfeit medicines via spam mailings. ESET specialists do not rule out that the main cyber attack was carried out with the help of these resources, using spam and phishing.

How does Bad Rabbit infect a computer?

Specialists at the computer forensics laboratory investigated how the malware got onto users' computers. They found that in most cases the Bad Rabbit ransomware was distributed as an Adobe Flash update. That is, the malware did not exploit any operating system vulnerability; it was installed by the users themselves, who unknowingly approved its installation thinking they were updating the Adobe Flash plugin. Once inside a local network, the malware stole logins and passwords from memory and spread on its own to other computers.

How hackers extort money

Once the ransomware has been installed on the computer, it encrypts the stored information. Users then receive a message stating that to regain access to their data they must make a payment on a specified dark web site, which first requires installing the Tor browser. To unlock the computer, the attackers extort a payment of 0.05 bitcoins. At today's price of $5,600 for 1 bitcoin, that is approximately $280. The user is given 48 hours to pay; after this period, if the required amount has not been transferred to the attacker's wallet, the amount increases.

How to protect yourself from the virus

  1. To protect yourself from infection with Bad Rabbit, block access from your network to the domains listed above.
  2. Home users should update their Windows installation and antivirus program. The malicious file will then be detected as ransomware, which rules out its installation on the computer.
  3. Users of the antivirus built into Windows already have protection against this ransomware; it is implemented in the Windows Defender Antivirus application.
  4. The developers of the Kaspersky Lab antivirus advise all users to back up their data periodically. In addition, experts recommend blocking execution of the files c:\windows\infpub.dat and c:\WINDOWS\cscc.dat and, if possible, disabling the WMI service.
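The first recommendation above can be applied on a single Windows host with the PowerShell below. It is an added example, not code from the article or from ESET: it sinkholes the domains listed in the "Spread of the virus" section in the hosts file and adds an outbound Windows Firewall rule for the IP address given there. It assumes an elevated session on Windows 8 / Server 2012 or newer (for the NetSecurity and DnsClient cmdlets); the rule name and comment tag are arbitrary.

```powershell
# Added example: block the distribution domains and IP named in the article on one host.
# Assumptions: elevated PowerShell session, Windows 8 / Server 2012 or newer.
$domains = @(
    '1dnscontrol.com', 'secure-check.host', 'webcheck01.net', 'secureinbox.email',
    'webdefense1.net', 'secure-dns1.net', 'firewebmail.com'
)
$ip = '5.61.37.209'

# 1) Sinkhole the domains in the hosts file so the fake "Flash update" page cannot be reached.
$hosts    = "$env:SystemRoot\System32\drivers\etc\hosts"
$existing = Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue
$newLines = foreach ($d in $domains) {
    foreach ($name in @($d, "www.$d")) {
        # Skip names that already have an entry (any IP) so the script is safe to re-run.
        $pattern = "\s$([regex]::Escape($name))(\s|$)"
        if (-not ($existing -match $pattern)) { "0.0.0.0`t$name`t# BadRabbit block" }
    }
}
if ($newLines) { Add-Content -LiteralPath $hosts -Value $newLines }

# 2) Drop outbound traffic to the distribution IP.
$ruleName = 'Block BadRabbit distribution IP'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -RemoteAddress $ip -Profile Any | Out-Null
}

# 3) Flush the resolver cache so the new hosts entries take effect immediately.
Clear-DnsClientCache
```

A hosts-file entry only covers the exact names listed, so on a managed network the same list belongs on the DNS resolver or web proxy rather than on each workstation; and a single IP address is a weak indicator, since the infrastructure behind such campaigns is routinely moved, so treat the firewall rule as a short-term measure and keep the list in step with the vendors' published indicators.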

Conclusion

Every computer user should remember that cybersecurity comes first when working on the network. It is therefore always necessary to use only trusted information resources and to be careful with email and social media, since it is through these channels that malware is most often spread. Elementary rules of behaviour online will eliminate most of the problems that arise during a malware attack.

Yesterday, October 24, 2017, major Russian media and a number of Ukrainian government agencies were attacked by unknown intruders. Interfax, Fontanka, and at least one other unnamed online publication were among the victims. Following the media, problems were also reported by Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure. According to Group-IB analysts, the criminals also tried to attack banking infrastructure, but these attempts were unsuccessful. ESET specialists, in turn, say the attacks affected users in Bulgaria, Turkey and Japan.

As it turned out, the disruption at these companies and agencies was not caused by massive DDoS attacks but by ransomware that goes by the name Bad Rabbit (some experts prefer to write BadRabbit without a space).

Little was known yesterday about the malware and its mechanisms: it was reported that the ransomware demanded a ransom of 0.05 bitcoins, and Group-IB experts said the attack had been in preparation for several days. Two JS scripts were found on the attackers' site, and, judging by the server's information, one of them had been updated on October 19, 2017.

Now, although less than a day has passed since the attacks began, experts from almost all the leading information security companies have already analyzed the ransomware. So what is Bad Rabbit, and should we expect a new ransomware epidemic like WannaCry or NotPetya?

How did Bad Rabbit manage to disrupt major media if it was only a fake Flash update? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS, and also carried a list of the most common logins and passwords. It used all of this to spread via SMB and WebDAV to other servers and workstations on the same network as the infected device. At the same time, experts from the companies listed above and from Cisco Talos believe that the leaked intelligence-agency tool exploiting SMB flaws was not used in this case. Recall that WannaCry and NotPetya were distributed using precisely that exploit.

However, experts did find some similarities between Bad Rabbit and Petya (NotPetya). The ransomware does not just encrypt user files using the open-source DiskCryptor; it also modifies the MBR (Master Boot Record), after which it reboots the computer and displays the ransom message on the screen.

Although the message with the attackers' demands is almost identical to the one from the NotPetya operators, experts' opinions on the connection between Bad Rabbit and NotPetya differ slightly. Thus, Intezer analysts calculated that source malware

Greetings, dear visitors and guests of this blog! Today another ransomware strain has appeared in the world, named "Bad Rabbit". This is already the third headline-making ransomware of 2017. The previous ones were WannaCry and Petya (aka NotPetya).

Bad Rabbit - who has already suffered, and how much money does it demand?

So far, several Russian media outlets have reportedly suffered from this ransomware, among them Interfax and Fontanka. Odessa airport has also reported a hacker attack, possibly related to the same Bad Rabbit.

For decrypting files, the attackers demand 0.05 bitcoins, which at the current rate is approximately 283 dollars or 15,700 rubles.

Kaspersky Lab's research shows that no exploits are used in the attack. Bad Rabbit spreads through infected websites: users download a fake Adobe Flash installer, run it manually, and thereby infect their own computers.

According to Kaspersky Lab, its experts are investigating the attack, looking for ways to counter it, and exploring whether files affected by the ransomware can be decrypted.

Most of the victims of the attack are in Russia. Similar attacks are also known to be occurring in Ukraine, Turkey and Germany, but in much smaller numbers. The Bad Rabbit encryptor spreads through a number of infected Russian media sites.

Kaspersky Lab believes all signs point to this being a targeted attack on corporate networks. The methods used are similar to those observed in the ExPetr attack, but the connection with ExPetr cannot be confirmed.

It is already known that Kaspersky Lab products detect one of the malware's components via the Kaspersky Security Network cloud service as UDS:DangerousObject.Multi.Generic, and via System Watcher as PDM:Trojan.Win32.Generic.

How to protect yourself from the Bad Rabbit virus?

To avoid becoming a victim of the new "Bad Rabbit" epidemic, Kaspersky Lab recommends the following:

If you have Kaspersky Anti-Virus installed, then:

  • Check whether the Kaspersky Security Network and Activity Monitor (aka System Watcher) components are enabled in your security solution. If not, be sure to turn them on.

For those who do not have this product:

  • Block execution of the files c:\windows\infpub.dat and C:\Windows\cscc.dat. This can be done via .
  • Disable (if possible) the use of the WMI service.
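The "vaccine" recommended here, in the MIR 24 piece ("create C:\windows\infpub.dat and set it read-only") and in point 4 of the earlier protection list, can be applied with the PowerShell below. This is an added example, not code from the blog, from Kaspersky Lab or from any other vendor the page cites. It assumes an elevated session; the file names are the two the page gives, and the choice of an explicit Deny entry for Everyone (rather than only the read-only attribute) is this example's own, since the read-only attribute alone can be cleared by any process that can write to the folder.

```powershell
# Added example: pre-create the files Bad Rabbit drops so its dropper cannot write them,
# then strip all permissions so nothing can execute or replace them.
# Assumption: elevated PowerShell session; file names taken from the article.
$vaccine = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($path in $vaccine) {
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty placeholder file occupies the name the malware expects to create.
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Set the read-only attribute first; after the Deny ACE below, attribute changes would fail.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    # Stop inheriting permissions from C:\Windows and discard the inherited entries,
    # then add a single Deny of FullControl for Everyone (well-known SID S-1-1-0).
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify: each file should exist, be read-only, and carry the Deny entry.
foreach ($path in $vaccine) {
    $item = Get-Item -LiteralPath $path -Force
    $hasDeny = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' }
    '{0}: read-only={1} deny-everyone={2}' -f $path, $item.IsReadOnly, [bool]$hasDeny
}

# Optional and disruptive: the article says to disable WMI "if possible". Uncomment only after
# confirming nothing on the host depends on it (management agents, monitoring, many admin tools).
# Stop-Service -Name winmgmt -Force; Set-Service -Name winmgmt -StartupType Disabled
```

Because the Deny entry also blocks administrators, removing the vaccine later means first taking ownership of the file (for example with takeown and icacls) before deleting it; note this in the change record so the placeholder is not mistaken for an infection by a later triage.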

Another very important tip from me:

Always make backup copies of the files that are important to you, on removable media or cloud services! It will save your nerves, money and time!

I hope you never catch this infection on your PC. Wishing you a clean and safe Internet!
