The Bad Rabbit ransomware attacks users from Russia and Ukraine. Bad Rabbit: another ransomware virus

Hi all! Just the other day a large-scale attack began with a new ransomware virus, Bad Rabbit, also known as Diskcoder.D. At the moment the encryptor is attacking the corporate networks of large and medium-sized organizations and locking up entire networks. Today we will explain what this Trojan is and how you can protect yourself from it.

What kind of virus?

Bad Rabbit operates according to the standard ransomware scheme: once it enters the system, it encrypts files, and for their decryption the hackers demand 0.05 bitcoin, which at the current exchange rate is $283 (or 15,700 rubles). This is announced in a separate window, where you are expected to enter the purchased key. The threat is detected as the Trojan Trojan.Win32.Generic, but it also contains other components, such as DangerousObject.Multi.Generic and Ransom.Win32.Gen.ftl.

Bad Rabbit: the new ransomware virus

It is still difficult to trace all sources of infection completely, but experts are working on this now. Presumably the threat reaches the PC through infected sites on which a redirect is configured, or under the guise of fake updates for popular plugins such as Adobe Flash. The list of such sites keeps growing.

Is it possible to remove a virus and how to protect yourself?

It is worth saying right away that all anti-virus laboratories have now begun analyzing this Trojan. If you look specifically for information on removing the virus, there is none as such yet. Let's immediately discard the standard advice: make a backup of the system, create a restore point, delete such-and-such files. If you have no backups, none of the rest works; the hackers, given the design of the virus, have thought these details through.

I think that amateur-made decryptors for Bad Rabbit will soon be circulating; whether you use such programs or not is your own choice. As the earlier Petya ransomware showed, they help little.

But you can block the threat and remove it when it tries to get into your PC. The first to respond to reports of the epidemic were Kaspersky Lab and ESET, which are already blocking intrusion attempts. Google Chrome has also begun to detect infected resources and warn about their danger. Here is what you need to do first to protect yourself from Bad Rabbit:

  1. If you use Kaspersky, ESET, Dr.Web or another popular product for protection, update its databases. For Kaspersky you also need to enable "Activity Monitor" (System Watcher), and for ESET apply the signatures from update 16295.

  2. If you do not use an antivirus, block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy Editor or AppLocker in Windows.

  3. It is advisable to disable the Windows Management Instrumentation (WMI) service. In Windows 10 the service is listed as "Windows Management Instrumentation". Right-click it, open the service properties and set "Startup type" to "Disabled".

  4. Be sure to make a backup copy of your system. Ideally a copy should always be kept on separate, removable media.

Conclusion

In conclusion, the most important thing: you should not pay the ransom, no matter what was encrypted. Paying only encourages the scammers to launch new virus attacks. Follow the forums of the antivirus companies, which, I hope, will soon finish studying the Bad Rabbit virus and find an effective cure. Be sure to carry out the steps above to protect your OS. If you have any difficulty completing them, please write in the comments.

The Bad Rabbit ransomware virus, or Diskcoder.D, is attacking the corporate networks of large and medium-sized organizations and locking up entire networks.

Bad Rabbit ("bad rabbit" in the Russian press) can hardly be called a pioneer: it was preceded by the Petya and WannaCry ransomware.

Bad Rabbit - what kind of virus

Experts from the antivirus company ESET investigated the distribution scheme of the new virus and found that Bad Rabbit penetrated the victims' computers under the guise of Adobe Flash updates for the browser.

The antivirus company believes that the Win32/Diskcoder.D encryptor, dubbed Bad Rabbit, is a modified version of Win32/Diskcoder.C, better known as Petya/NotPetya, which hit the IT systems of organizations in several countries in June. The connection between Bad Rabbit and NotPetya is indicated by matches in the code.

The attack uses the Mimikatz program, which intercepts logins and passwords on the infected machine. The code also contains a hard-coded list of logins and passwords that is tried in attempts to gain administrative access.

The new malware fixes errors in file encryption: the code used in the virus is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as bootable system disk partitions. Decryption experts will therefore have to spend a lot of time uncovering the secrets of the Bad Rabbit virus, specialists say.

According to experts, the new virus operates according to the standard ransomware scheme: after entering the system it encrypts files, and for their decryption the hackers demand a ransom in bitcoins.

Unlocking one computer costs 0.05 bitcoin, which is about $283 at the current exchange rate. If the ransom is paid, the scammers promise to send a special key code that will restore normal operation of the system and prevent the loss of everything.

If the user does not transfer funds within 48 hours, the ransom amount will increase.

But it is worth remembering that paying a ransom may be a trap that does not guarantee the computer will be unlocked.

ESET notes that at the moment there is no connection between the malware and a remote server.

The virus affected Russian users most of all, and to a lesser extent companies in Germany, Turkey and Ukraine. It spread through infected media websites. The known infected sites have already been blocked.

ESET believes that attack statistics are largely consistent with the geographic distribution of sites containing malicious JavaScript.

How to protect yourself

Specialists from Group-IB, which is involved in the prevention and investigation of cybercrime, gave recommendations on how to protect yourself from the Bad Rabbit virus.

In particular, to protect against the malware you need to create the file C:\windows\infpub.dat on your computer and set read-only permissions on it in the administration section.

This blocks execution of the file, and documents arriving from outside will not be encrypted even if they are infected. It is also necessary to make a backup copy of all valuable data so that you do not lose it in the event of infection.

Group-IB specialists also advise blocking the IP addresses and domain names from which the malicious files were distributed, and blocking pop-up windows for users.

It is also recommended to quickly isolate computers flagged by the intrusion detection system. PC users should also make sure that backup copies of key network nodes are current and intact, and that operating systems and security software are updated.

"As for password policy: configure group policy settings to prevent passwords from being stored in cleartext in LSA dumps. Change all passwords to complex ones," the company added.

Predecessors

The WannaCry virus spread to at least 150 countries in May 2017. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars.

Over 200 thousand users were affected by it. According to one version, its creators took the US NSA's EternalBlue exploit as a basis.

The global attack of the Petya ransomware virus on June 27 hit the IT systems of companies in several countries around the world, mostly affecting Ukraine.

Computers of oil, energy, telecommunications, pharmaceutical companies, as well as government agencies were attacked. The Ukrainian cyber police stated that the ransomware attack occurred through the M.E.doc program.

The material was prepared based on open sources

Yesterday, October 24, 2017, large Russian media, as well as a number of Ukrainian government agencies, were attacked by unknown attackers. Among the victims were Interfax, Fontanka and at least one other unnamed online publication. Following the media, Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure also reported problems. According to a statement by Group-IB analysts, criminals also tried to attack banking infrastructure, but these attempts were unsuccessful. ESET specialists, in turn, claim that the attacks affected users from Bulgaria, Turkey and Japan.

As it turned out, disruptions in the work of companies and government agencies were caused not by massive DDoS attacks, but by a ransomware called Bad Rabbit (some experts prefer to write BadRabbit without a space).

Yesterday little was known about the malware and how it works: it was reported that the ransomware demanded a ransom of 0.05 bitcoin, and Group-IB experts also said that the attack had been in preparation for several days. For example, two JS scripts were discovered on the attackers' website, and, judging by information from the server, one of them was updated on October 19, 2017.

Now, although not even a day has passed since the start of the attacks, the analysis of the ransomware has already been carried out by specialists from almost all the leading information security companies in the world. So, what is Bad Rabbit, and should we expect a new “ransomware epidemic” like WannaCry or NotPetya?

How did Bad Rabbit manage to cause major media outages if it was all about fake Flash updates? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS, and it also carried a list of the most common logins and passwords. The malware used all of this to spread via SMB and WebDAV to other servers and workstations on the same network as the infected device. At the same time, experts from the companies listed above and Cisco Talos employees believe that in this case the exploit for SMB flaws stolen from the intelligence services was not used. Let me remind you that the WannaCry and NotPetya viruses were distributed using that very exploit.

However, experts did find some similarities between Bad Rabbit and Petya (NotPetya). The ransomware not only encrypts user files using the open-source DiskCryptor, but also modifies the MBR (Master Boot Record), after which it reboots the computer and displays a ransom message on the screen.

Although the message with the attackers' demands is almost identical to the message from the NotPetya operators, experts have slightly different opinions regarding the connection between Bad Rabbit and NotPetya. Thus, analysts at Intezer calculated that source malware

Third large-scale cyber attack in a year. This time, the virus has a new name, Bad Rabbit, and old habits: data encryption and extortion of money for unlocking. And Russia, Ukraine and some other CIS countries are still in the affected area.

Bad Rabbit follows the usual pattern: a phishing email arrives with a virus or link attached. In particular, the attackers may pose as Microsoft technical support and ask you to urgently open an attached file or follow a link. There is another distribution route: a fake Adobe Flash Player update window. In both cases Bad Rabbit acts in the same way as the sensational one not so long ago; it encrypts the victim's data and demands a ransom of 0.05 bitcoin, approximately $280 at the exchange rate as of October 25, 2017. The victims of the new epidemic were Interfax, the St. Petersburg publication Fontanka, the Kiev Metro, Odessa airport and the Ministry of Culture of Ukraine. There is evidence that the new virus tried to attack several well-known Russian banks, but this attempt failed. Experts link Bad Rabbit to the previous major attacks recorded this year. The evidence is the similar encryption software Diskcoder.D, which is the same Petya encryptor, only slightly modified.

How to protect yourself from Bad Rabbit?

Experts recommend that owners of Windows computers create a file named "infpub.dat" and place it in the Windows folder on drive "C", so that the path looks like this: C:\windows\infpub.dat. This can be done with ordinary Notepad, but with Administrator rights. To do this, find the Notepad shortcut, right-click it and select "Run as Administrator".

Then simply save this file to C:\windows\, that is, to the Windows folder on drive "C". The file name is infpub.dat, where "dat" is the file extension. Don't forget to replace Notepad's default "txt" extension with "dat". After saving the file, open the Windows folder, find the created infpub.dat file, right-click it and select "Properties", where at the very bottom you need to check the "Read-only" checkbox. This way, even if you catch the Bad Rabbit virus, it will not be able to encrypt your data.
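The manual Notepad procedure above and the earlier advice to block C:\Windows\infpub.dat and C:\Windows\cscc.dat can be scripted. The following is an added example, not code from the article or from any of the companies it quotes: it creates both files at the paths the article names, sets the read-only attribute, and additionally adds an explicit Deny ACE (an assumption beyond the article's read-only step, since a read-only attribute alone can be cleared by any process with write access), then verifies the result. Function names are this example's own.

```powershell
# Added example, not from the article: automates the "vaccine" steps described
# above. Creates C:\Windows\infpub.dat and C:\Windows\cscc.dat (paths named by
# the article), sets the read-only attribute and adds a Deny ACE for Everyone
# (well-known SID S-1-1-0) on write/execute/delete. Run from an elevated prompt.

$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
$Everyone     = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$DeniedRights = [System.Security.AccessControl.FileSystemRights]'Write, ExecuteFile, Delete'
$DenyType     = [System.Security.AccessControl.AccessControlType]::Deny

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $readOnly = (Get-Item -LiteralPath $Path).IsReadOnly
    # Resolve ACEs to SIDs so the check also works on localized Windows installs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $denied = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        (($_.FileSystemRights -band $DeniedRights) -eq $DeniedRights)
    }
    return ($readOnly -and ($null -ne $denied))
}

function Set-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # Already hardened: a second run would be blocked by our own Deny ACE anyway.
    if (Test-VaccineFile -Path $Path) { return }

    # Only create the file if it does not exist. An existing, non-empty
    # infpub.dat is a sign the host may already be compromised: examine, don't touch.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path | Out-Null
    } elseif ((Get-Item -LiteralPath $Path).Length -gt 0) {
        Write-Warning "$Path already exists and is not empty; leaving it untouched"
        return
    }

    # Read-only attribute first: setting it after the Deny ACE would be refused.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Explicit Deny ACE; Deny entries take precedence over inherited Allow entries.
    $acl  = Get-Acl -LiteralPath $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($Everyone, $DeniedRights, $DenyType)
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($file in $VaccineFiles) {
    Set-VaccineFile -Path $file
    $state = if (Test-VaccineFile -Path $file) { 'protected' } else { 'NOT protected' }
    Write-Output ("{0}: {1}" -f $file, $state)
}
```

This is a stopgap against this particular sample only; updated antivirus signatures and offline backups, as the article stresses, remain the primary protection.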

Preventive measures

Don't forget that you can protect yourself from any virus simply by following certain rules. It may sound trivial, but never open emails, much less their attachments, if the sender address seems suspicious to you. Phishing emails, that is, emails masquerading as other services, are the most common infection method. Be careful about what you open. If the attached file in an email is called "Important document.docx_______.exe", you should definitely not open it. In addition, keep backups of important files. For example, a family photo archive or working documents can be duplicated on an external drive or in cloud storage. Don't forget how important it is to use a licensed version of Windows and to install updates regularly. Microsoft releases security patches regularly, and those who install them do not have problems with viruses like this.

Bad Rabbit may be the harbinger of a third wave of ransomware viruses, Kaspersky Lab believes. The first two were the sensational WannaCry and Petya (aka NotPetya). Cybersecurity experts told MIR 24 about the emergence of the new network malware and how to protect against its powerful attack.

Most of the victims of the Bad Rabbit attack are in Russia. There are significantly fewer in Ukraine, Turkey and Germany, noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The countries next on the list are probably those whose users actively follow Russian Internet resources.

When the malware infects a computer, it encrypts the files on it. It is distributed via web traffic from hacked Internet resources, mainly the sites of federal Russian media, and it also hit computers and servers of the Kyiv metro, the Ukrainian Ministry of Infrastructure and Odessa International Airport. An unsuccessful attempt to attack Russian banks from the top 20 was also recorded.

The fact that Fontanka, Interfax and a number of other publications were attacked by Bad Rabbit was reported yesterday by Group-IB, a company that specializes in information security. Analysis of the virus code showed that Bad Rabbit is related to the NotPetya ransomware, which in June this year attacked energy, telecommunications and financial companies in Ukraine.

The attack was prepared over several days and, despite the scale of the infection, the ransomware demanded relatively small amounts from its victims: 0.05 bitcoin (about $283, or 15,700 rubles). 48 hours are allotted for payment. After this period expires, the amount increases.

Group-IB specialists believe that, most likely, the hackers have no intention of making money. Their likely goal is to check the level of protection of critical infrastructure networks of enterprises, government departments and private companies.

It's easy to become a victim of an attack

When a user visits an infected site, malicious code sends information about the visitor to a remote server. Next, a pop-up window appears asking you to download a Flash Player update, which is fake. If the user approves the "Install" operation, a file is downloaded to the computer, which in turn launches the Win32/Filecoder.D encryptor on the system. Access to documents is then blocked, and a ransom message appears on the screen.

The Bad Rabbit virus scans the network for open network resources, after which it launches a tool on the infected machine to collect credentials and this “behavior” differs from its predecessors.

Specialists from the international antivirus developer ESET NOD32 confirmed that Bad Rabbit is a new modification of the Petya virus, whose operating principle was the same: the virus encrypted information and demanded a ransom in bitcoins (the amount was comparable to Bad Rabbit's, $300). The new malware fixes errors in file encryption. The code used in the virus is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as bootable system disk partitions.

Speaking about the audience attacked by Bad Rabbit, Vitaly Zemskikh, Head of Sales Support at ESET Russia, stated that 65% of the attacks stopped by the company's antivirus products occurred in Russia. The rest of the new virus's geography looks like this:

Ukraine – 12.2%

Bulgaria – 10.2%

Türkiye – 6.4%

Japan – 3.8%

others – 2.4%

"The ransomware uses the well-known open-source software DiskCryptor to encrypt the victim's disks. The lock screen message that the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity we have seen so far between the two malware families. In all other respects BadRabbit is a completely new and unique type of ransomware," says Nikita Durov, technical director of Check Point Software Technologies.

How to protect yourself from Bad Rabbit?

Users of non-Windows operating systems can breathe a sigh of relief, since the new ransomware virus affects only computers running this OS.

To protect against the network malware, experts recommend creating the file C:\windows\infpub.dat on your computer and setting read-only permissions on it; this is easy to do in the administration section. This blocks execution of the file, and documents arriving from outside will not be encrypted even if they are infected. To avoid losing valuable data in the event of infection, make a backup copy now. And, of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.

Let us remind you that the WannaCry virus spread to at least 150 countries around the world in May of this year. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars. Over 200 thousand users were affected by it. According to one version, its creators took the US NSA's EternalBlue exploit as a basis.

Alla Smirnova spoke with experts
