THE COMPUTER HEALER L.L.C OKEMOS, LANSING,MICHIGAN

Bad Rabbit: Ten things you need to know about the latest ransomware outbreak. It's the third major outbreak of the year - here's what we know so far.

10/26/2017


A new ransomware campaign has hit a number of high-profile targets in Russia and Eastern Europe. Dubbed Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, and the way in which organisations appear to have been hit simultaneously immediately drew comparisons to this year's WannaCry and Petya epidemics. Following the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now that the initial panic has died down, however, it's possible to dig into what is actually going on.

1. The cyber-attack has hit organisations across Russia and Eastern Europe

Organisations across Russia and Ukraine, as well as a small number in Germany and Turkey, have fallen victim to the ransomware. Researchers at Avast say they've also detected the malware in Poland and South Korea. Russian cybersecurity company Group-IB confirmed at least three media organisations in the country have been hit by file-encrypting malware, while at the same time Russian news agency Interfax said its systems had been affected by a "hacker attack" and were seemingly knocked offline by the incident. Other organisations in the region, including Odessa International Airport and the Kiev Metro, also made statements about falling victim to a cyber-attack, while CERT-UA, the Computer Emergency Response Team of Ukraine, posted that the "possible start of a new wave of cyberattacks to Ukraine's information resources" had occurred, as reports of Bad Rabbit infections started to come in. At the time of writing, it's thought there are almost 200 infected targets, indicating that this isn't an attack on the scale of WannaCry or Petya, but it's still causing problems for infected organisations. "The total prevalence of known samples is quite low compared to the other 'common' strains," said Jakub Kroustek, malware analyst at Avast.

2. It's definitely ransomware

Those unfortunate enough to fall victim to the attack quickly realised what had happened, because the ransomware isn't subtle: it presents victims with a ransom note telling them their files are "no longer accessible" and "no one will be able to recover them without our decryption service".

Bad Rabbit ransom note. Image: ESET

Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they're told, and the payment for decrypting files is 0.05 bitcoin, around $285. Those who don't pay the ransom before the timer reaches zero are told the fee will go up and they'll have to pay more.

Bad Rabbit payment page. Image: Kaspersky Lab

The encryption uses DiskCryptor, legitimate open-source software used for full-disk encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA-2048 public key. Because only the attackers hold the matching private key, the per-victim key cannot be recovered from the infected machine alone.

3. It's based on Petya/NotPetya

If the ransom note looks familiar, that's because it's almost identical to the one victims of June's Petya outbreak saw. The similarities aren't just cosmetic either: Bad Rabbit shares behind-the-scenes elements with Petya too. Analysis by researchers at CrowdStrike has found that Bad Rabbit's and NotPetya's DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.

4. It spreads via a fake Flash update on compromised websites

The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used; rather, visitors to compromised websites, some of which have been compromised since June, are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install. Since no browser exploit is involved, the initial infection still depends on the user running the downloaded file.

A compromised website asking a user to install a fake Flash update which distributes Bad Rabbit. Image: ESET

Infected websites, mostly based in Russia, Bulgaria, and Turkey, are compromised by having JavaScript injected into their HTML body or into one of their .js files.

5. It can spread laterally across networks...

Much like Petya, Bad Rabbit comes with a potent trick up its sleeve in that it contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction, say researchers at Cisco Talos. What aids Bad Rabbit's ability to spread is a built-in list of simple username and password combinations which it tries in order to brute-force its way across networks. The list consists of the usual suspects for weak passwords, such as simple number sequences and 'password'. In practice this means a single infected host on a network where accounts share a weak password can reach every other host that accepts those credentials over SMB, with no further user action.
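The credential sweep described above leaves a recognisable trace in the Windows Security log: one source address failing network logons (event ID 4625, LogonType 3, which covers SMB) against many different account names within a short window. The following PowerShell is an added detection example, not code from the article or from any of the vendors quoted on the page. The sample events are constructed for offline use; Get-FailedLogonsFromSecurityLog shows how to pull the same fields from a live host. The thresholds (5 distinct accounts within 5 minutes from one source) and the account names in the sample are this example's assumptions, not Bad Rabbit's actual list.

```powershell
# Added example (not from the article): flag one source address trying many
# different accounts over network logons in a short window, which is what a
# credential-list sweep like the one described above looks like in the
# Security log. Thresholds and sample data are this example's assumptions.

function Get-FailedLogonsFromSecurityLog {
    # Reads real Windows Security events with ID 4625 (failed logon) and
    # flattens the EventData fields we need. Requires an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Source    = $data['IpAddress']
                User      = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
            }
        }
}

function Get-SampleFailedLogons {
    # Constructed sample: one host sweeping a short list of common account
    # names over SMB, plus an unrelated interactive user mistyping a password.
    $base = [datetime]'2017-10-24T13:00:00'
    $rows = @(
        @{ Offset = 0;  Source = '10.0.5.21';  User = 'Administrator'; LogonType = 3 }
        @{ Offset = 2;  Source = '10.0.5.21';  User = 'administrator'; LogonType = 3 }
        @{ Offset = 4;  Source = '10.0.5.21';  User = 'Guest';         LogonType = 3 }
        @{ Offset = 6;  Source = '10.0.5.21';  User = 'User';          LogonType = 3 }
        @{ Offset = 8;  Source = '10.0.5.21';  User = 'Admin';         LogonType = 3 }
        @{ Offset = 10; Source = '10.0.5.21';  User = 'root';          LogonType = 3 }
        @{ Offset = 30; Source = '10.0.7.102'; User = 'jsmith';        LogonType = 2 }
        @{ Offset = 45; Source = '10.0.7.102'; User = 'jsmith';        LogonType = 2 }
    )
    foreach ($r in $rows) {
        [pscustomobject]@{
            Time      = $base.AddSeconds($r.Offset)
            Source    = $r.Source
            User      = $r.User
            LogonType = $r.LogonType
        }
    }
}

function Find-CredentialSweep {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,
        [int] $MinDistinctUsers = 5
    )
    $Events | Where-Object { $_.LogonType -eq 3 } | Group-Object -Property Source | ForEach-Object {
        $source = $_.Name
        $sorted = @($_.Group | Sort-Object -Property Time)
        # Slide a window over this source's attempts and report the first window
        # that holds enough distinct target accounts. Windows account names are
        # case-insensitive, so 'Administrator' and 'administrator' count once.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $inWindow = @($sorted[$i..($sorted.Count - 1)] |
                Where-Object { ($_.Time - $start).TotalMinutes -le $WindowMinutes })
            $distinct = @($inWindow | ForEach-Object { $_.User.ToLowerInvariant() } | Sort-Object -Unique)
            if ($distinct.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    Source        = $source
                    Attempts      = $inWindow.Count
                    DistinctUsers = $distinct.Count
                    Accounts      = ($distinct -join ', ')
                    FirstSeen     = $start
                    LastSeen      = $inWindow[-1].Time
                }
                break
            }
        }
    }
}

# Offline run against the constructed sample; swap in Get-FailedLogonsFromSecurityLog
# to run the same logic against a live host.
Find-CredentialSweep -Events (Get-SampleFailedLogons) | Format-Table -AutoSize
```

On the sample data only 10.0.5.21 is reported: six attempts against five distinct accounts in ten seconds. The interactive logon type 2 failures from 10.0.7.102 are ignored, which keeps ordinary typos from tripping the rule. Tune WindowMinutes and MinDistinctUsers to the baseline of your own environment before relying on it.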

6. ... but it doesn't use EternalBlue

When Bad Rabbit first appeared, some suggested that, like WannaCry, it exploited EternalBlue to spread. However, this now doesn't appear to be the case. "We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection," Martin Lee, Technical Lead for Security Research at Talos, told ZDNet. The practical consequence is that patching MS17-010 alone does not stop Bad Rabbit: credential-based SMB propagation works against fully patched hosts as long as the credentials are accepted.

7. It may not be indiscriminate

At the same point following the WannaCry outbreak, hundreds of thousands of systems around the world had fallen victim to ransomware. However, Bad Rabbit doesn't appear to be indiscriminately infecting targets; rather, researchers have suggested that it only infects selected targets. "Our observations suggest that this has been a targeted attack against corporate networks," said Kaspersky Lab researchers. Meanwhile, researchers at ESET say instructions in the script injected into infected websites "can determine if the visitor is of interest and then add content to the page" if the target is deemed suitable for infection. However, at this stage, there's no obvious reason why media organisations and infrastructure in Russia and Ukraine have been specifically targeted in this attack.

8. It isn't clear who is behind it

At this time, it's still unknown who is distributing the ransomware or why, but the similarity to Petya has led some researchers to suggest that Bad Rabbit is by the same attack group, although that doesn't help identify the attacker or the motive either, because the perpetrator of June's epidemic has never been identified. What marks this attack out is that it has primarily infected Russia; Eastern European cybercriminal organisations tend to avoid attacking the 'motherland', which suggests this is unlikely to be a Russian group.

9. It contains Game of Thrones references

Whoever is behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in the television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers as geeks and nerds.

References to Game of Thrones dragons in the code. Image: Kaspersky Lab

10. You can protect yourself against becoming infected by it

At this stage, it's unknown whether it's possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom, although researchers say that those who fall victim shouldn't pay the fee, as it will only encourage the growth of ransomware. A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don't fall victim to the attack, Kaspersky Lab says users can block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat in order to prevent infection. Note that this is a stopgap tied to the file names seen in this campaign: it does not help a host that is already infected, and a later variant could use different names.
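One way to apply the Kaspersky advice above on a Windows host, as an added example that is not from the article or from Kaspersky: pre-create the two file paths and deny everyone access to them, so the dropper cannot write its payload there. The two paths come from the page; choosing a deny-everyone ACL as the blocking mechanism, and the icacls invocation used to set it, are this example's own choices. It must be run in an elevated PowerShell session.

```powershell
# Added example (not from the article): pre-create the two payload paths named
# on the page and deny everyone access to them. The paths are the ones quoted
# from Kaspersky; the deny-ACL approach is this example's own choice.
# Run in an elevated PowerShell session on the host you want to protect.

$PayloadPaths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Protect-PayloadPath {
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Strip inherited ACEs, then add an explicit Deny Full Control for Everyone.
    # The well-known SID S-1-1-0 is used instead of the localised group name.
    & icacls.exe $Path /inheritance:r | Out-Null
    & icacls.exe $Path /deny '*S-1-1-0:(F)' | Out-Null
}

function Test-PayloadPathProtected {
    # Returns $true only if the file exists and carries a Deny Full Control ACE
    # for Everyone. The owner keeps implicit READ_CONTROL, so Get-Acl still works.
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -LiteralPath $Path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$deny
}

foreach ($p in $PayloadPaths) {
    Protect-PayloadPath -Path $p
    '{0}: protected={1}' -f $p, (Test-PayloadPathProtected -Path $p)
}
```

Deploy it through your usual configuration-management channel rather than by hand on each machine, and pair it with the credential-hygiene and detection measures from points 5 and 6: the placeholder files only block the dropper writing to these two names, and an account with a weak password is still a valid path onto the host.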

1 Comment

Victoria Landry
7/14/2022 10:55:52 pm

Nice blog you have
