When news of the third major ransomware outbreak of the year broke, there was a lot of confusion. Now that the dust has settled, we can investigate what exactly “Bad Rabbit” is.
According to media reports, many computers have been encrypted with this cyberattack. Public sources have confirmed that the computer systems of the Kiev Metro together with the Odessa airport and numerous other organizations in Russia have been affected. The malware used for this cyberattack was “Disk Coder.D”, a new variant of ransomware popularly known as “Petya”. The previous Disk Coder cyberattack left damage on a global scale in June 2017.
ESET’s telemetry system has reported numerous occurrences of Disk Coder. D within Russia and Ukraine, however, there are detections of this cyberattack on computers from Turkey, Bulgaria, and some other countries as well.
ESET security researchers are currently working on a comprehensive analysis of this malware. According to its preliminary findings, Disk Coder. D uses the Mimikatz tool to extract the credentials of the affected systems. Their findings and analysis are ongoing, and we’ll keep you posted as soon as more details are revealed.
ESET’s telemetry system also reports that Ukraine accounts for only 12.2% of the total number of times they saw the Bad Rabbit infiltration. Below are the remaining statistics:
Consequently, Bad Rabbit compromised the country distribution. Interestingly, all of these countries were affected at the same time. It is very likely that the group already had its foot within the network of affected organizations.
It’s definitely ransomware
The unfortunate victims of the attack quickly realized what had happened because the ransomware is not subtle: it presents victims with a ransom note telling them that their files are “no longer accessible” and “no one will be able to recover them without us. decryption service “. Victims are directed to a Tor payment page and presented with a countdown timer. Pay within the first 40 hours or so, they are told, and the payment for decrypting files is 0.05 bitcoin, about $ 285. Those who do not pay the ransom before the timer reaches zero are told that the fee will increase and they will have to pay more. The encryption uses DiskCryptor, which is legitimate open source software used for full drive encryption. Keys are generated by CryptGenRandom and then protected by an encrypted RSA 2048 public key.
It is based on Petya / Not Petya
If the ransom note looks familiar, it’s because it’s nearly identical to the one that victims of the Petya outbreak saw in June. The similarities aren’t just cosmetic either: Bad Rabbit also shares behind-the-scenes elements with Petya.
Analysis by Crowdstrike researchers has found that Bad Rabbit and the NotPetya DLL (dynamic link library) share 67 percent of the same code, indicating that the two ransomware variants are closely related, potentially even the work of the same threat actor.
The attack has affected high-profile organizations in Russia and Eastern Europe.
Researchers have found a long list of countries that have fallen victim to the outbreak, including Russia, Ukraine, Germany, Turkey, Poland, and South Korea. Three media organizations in Russia, as well as the Russian news agency Interfax, have declared “hacker attacks” or file encryption malware, which the campaign has taken offline. Other high-profile organizations in the affected regions include Odessa International Airport and the Kiev Metro. This has led Ukraine’s Computer Emergency Response to publish that there had been “the possible start of a new wave of cyberattacks on Ukraine’s information resources.”
May have had selected goals
When WannaCry broke, systems around the world were hit by an apparent indiscriminate attack. Bad Rabbit, on the other hand, could have targeted corporate networks.
ESET researchers have backed this idea, stating that the script injected into infected websites can determine if the visitor is of interest and then add the content page, if the target is deemed suitable for infection.
It is spread through a fake Flash update on compromised websites.
It can be spread laterally through nets.
Like Petya, the Bad Rabbit Ransomware attack contains an SMB component that allows it to move laterally through an infected network and spread without user interaction.
The spread of Bad Rabbit is facilitated by simple username and password combinations that it can exploit to make its way across networks. This list of weak passwords is the easy-to-guess passwords you often see, such as 12345 combinations or having a password set as “password.”
Does not use EternalBlue
When Bad Rabbit first appeared, some suggested that, like WannaCry, it exploited the EternalBlue exploit to spread. However, this does not seem to be the case now. “We currently have no evidence that the EternalBlue exploit is being used to spread the infection,” Martin Lee, Head of Security Research Technician at Talos, told ZDNet.
Contains Game of Thrones references.
Whoever is behind Bad Rabbit appears to be a Game of Thrones fan – the code contains references to Viserion, Drogon, and Rhaegal, the dragons that appear in the television series and novels it is based on. Therefore, the authors of the code are not doing much to change the stereotypical image that hackers are geeks and nerds.
There are steps you can take to stay safe
At this time, no one knows if it is still possible to decrypt files that are locked by Bad Rabbit. Some might suggest paying the ransom and seeing what happens … Bad idea.
It is quite reasonable to think that paying almost $ 300 is worth paying for what could be very important and invaluable files, but paying the ransom almost never results in regaining access, nor does it aid in the fight against ransomware – an attacker will keep targeting as long as as they see the returns.
Several security vendors say their products protect against Bad Rabbit. But for those who want to be sure that they are not victims of the attack, Kaspersky Lab says that users can block the execution of the file ‘c: windows infpub.dat, C: Windows cscc.dat’. to prevent infection.