Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs

Ransomware breeds through Windows networks via SMB, fake Flash

Bad news from BadRabbit ... Screenshot of its ransom payment demand (Source: Group-IB)

Updated: Computers at Russian media outlets and Ukraine's transport hubs were among Windows PCs infected and shut down today by another fast-spreading strain of ransomware.

Corporate systems within Interfax and two other major Russian news publishers had their files encrypted and held to ransom by malware dubbed BadRabbit. In Ukraine, Odessa airport, the Kiev metro, and the Ministry of Infrastructure were also hit by the extortionware, which demands Bitcoins to restore scrambled documents.

BadRabbit may also have spread to Turkey, Bulgaria and beyond, and is a variant of Diskcoder, according to researchers at ESET. Antivirus maker Avast detected it in Poland and South Korea, too.

"Interfax Group's servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience," Interfax said in a statement.

The software nasty falsely posed as an Adobe Flash update to trick victims into installing it. The dodgy downloads were pushed to people visiting hacked media websites, according to Russian digital forensics biz Group-IB, which was first to spot the malware in the wild.

Once installed and running on a Windows PC, the evil code used the legit open-source Mimikatz tool to extract file server login credentials out of the computer's memory – as used by the NotPetya ransomware in June – and exploited those details, along with some hardcoded password guesses, to worm its way through SMB shares on victims' networks.

BadRabbit also, in some cases, caused network intrusion detection systems to trigger alerts of EternalBlue while the software nasty scanned for services to infect, suggesting it may have leveraged the leaked NSA hacking tool to commandeer machines, just like the WannaCry malware did in May. Cisco's Talos team, though, said it had seen no evidence of the US agency's cyber-weapon in use.

After ciphering a system's files, the malware altered the master boot record on the boot drive, rebooted the computer, and rather than start up the operating system, it displayed a red-on-black screen. This informed the user their files were encrypted, and that they needed to buy a password from a .onion website hidden in the Tor network using crypto-coins – and then type said password into the infected PC to unlock the documents and allow the machine to boot as usual.

The name BadRabbit came from the heading at the top of the .onion payment webpage.

Pwned ... How the ransom note appears on the .onion website (animated GIF; Source: Kaspersky Lab)

Group-IB noted that the miscreants behind the outbreak demanded 0.05 BTC ($286, £217) for the decryption password. This price would keep going up the longer a victim delayed paying the ransom.

BadRabbit used a legit program called DiskCryptor to cipher data on a victim's hard drive, according to UK security consultant Kevin Beaumont.

Analysis work is still ongoing. BadRabbit encrypted all kinds of files found on drives, from .7z archives to .java source code to .docx documents. There's a list of indicators here for you to check to ascertain whether or not you or your network has been infected – for example, network connections to caforssztxqzf2nm.onion, or downloads from...

hxxp://1dnscontrol.com/flash_install.php
hxxp://1dnscontrol.com/install_flash_player.exe

...are pretty big signs of infiltration.

It is believed at this stage BadRabbit wiped system logs and the filesystem journal, and connected to a command-and-control server after infection to coordinate its extortion.

It also dropped in a kernel-level key-logger to snoop on the victim's keypresses, it was claimed.

Chris Doman, a security researcher at AlienVault who is probing the malware, said: "This wouldn't be the first time that an airport in Ukraine suffered a destructive cyber-attack and we are currently investigating to determine the strength of the links to the NotPetya attacks.

"There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as widespread as WannaCry or NotPetya."

Various antivirus packages detect and stop BadRabbit, aka Diskcoder.D, before it can start up. Indeed, running the initial .exe may pop up a window asking you to disable any anti-malware software you have installed. According to Kaspersky Lab, if you prevent these files from executing...

C:\Windows\infpub.dat
C:\Windows\cscc.dat

...you should be able to disable BadRabbit from running. Also, not clicking on dodgy Adobe Flash updates as an administrator, or at all as any user, will help. Kaspersky has linked BadRabbit's developers to the miscreants behind the earlier NotPetya outbreak. ®
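As an added defender-side example (not code from the article or from any of the vendors it cites), the Python below scans log lines for the two kinds of indicator the article lists: the network indicators (the .onion domain and the two 1dnscontrol.com download URLs) and the two dropped files named by Kaspersky. The single-line log layout, the host names and the sample entries are constructed assumptions; a real proxy or EDR export would need its own parser for the value field.

```python
import re

# Indicators quoted in the article. The URLs are printed there defanged (hxxp://),
# so the scheme is stripped before comparison.
NETWORK_DOMAINS = {"caforssztxqzf2nm.onion"}
NETWORK_URLS = {
    "1dnscontrol.com/flash_install.php",
    "1dnscontrol.com/install_flash_player.exe",
}
# Files BadRabbit drops; blocking their execution disables it (per Kaspersky).
FILE_IOCS = {r"c:\windows\infpub.dat", r"c:\windows\cscc.dat"}

# Constructed sample in an assumed "<ts> <host> <kind> [<method>] <value>" layout.
SAMPLE_LOG = """\
2017-10-24T11:02:13Z ws-017 http GET hxxp://1dnscontrol.com/install_flash_player.exe
2017-10-24T11:02:40Z ws-017 file C:\\Windows\\infpub.dat
2017-10-24T11:03:01Z ws-017 dns caforssztxqzf2nm.onion
2017-10-24T11:05:55Z ws-042 http GET https://example.com/index.html
2017-10-24T11:06:10Z ws-042 file C:\\Windows\\System32\\notepad.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>http|dns|file) (?:GET |POST )?(?P<value>.+)$"
)

def normalise(kind, value):
    """Lower-case the value and drop any http/https/hxxp scheme prefix."""
    v = value.strip().lower()
    if kind == "http":
        v = re.sub(r"^hxxps?://|^https?://", "", v)
    return v

def scan(log_text):
    """Return (host, kind, value) for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected layout: skip rather than guess
        kind, value = m["kind"], normalise(m["kind"], m["value"])
        if kind == "file":
            hit = value in FILE_IOCS
        else:
            # Match on the bare host for the .onion, or on the full URL
            # (optionally with a query string) for the download locations.
            host = value.split("/", 1)[0]
            hit = host in NETWORK_DOMAINS or any(
                value == u or value.startswith(u + "?") for u in NETWORK_URLS)
        if hit:
            hits.append((m["host"], kind, value))
    return hits

def suspect_hosts(log_text):
    """Sorted, de-duplicated list of hosts that produced at least one hit."""
    return sorted({h for h, _, _ in scan(log_text)})
```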
