When the news of the third major ransomware outbreak of the year came, there was a lot of confusion. Now that the dust has settled, we can delve into what exactly “Bad Rabbit” is.
According to media reports, many computers have been encrypted with this cyberattack. Public sources have confirmed that the computer systems of the Kyiv metro along with Odessa Airport and numerous other organizations in Russia have been affected. The malicious software used for this cyberattack was “Disk Coder.D”, a new variant of ransomware that was popularly run under the name “Petya”. Disk Coder’s previous cyberattack caused worldwide damage in June 2017.
ESET’s telemetry system has reported numerous Disk Coder occurrences. In Russia and Ukraine, however, there are reports of this cyberattack on computers in Turkey, Bulgaria and some other countries as well.
ESET security researchers are currently working on a thorough analysis of this malware. According to its preliminary findings, Disk Coder. D uses the Mimikatz tool to extract credentials from affected systems. Your findings and analysis are ongoing, and we will keep you posted as soon as more details are revealed.
ESET’s telemetry system also reports that Ukraine accounts for only 12.2% of the total number of times they saw Bad Rabbit infiltration. The following statistics are shown below:
As a result, Bad Rabbit compromised the distribution of countries. Interestingly, all of these countries were affected at the same time. It is very likely that the group already had a foothold in the network of affected organizations.
It is definitely a ransomware
Those who were unlucky enough to be the victims of the attack quickly realized what had happened because the ransomware is not subtle: it presents the victims with a rescue note telling them that their files are “no longer accessible” and “no one will be able to retrieve them without our decryption service.” Victims go to a Tor payment page and are presented with a countdown timer. You pay for the first 40 hours or so, they say, and the payment for decrypting files is 0.05 bitcoins, about $ 285. Those who do not pay the ransom before the timer reaches zero are told that the rate will increase and they will have to pay more. Encryption uses DiskCryptor, which is legitimate open source and software used for full drive encryption. Keys are generated using CryptGenRandom and then protected with a hard-coded RSA 2048 public key.
It is based on Petya / Not Petya
If the rescue note sounds familiar, it’s because it’s almost identical to what the victims of the June Petya outbreak saw. The similarities are not only aesthetic: Bad Rabbit also shares elements behind the scenes with Petya.
Crowdstrike researchers’ analysis found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating that the two ransomware variants are closely related, possibly even the work of the threat actor himself.
The attack has affected high-profile organizations in Russia and Eastern Europe
Researchers have found a long list of countries that have fallen victim to the outbreak, such as Russia, Ukraine, Germany, Turkey, Poland and South Korea. Three Russian media organizations, as well as the Russian news agency Interfax, have claimed that malware to encrypt files or “hacker attacks” has been taken offline by the campaign. Other high-profile organizations in the affected regions include Odessa International Airport and the Kyiv subway. This has led Ukraine’s Computer Emergency Response to publish that there has been a “possible start of a new wave of cyber attacks on Ukraine’s intelligence resources.”
You may have selected goals
When WannaCry broke down, systems around the world were hit by an apparent indiscriminate attack. Bad Rabbit, on the other hand, could have targeted corporate networks.
ESET researchers have supported this idea, stating that the script injected into infected websites can determine if the visitor is of interest and then add the content page, if the target is considered suitable for infection.
It spreads through a fake Flash update on compromised websites
It can be spread laterally through the nets
Like Petya, the Bad Rabbit Ransomware attack contains an SMB component that allows it to move sideways through an infected network and spread without user interaction.
The spread of Bad Rabbit is made easy by simple combinations of username and password that you can use to force yourself through the networks. This list of weak passwords is the ones that are often seen as easy-to-guess passwords, such as 12345 combinations or having a password set as “password”.
Don’t use EternalBlue
When Bad Rabbit first appeared, some suggested that, like WannaCry, it took advantage of the exploitation of EternalBlue to spread. However, now it seems that this is not the case. “We currently have no evidence that EternalBlue is being used to spread the infection,” Martin Lee, Taos’ chief technical officer for security research, told ZDNet.
Contains Game of Thrones references
Whoever is behind Bad Rabbit seems to be a fan of Game of Thrones: the code contains references to Viserion, Drogon and Rhaegal, the dragons that appear in the TV series and the novels on which it is based. So the authors of the code are not doing much to change the stereotypical image of hackers as geeks and nerds.
There are steps you can take to stay safe
At this time, no one knows if it is still possible to decrypt files blocked by Bad Rabbit. Some might suggest paying the ransom and see what happens … Bad idea.
It is quite reasonable to think that paying almost $ 300 is worth paying for what can be very important and invaluable files, but paying the ransom almost never allows you to regain access, or help fight ransomware: an attacker will keep aiming while they are seeing returns.
Several security vendors say their products protect against Bad Rabbit. But for those who want to make sure they can’t be victims of the attack, Kaspersky Lab says that users can block the execution of the file ‘c: windows infpub.dat, C: Windows cscc.dat ‘. in order to prevent infection.