Curse of the Bad Rabbit – Ransomware

BadRabbit Ransomware

A new Ransomware threat has infected PC’s in Russia and multiple other countries stretching to the other side of the globe. Corporate systems at Interfax as well as two other Russian media companies seem to be first affected. But has been seen in Poland and South Korea.

In Ukraine, Odessa airport, the Kiev metro, and the Ministry of Infrastructure were also infected. It is the usual sign of a ransom for encrypted files.

The team at ESET. Antivirus have said this is a strain of the Diskcoder.

Screen shot of the BadRabbit ransomware (Source: Group-IB)

The software will pose as a false adobe flash update to seduce victims to installing the malware, the software would be installed by people visiting these websites according to IB-Group. There may be other websites that are infected.

https://twitter.com/GroupIB_GIB/status/922972032098291718

Once installed on a Windows PC, the malware will actually use a legit open-source tool: Mimikatz to seek out file server login details from the memory on the computer. The software will then spread via SMB shares on the same network.

There is some news to show that it has used a leaked CIA hacking tool as WannaCry did a few months back.

The Master Boot Record will be changed and this will display a start-up screen and not allow progress via this screen. The BadRabbit ransomware will also have a countdown till the price actually goes up. This will force companies and individuals to make a quick decision and possibly more likely to pay. Remember if you pay you are more likely to get attacked more often as the attackers know who pays.

The payment required is 0.05BTC which is just a little over £200.

Signs of infiltration

If you’ve had network connections to caforssztxqzf2nm.onion, or downloads from the following sites:

hxxp://1dnscontrol.com/flash_install.php

hxxp://1dnscontrol.com/install_flash_player.exe

are obvious signs of infiltration.

But the software might pop-up with a sign asking you to disable or stop current AV or malware protection. Some AV packages have spotted it already.

According to Kaspersky Lab, if you prevent these files from executing you should be able to disable BadRabbit from starting to run.

C:\Windows\infpub.dat

C:\Windows\cscc.dat

But you should check the Flash update you’re installing is legit even if you have Flash enabled.

Backing up and having a system image backed up regularly is one way to have a small amount of post-malware protection. But anti-malware software is one of the best remedies to protect yourselves. But checking updates are legit is the best way and not clicking on dodgy links!

Leave a Reply

Your email address will not be published. Required fields are marked *