BadRabbit ransomware attacks multiple media outlets
25 October 2017
On Tuesday (24/10/2017), Russian media outlet Interfax said in a statement its servers were offline due to a virus attack. The news agency shifted reporting efforts to Facebook while it worked to recover.
A short time later, Russian security firm Group-IB posted a screenshot of the ransomware in action, calling it BadRabbit. Group-IB said at least three Russian media outlets were attacked, but only Interfax had been confirmed. Group-IB would not name any of the other victims.
According to the landing page for victims of BadRabbit, the decryption cost (ransom demand) is about $283 (€241) based on the current Bitcoin exchange rate.
What is known
It is more than likely self-propagating, spreading via fake Flash updates. ESET says the false updates are being served through watering hole attacks on popular domains.
BadRabbit is a previously unknown family of ransomware, but it does share some code with Petya, so it is a variant of that ransomware family. Analysis shows that BadRabbit shares 13% of its code with Petya, but the key encryption functions are being handled by a legitimate encryption tool (DiskCryptor).
Based on the figures presented by ESET, initially, 65% of the victims were in Russia, followed by Ukraine (12.2%), Bulgaria (10.2%), Turkey (6.4%), and Japan (3.8%).
“It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had a foot inside their network and launched the watering hole attack at the same time as a decoy. Nothing says they fell for the ‘Flash update’. ESET is still investigating and we will post our findings as we discover them,” an ESET update explains.
Kaspersky says there were about “200 targets” so far, but don’t read into the usage of the word ‘target’ as there’s nothing to suggest that the victims were directly targeted. Likewise, there is nothing to suggest the attacks today were state-sponsored.
Detection and prevention tips
Kaspersky suggests preventing the following files from executing:
Another step is to disable the WMI service (if possible), which will limit the spread of the malware. Kevin Beaumont, who has been previously mentioned in this article, also suggested blocking inbound SMB, using Credential Guard in Windows, monitoring scheduled task and service creation, and controlling the number of admins on a given network.
On Pastebin, Christiaan Beek, lead scientist and principal engineer at McAfee, uploaded a Yara rule for those who need it.
Royce Williams has created a living document with links and information as it emerges and is confirmed.
Microsoft has posted guidance for administrators as well, including a note to watch for Event IDs 1102 and 106 in the Windows event log, which indicate that the audit log has been cleared and that scheduled tasks related to BadRabbit (with names taken from Game of Thrones) have been created.
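To show how the two event IDs above can be turned into a triage check, here is an added example (not from the article or from Microsoft's guidance) that scans constructed, simplified event records for Event ID 1102 (audit log cleared) and Event ID 106 (scheduled task registered) and escalates any host that shows both. The JSON field names and the task names are assumptions; no real BadRabbit task names are used.

```python
import json
from collections import defaultdict

# Constructed sample events in a simplified one-JSON-object-per-line form, roughly
# what exported Windows events look like after collection. Field names are assumed;
# the channels are the ones these IDs are normally logged to.
SAMPLE_EVENTS = """\
{"host": "ws01", "event_id": 4624, "channel": "Security", "time": "2017-10-24T10:01:00Z", "data": {}}
{"host": "ws01", "event_id": 106, "channel": "Microsoft-Windows-TaskScheduler/Operational", "time": "2017-10-24T10:02:00Z", "data": {"TaskName": "placeholder_task_name", "UserContext": "WS01/Administrator"}}
{"host": "ws01", "event_id": 1102, "channel": "Security", "time": "2017-10-24T10:03:00Z", "data": {"SubjectUserName": "Administrator"}}
{"host": "ws02", "event_id": 106, "channel": "Microsoft-Windows-TaskScheduler/Operational", "time": "2017-10-24T09:00:00Z", "data": {"TaskName": "Microsoft/Windows/Defrag/ScheduledDefrag", "UserContext": "SYSTEM"}}
"""

# The two signals the article says Microsoft told administrators to watch for.
SUSPICIOUS_IDS = {1102: "audit log cleared", 106: "scheduled task registered"}


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_signals(events):
    """Group matching events per host as (time, event_id, description, detail)."""
    hits = defaultdict(list)
    for ev in events:
        eid = ev.get("event_id")
        if eid not in SUSPICIOUS_IDS:
            continue
        data = ev.get("data", {})
        # For a task registration report the task name; for a cleared log, who cleared it.
        detail = data.get("TaskName") or data.get("SubjectUserName", "")
        hits[ev["host"]].append((ev["time"], eid, SUSPICIOUS_IDS[eid], detail))
    return dict(hits)


def hosts_with_both(hits):
    """Hosts showing a new scheduled task AND a cleared audit log: escalate first."""
    return sorted(h for h, rows in hits.items() if {r[1] for r in rows} >= {106, 1102})


if __name__ == "__main__":
    hits = find_signals(parse_events(SAMPLE_EVENTS))
    for host, rows in sorted(hits.items()):
        for t, eid, desc, detail in sorted(rows):
            print(f"{host} {t} EID {eid} ({desc}) {detail}")
    print("escalate:", hosts_with_both(hits))
```

Single Event ID 106 hits (ws02 here) are common and should be reviewed against the task name, while a host that clears its audit log right after registering a task warrants immediate attention.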
Fake Flash update
According to an ESET researcher, BadRabbit is spreading via fake Flash updates and incorporates Mimikatz, an open source post-exploitation tool that helps attackers get a better foothold on a computer or network. In addition, the post linked it to the Petya family of ransomware.
The ESET researchers have said that in addition to the media outlets that were impacted, BadRabbit has also targeted several transportation and governmental organisations in Ukraine.
As previously reported by CERT-UA, Kyiv Metro and Odessa airport were infected. In addition, the Ukrainian ministries of infrastructure and finance were also targeted. Public sources have also said a number of organisations in Russia have been affected.
ESET also reaffirmed that BadRabbit is a variant of Petya. Mimikatz is used to extract credentials from affected systems. On Twitter, Dave Maasland, managing director of ESET Nederland, said the malware is using the Eternal Blue exploit to spread. However, the Eternal Blue detections might have been false positives.
According to their telemetry data, there have been hundreds of hits on the malware in Ukraine and Russia, as well as Turkey, Bulgaria, and other countries.
File types targeted
A McAfee researcher has released a list of file-types being targeted by BadRabbit, which include all the usual suspects, including Office formats and archive formats. The complete list was published by Christiaan Beek.
An analysis of the flash_install.php observed in attacks (an executable that carries a PHP filename when uploaded) has also been posted. In addition, it has been confirmed that the ransomware uses a legitimate tool (DiskCryptor) to encrypt the victim’s hard drive. (Credit: @IstaPee)
When it comes to credentials, BadRabbit is using a list of common hard-coded credentials including: Admin, Guest, User, boss, root, support, rdpadmin, work, backup, nas, nasuser, nasadmin, netguest, etc. (Credit: Maarten van Dantzig)
A full video of a BadRabbit attack has also been made available on ANY.RUN, which provides live malware analysis. (Hat Tip: Kevin Beaumont a.k.a. @GossiTheDog)
Kaspersky Lab is reporting many of the same infection locations as ESET, but Germany has also been added to the list.
US-CERT has issued an advisory on BadRabbit, reminding administrators to review Threat Advisories TA17-132A and TA17-181A. While it should go without saying, US-CERT has urged victims not to pay any ransom. The problem is that some will pay because they lack proper backups, or worse, their backups were not properly managed and were encrypted too.
ESET and Kaspersky continue to update the public on the status of BadRabbit, and other experts have been digging into the technical details, sharing mitigation and investigation strategies. Outside of Twitter, experts have also been posting technical details on the malware to public collection points, such as Alien Vault’s Threat Exchange.
On a somewhat related note, some administrators have expressed a desire to go after those responsible for ransomware infections like BadRabbit. It is an expected response, especially given all the ‘hack back’ talk that’s in the news.
The problem is that, with ransomware, the source of the infection is hard to track given all the layers that exist in the marketplace responsible for ransomware. But if you are interested in recent developments on the topic of hacking back, CSO’s Fahmida Rashid recently posted a story on legal hack back options using deception technologies.
Security vendor Avast has stated on Twitter that BadRabbit infections have spread to the US, however, the company could not provide any additional details or information, likely due to the time zone difference. When asked, McAfee’s Christiaan Beek, said his company has not seen any US infections, adding “let’s keep it that way.”
Also, some news outlets and security vendors have referenced the previously mentioned US-CERT advisory as supporting evidence that BadRabbit has infected systems in the US. This is not the case. All the advisory does is announce that BadRabbit is real, and encourage administrators to read the previously released threat advisories related to Petya and WannaCry.
McAfee and Cisco’s Talos have published blogs on BadRabbit. While they do not contain brand new information, they are interesting technical dives into the malware itself and worth a read if you’re following developments from all sides. Amit Serper, a security researcher at Cybereason, has released a blog post detailing what is being called a vaccine for BadRabbit.
Researchers at Kaspersky have offered some new information. On Twitter, Costin Raiu said that the actors behind BadRabbit have been setting up their infection network since at least July 2017, listing a number of domains. Anton Ivanov, a malware analyst at Kaspersky, tweeted images showing that BadRabbit is not a wiper, with actual decryption taking place.
Group-IB, the Russian security firm that first alerted the world to the existence of BadRabbit, has also released new information this evening. In a blog post, Group-IB released the Bitcoin wallet addresses of the actors responsible for Tuesday’s attacks. At the time this update was written, there were no transactions on either wallet.
Other details include the fact that at least one of the landing websites used by BadRabbit to collect ransom payments was updated as recently as 19 October. Based on additional examination, Group-IB found the same set of domains Salted Hash did, and speculated that the actors responsible for Tuesday’s mayhem used bulletproof hosting.
Finally, Group-IB has suggested a link between the BadRabbit and the Black Energy campaigns.
IDG News Service