- October 26, 2017
- Posted by: Marina
- Categories: Cybersecurity, Malware
“On Tuesday morning, Oct. 24, 2017, organizations in Russia and Ukraine reported being hit with a ransomware outbreak that paralyzed their operations. Sporadic cases were also recorded in Turkey, Germany, Bulgaria and Japan, according to reports from different sources.
The malware, self-titled Bad Rabbit, is a ransomware code designed to encrypt and lock files on endpoints, then demand payment for their release. Bad Rabbit is also the name of a Dark Web site where victims are led to pay to have their files unlocked.
At the time of this writing, Bad Rabbit is understood to have mostly hit organizations in Russia. More specifically, it is breaking out on media outlets in the country. In statements delivered by some of the affected entities, it was reported that servers were down due to the ongoing attack.
In Ukraine, the attack hit critical infrastructure organizations in the transport sector. One of the victims is the Odessa airport, which is located in the third-largest city in the country, causing flight delays due to manual processing of passenger data. Ukraine also saw its subway system affected, causing payment delays on customer service terminals, although trains continued to run normally.
Bad Rabbit is the third disruptive ransomware outbreak this year, following the WannaCry and NotPetya worms that affected numerous organizations in the second quarter of 2017. That being said, Bad Rabbit’s propagation technique is not based on the same exploits, which may make it easier to contain overall.
The Propagation of Bad Rabbit
Based on currently available information, unlike most financially motivated ransomware, Bad Rabbit does not spread via email. According to IBM X-Force, which analyzes billions of spam and malspam messages, Bad Rabbit was not sent in an email campaign. Some voices in the security community reckon that the outbreak is a targeted attack that may have been months in the making, but that’s yet to be confirmed.
To reach user endpoints, Bad Rabbit’s operators compromised news and media sites to have visitors redirected to malicious landing pages they control. On those pages, users were advised to install an Adobe Flash update, at which point a malicious download took place, delivering the malware dropper in what’s called a drive-by attack — not requesting any action to drop a file into the endpoint.
Those who went ahead and executed the file unknowingly unleashed the malware on their endpoints and saw their files encrypted. The malware operators’ note demands 0.05 BTC in ransom to unlock the files.
According to information from the security community, websites used to propagate the malware were hosted on the same servers that were used for distributing the NotPetya malware in June 2017. That network of predetermined websites was apparently being set up over time since July 2017.
A noteworthy mention by one security vendor reported that all companies were infected around the same time. That vendor speculated that attackers might already be in some of the victims’ systems. In that case, would the attackers not be able to launch the malware directly?
This question raises another option: Is it possible that at least one targeted email was sent to each victim with a lure to get them to one of the infected media sites in a watering hole-style attack? Once there was one infected user, the malware could have propagated onward from patient zero.
Moving Through Networks
Bad Rabbit spreads across networks using some tools to help it get to additional endpoints. According to IBM X-Force, the malware uses a Windows SMB feature, but it is unrelated to the method previously used by the EternalBlue exploit. Our researchers are also seeing the malware issue HTTP OPTIONS requests on port 80 for /admin$, suggesting the use of WebDAV as part of the scheme.
Moreover, Bad Rabbit appears to leverage the Mimikatz tool — which was built as a testing tool and not for malicious purposes, but is often used by attackers nonetheless — to retrieve the passwords of other users on the network. The malware also had some basic hardcoded passwords. Oddly enough, those were supposedly the most popular passwords used, according to the 1995 movie “Hackers.”
Payment Demand
Bad Rabbit demands 0.05 BTC in ransom to release the lock placed on encrypted files. At the time of this writing, 1 BTC goes for approximately $5,450, meaning that the initial ransom demand would be roughly $273. The ransom note appears on the infected endpoint’s screen, directing the user to access a dedicated web service.
Once on the attacker’s website, which is hosted on the Tor network to keep the communication anonymized, the victim is warned that he or she only has about 41 hours to pay. The victim is then shown a countdown clock that awaits a “password” — the decryption key to unlock his or her files. At the time of this notice, it has not been confirmed that the attackers can indeed decrypt the files.”
For full article please see SecurityIntelligence
Featured image from original article.
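The quoted article notes that infected hosts issue HTTP OPTIONS requests on port 80 for /admin$. The following is an added detection sketch, not code from the original article or from IBM X-Force: it scans HTTP request records for that pattern and reports internal sources that probed several hosts. The log format, the sample records, the function names and the `min_targets` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample records (not real telemetry), in an assumed format:
# timestamp src_ip dst_ip dst_port method uri status
SAMPLE_LOG = """\
2017-10-24T09:01:12Z 10.0.5.23 10.0.5.40 80 OPTIONS /admin$ 404
2017-10-24T09:01:12Z 10.0.5.23 10.0.5.41 80 OPTIONS /admin$ 404
2017-10-24T09:01:13Z 10.0.5.23 10.0.5.42 80 OPTIONS /ADMIN%24/ 405
2017-10-24T09:01:13Z 10.0.5.23 10.0.5.40 80 PROPFIND /admin$ 404
2017-10-24T09:02:40Z 10.0.7.9 10.0.5.40 80 GET /admin/login 200
2017-10-24T09:03:02Z 10.0.7.9 10.0.5.40 80 OPTIONS / 200
2017-10-24T09:03:30Z 10.0.8.77 10.0.5.50 8080 OPTIONS /admin$ 404
malformed line without enough fields
"""

def is_admin_share_probe(method, uri, port):
    """True for an HTTP OPTIONS request on port 80 whose path is /admin$."""
    # Drop any query string, decode %24 -> $, ignore case and trailing slash.
    path = unquote(uri.split("?", 1)[0]).rstrip("/").lower()
    return method.upper() == "OPTIONS" and port == 80 and path == "/admin$"

def find_probing_hosts(log_text, min_targets=2):
    """Map each source IP to the sorted targets it probed, keeping only
    sources that probed at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[3].isdigit():
            continue  # skip records that do not match the assumed format
        _ts, src, dst, port, method, uri, _status = fields
        if is_admin_share_probe(method, uri, int(port)):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, dsts in find_probing_hosts(SAMPLE_LOG).items():
        print(f"{src} sent OPTIONS /admin$ to {len(dsts)} hosts: {', '.join(dsts)}")
```

A single source reaching many internal hosts with this request in a short window is the signal worth triaging; one isolated hit is more likely a scanner or misconfigured client.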