BadRabbit Ransomware Attacks Hitting Russia, Ukraine

A ransomware attack has put a halt to business inside a handful of Russian media outlets and a number of major organizations in the Ukraine, including Kiev’s public transportation system and the country’s Odessa airport.

The attacks are known as Bad Rabbit and harken back to the ExPetr/NotPetya attacks of this summer which also concentrated in Ukraine and Russia, but instead spread wiper malware used in the Petya attacks of 2016.

Today’s outbreak is spreading via drive-by download attacks from legitimate news sites, according to researchers at Kaspersky Lab who published an analysis on Securelist. Russia’s Interfax is one such agency reporting its services are down because of the attack. Host sites are infected with a dropper in the guise of a phony Adobe Flash Player installer. Kaspersky Lab said it has observed victims in Turkey and Germany as well, counting almost 200 targets.

There are no exploits involved in this attack, Kaspersky Lab said, and victims must manually launch the downloaded file named install_flash_player.exe. The executable requires elevated privileges to run, and uses a Windows UAC prompt to obtain them, again with the victim’s permission. If the executable runs as expected, it grabs a file-encrypting malware called infpub.dat, Kaspersky Lab said, adding that the file may be capable of brute-forcing NTLM login credentials for Windows machines with pseudorandom IP addresses.

“This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack,” Kaspersky Lab said in a statement. “However, we cannot confirm it is related to ExPetr. We continue our investigation.”

ExPetr emerged in late June and was quickly scrutinized as more dangerous than WannaCry, which spread globally just a month earlier. Like WannaCry, the attackers behind ExPetr used the leaked NSA exploit EternalBlue to spread the malware. In the early hours of the attack, Danish shipping giants Maersk and Russian oil company Rosneft were reporting infections and impacts to their respective businesses. It was eventually determined that ExPetr was not a ransomware attack, but a wiper.

The infpub.dat file prominent in today’s attack will also install another malicious executable called dispci.exe. It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal. There’s also a reference to a Game of Thrones character GrayWorm in the code.

“The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor,” Kaspersky Lab said. “It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.”

DiskCryptor is a freely available open source full disk encryption system for Windows, and can be used to encrypt a hard drive or partitions.

Victims are presented with a ransom demand of 0.05 Bitcoin, a timer counting down toward an hour when the price goes up.

Researchers at ESET, meanwhile, have said that the disk encryption executable can be spread via SMB. The Mimikatz pen-testing tool is also aunched on the compromised machine and steals credentials in addition to a list of hardcoded usernames and passwords.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!