
Other sources did not include the U.S. yet, but that is just a matter of time. The outbreak started Tuesday and froze computer systems in several European countries. The Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections.

Russia’s Interfax news agency reported on Twitter that the outbreak shut down some of its servers, forcing Interfax to rely on its Facebook account to deliver news.

Bad Rabbit Starts With Social Engineering

The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim; you have just 40 hours to pay.


This is NotPetya v2.0, much improved over the earlier version, and looks like it's the North Koreans again, who caused major disruptions to global corporations in June this year. Professionals at Malwarebytes blogged: "The code has many overlapping elements to the code of Petya/NotPetya, which suggests that the authors behind the attack are the same. Again, they tried to compose their malicious bundle out of stolen elements, however, the stolen Petya kernel has been substituted with a more advanced disk crypter in the form of a legitimate driver."


Encrypted data is recoverable after buying the key

"It looks like the authors tried to improve upon previous mistakes and wrap up unfinished business. So far, it seems that in the current release, encrypted data is recoverable after buying the key, which means the BadRabbit attack is not as destructive as the previous one." They fixed a lot of bugs in the file encryption process.

Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer's memory and, along with a list of hard-coded credentials, tries to access servers and workstations on the same network via SMB and WebDAV.

Mimikatz is a well-known tool that extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and can also perform pass-the-hash and pass-the-ticket or build Golden Tickets (see its GitHub repository). Contrary to some public claims, Bad Rabbit does not use the EternalBlue vulnerability as the NotPetya outbreak did. It does scan the internal network for open SMB shares, though.

The hard-coded credentials are embedded in the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a worst-passwords list. (Note to self: all user passwords need to be strong; step all employees through a strong-password training module ASAP.)

You need to buy two separate decryption keys

Bad Rabbit itself is a so-called disk coder, similar to Petya and NotPetya. It first encrypts files on the user's computer and then replaces the MBR (Master Boot Record). This means you need to buy two keys, one for the bootloader and one for the files themselves. This basically bricks the machine. More technical background is available at BleepingComputer.

How to inoculate a machine if your endpoint software does not block Bad Rabbit

  • Block execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat.
  • Disable the WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.
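One way to apply both steps on a Windows host, as an added PowerShell example that is not from the original post: it pre-creates the two files named above and denies all access to them, and optionally (the -DisableWmi switch) stops and disables the WMI service. The placeholder-file plus deny-ACL approach, the switch and the Test-Inoculation helper are this script's own assumptions, not something the post specifies.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumptions: the two file paths come from the post; the placeholder-file plus
# deny-ACL approach, the -DisableWmi switch and Test-Inoculation are this script's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Opt-in only: many management and monitoring agents depend on WMI.
    [switch]$DisableWmi
)

$targets = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Pre-create an empty placeholder so the dropper finds the name already taken.
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($path, "Set read-only and deny all access")) {
        # Mark read-only first; once the deny ACE is in place even administrators
        # are blocked until they take ownership.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        $acl = Get-Acl -LiteralPath $path
        # Drop inherited ACEs so nothing else grants write or execute access.
        $acl.SetAccessRuleProtection($true, $false)
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "Everyone", "FullControl", "Deny")
        $acl.AddAccessRule($deny)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

if ($DisableWmi -and $PSCmdlet.ShouldProcess("Winmgmt", "Stop and disable the WMI service")) {
    # -Force also stops the services that depend on Winmgmt.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
}

function Test-Inoculation {
    # Returns $true only if every target file exists and carries the Everyone deny ACE.
    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        $hasDeny = (Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.FileSystemRights -eq 'FullControl'
        }
        if (-not $hasDeny) { return $false }
    }
    return $true
}

Test-Inoculation
```

Run it with -WhatIf first to preview the changes; the final Test-Inoculation call prints True once both files are locked down.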

Here are detailed instructions if you are in a hurry.
