The Bad Rabbit ransomware attack that hit Russia and Ukraine on Tuesday has been linked to Petya and is considered a new variant of it. It bears similarities to the WannaCry and Petya outbreaks earlier this year.
The list of organizations reportedly hit by the Bad Rabbit ransomware includes Russian media outlets Interfax and Fontanka, the airport in Odessa, the Kiev subway, the State Aviation Service of Ukraine and the Transport Ministry of Ukraine.
Infected computers display a screen stating that their files have been encrypted and instructing the user to visit a site on the Tor anonymity network, at a .onion address. The Tor site tells victims to pay 0.05 bitcoin, worth roughly $283 at the time, to obtain the key needed to recover the encrypted files. If the ransom is not paid within two days, the price goes up.
Distribution of Bad Rabbit Ransomware:
The malware is still being analyzed, but initial analysis indicates that it spreads through fake Flash Player updates. The malicious file has been delivered from compromised websites in Denmark, Ireland, Bulgaria, Turkey and Russia.
Researchers pointed out that the victim has to manually launch the fake Flash installer in order to be infected. The file needs administrator privileges, so Windows displays a User Account Control (UAC) prompt that the victim must accept. Once executed, the dropper copies the main module (infpub.dat) to the Windows folder and executes it through rundll32.exe, a legitimate Windows component used to run code in DLL files.
The creator of Bad Rabbit appears to be a Game of Thrones fan: the scheduled tasks it creates are given the names of dragons from the TV show. These tasks are used to execute other malware components and to reboot the system. The ransom note is shown both in text files dropped onto the system and on a bootlocker screen displayed at startup.
Bad Rabbit encryption:
Once it infects the system, it encrypts over 100 file types, including archives, backups, databases, images, documents, source code and virtual disk images. Rather than changing the file extension, it appends the marker string "encrypted" to the end of each encrypted file. It also clears the Windows event logs and deletes the NTFS USN change journal, which makes forensic analysis and file recovery harder.
The attackers use AES-128-CBC to encrypt file contents and an RSA-2048 public key to protect the AES key material, so the key needed for decryption cannot be recovered from the infected machine alone. It is still unclear whether files can be recovered without paying the ransom. However, researchers have confirmed that data encrypted by Bad Rabbit is recoverable with the right key.
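To make concrete what the AES-128-CBC plus RSA-2048 combination means for recovery, here is an added PowerShell illustration of the hybrid scheme, written for this article; it is not Bad Rabbit's code and not from the researchers cited. Each buffer is encrypted with a fresh AES-128-CBC key, and only that key is encrypted with the RSA-2048 public key, so without the private key the AES key, and therefore the data, stays locked. The function names, the OAEP padding choice and the sample data are assumptions made for the example; Bad Rabbit's exact key handling is not described on this page.

```powershell
# Added example (not Bad Rabbit's code): hybrid AES-128-CBC + RSA-2048 encryption
# in the shape the article describes. Key pair generated here for the demo; in a
# real attack only the public half would be embedded in the malware.
$rsa        = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$publicKey  = $rsa.ExportParameters($false)   # what the malware would embed
$privateKey = $rsa.ExportParameters($true)    # what only the attacker holds

function Protect-Buffer {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [Parameter(Mandatory)][System.Security.Cryptography.RSAParameters]$PublicKey
    )
    # Fresh AES-128 key and IV per buffer (per file in the ransomware case).
    $aes         = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey()
    $aes.GenerateIV()
    $encryptor  = $aes.CreateEncryptor()
    $ciphertext = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Wrap the AES key with the RSA public key (OAEP padding is an assumption here).
    # This blob can be stored next to the ciphertext: it is useless without the
    # matching private key, which never touches the victim machine.
    $wrapper = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $wrapper.ImportParameters($PublicKey)
    $wrappedKey = $wrapper.Encrypt($aes.Key, $true)

    [pscustomobject]@{
        Ciphertext = $ciphertext
        IV         = $aes.IV
        WrappedKey = $wrappedKey
    }
}

function Unprotect-Buffer {
    param(
        [Parameter(Mandatory)]$Bundle,
        [Parameter(Mandatory)][System.Security.Cryptography.RSAParameters]$PrivateKey
    )
    # Only the private-key holder can unwrap the per-buffer AES key ...
    $unwrapper = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $unwrapper.ImportParameters($PrivateKey)
    $aesKey = $unwrapper.Decrypt($Bundle.WrappedKey, $true)

    # ... and with it the data decrypts normally, which is why "recoverable with
    # the right key" is true even though the victim cannot compute that key.
    $aes         = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $decryptor   = $aes.CreateDecryptor($aesKey, $Bundle.IV)
    # Leading comma keeps the byte[] from being unrolled into the pipeline.
    ,$decryptor.TransformFinalBlock($Bundle.Ciphertext, 0, $Bundle.Ciphertext.Length)
}

# Constructed sample input for the demo.
$sample   = [System.Text.Encoding]::UTF8.GetBytes('constructed sample document contents')
$bundle   = Protect-Buffer -Plaintext $sample -PublicKey $publicKey
$restored = Unprotect-Buffer -Bundle $bundle -PrivateKey $privateKey
[System.Text.Encoding]::UTF8.GetString($restored)
```

Trying `Unprotect-Buffer` with a key pair that does not match `$publicKey` fails at the RSA `Decrypt` call, which is the practical meaning of the "right key": the per-victim private key, not anything present on the encrypted host.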
Security researcher Amit Serper has come up with an early "vaccine" against the malware, which should prevent systems from becoming infected. Step-by-step instructions with screenshots are available on Cybereason's website as well. Below are the steps:
- First, create these two files in c:\windows: cscc.dat and infpub.dat.
- You can do that quickly by starting cmd.exe as an administrator and typing the following command:
echo "" > c:\windows\cscc.dat&&echo "" > c:\windows\infpub.dat
- Next, remove all their permissions by right clicking each file and selecting properties:
- Then select the security tab:
- Now click advanced
- Click change permissions
- Then, uncheck the "Include inheritable permissions from this object's parent" box. A window will pop up; click "Remove".
- Remember to perform this action for both of the files you created.
This technique has been confirmed as working by other security researchers. Separately, Kaspersky suggests disabling the WMI service, where possible, to prevent Bad Rabbit from spreading across a network. Note that disabling WMI also breaks legitimate tooling that depends on it (remote management, monitoring agents and many administrative scripts), so treat it as an emergency measure rather than a permanent setting. To do this, use the following steps:
- Press the Windows key and R simultaneously, type services.msc and press Enter.
- Locate the Windows Management Instrumentation entry, right click it and select Properties.
- Click the Stop button to stop the service, and from the Startup type drop-down menu select Disabled before clicking OK.
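Both procedures above (the Cybereason file vaccine and the Kaspersky WMI suggestion) can be applied and, more importantly, verified from an elevated PowerShell session instead of the GUI. The script below is an added example written for this article; it is not Cybereason's or Kaspersky's own script. It assumes the file names and location the vaccine instructions give (C:\Windows\infpub.dat and C:\Windows\cscc.dat), the WMI service name winmgmt, and PowerShell 5 or later (for the StartType property on Get-Service output). Because the final step of the vaccine leaves the files with an empty DACL, the verification step reads the ACL as the owning administrator, which is the same account that created the files.

```powershell
# Added example (not the researchers' code): apply and verify the Bad Rabbit
# vaccine files and, optionally, the WMI shutdown. Run from an elevated prompt.
#Requires -RunAsAdministrator
param(
    # Only disable WMI when you have decided the management impact is acceptable.
    [switch]$DisableWmi
)

# Paths from the vaccine instructions above.
$VaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Install-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # Create the placeholder only if the name is free. If a real infpub.dat is
    # already present, the host is likely infected and needs incident response.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    # Same effect as unchecking "Include inheritable permissions" and answering
    # "Remove": protect the DACL and drop the inherited entries immediately.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that remain. Copy to an array first, because
    # RemoveAccessRule changes the collection while it is being enumerated.
    foreach ($rule in @($acl.Access)) {
        $null = $acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # A correct vaccine file exists, does not inherit permissions and has an
    # empty DACL, so the dropper's attempt to write it fails with access denied.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    return ($acl.AreAccessRulesProtected -and $acl.Access.Count -eq 0)
}

function Disable-WmiService {
    # Kaspersky's suggestion: stop the WMI service and keep it from starting.
    # -Force also stops services that depend on winmgmt.
    Stop-Service -Name winmgmt -Force -ErrorAction Stop
    Set-Service -Name winmgmt -StartupType Disabled
}

function Test-WmiDisabled {
    $svc = Get-Service -Name winmgmt
    return ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
}

foreach ($file in $VaccineFiles) {
    Install-VaccineFile -Path $file
    if (Test-VaccineFile -Path $file) {
        Write-Host "Vaccine in place: $file"
    } else {
        Write-Warning "Vaccine NOT applied correctly: $file"
    }
}

if ($DisableWmi) {
    Disable-WmiService
    if (Test-WmiDisabled) {
        Write-Host 'WMI service stopped and disabled'
    } else {
        Write-Warning 'WMI service is still running or still set to start'
    }
}
```

Save it as a .ps1 file and run it as `.\BadRabbit-Mitigate.ps1` for the vaccine alone, or `.\BadRabbit-Mitigate.ps1 -DisableWmi` to also apply the WMI step. The Test-* functions are the part worth keeping: a vaccine file that still inherits permissions, or that was created but never had its ACL stripped, looks identical in Explorer but does not stop the dropper.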