How to set up smartphones and PCs. Informational portal

What is the Bad Rabbit virus and how to protect yourself from it. Bad Rabbit: a new wave of attacks using a ransomware virus

The BadRabbit virus is a new file-encrypting threat that has wreaked havoc in Eastern Europe. It behaves much like the infamous WannaCry and Petya/NotPetya ransomware that broke out a few months earlier. On closer inspection, although there are similarities and IT professionals suspect the same developer may be behind it, the source code differs considerably.

At the moment the number of victims is said to have exceeded 200. Russia and Ukraine have been hit hardest: the main targets were Odessa International Airport in Ukraine and several media companies in Russia, including Interfax and Fontanka.ru. The attack also spread to neighbouring countries such as Turkey and Bulgaria.

Drive-by attack via fake Flash Player updates

Adobe Flash Player has once again proved useful to malware authors. The main malicious component is disguised as a fake Flash update and is downloaded as install_flash_player.exe from compromised websites; BadRabbit may also appear under other file names.

As VirusTotal analysis shows, the threat may also hide inside a supposed "uninstaller". Fortunately, the infection is already detected by most security products. Inside a network the malware also abuses SMB (Windows file sharing) to reach other hosts, which explains how it is able to infiltrate servers.

Once Bad Rabbit has taken hold, it drops the file C:\Windows\infpub.dat, which in turn creates C:\Windows\cscc.dat and C:\Windows\dispci.exe. These components are responsible for modifying the Master Boot Record (MBR). The malware also contains references to Game of Thrones: the scheduled tasks it creates are named after the dragons in the series, as the following command lines show:

  • C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  • cmd.exe /c schtasks /Delete /F /TN rhaegal
  • cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR
  • cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR:00
  • C:\Windows\AF93.tmp
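As an added example (not code from the original article or from any vendor it cites), the following PowerShell script checks a single Windows host for the artifacts listed above: the three dropped files under C:\Windows and the scheduled tasks named rhaegal and drogon. The file and task names come from the text; the seven-day window for stray .tmp files and the exit code are the editor's choices. Run it from an elevated prompt on Windows 8 / Server 2012 or later (it needs the ScheduledTasks module).

```powershell
# Added example, not from the original article: triage a Windows host for the
# Bad Rabbit artifacts named in the text. Run from an elevated PowerShell prompt.

$artifactFiles = @(                   # dropped components (names from the article)
    'C:\Windows\infpub.dat',
    'C:\Windows\cscc.dat',
    'C:\Windows\dispci.exe'
)
$taskNames     = @('rhaegal', 'drogon')  # scheduled-task names (from the article)
$tmpWindowDays = 7                       # assumed: how far back to look for stray .tmp files

$findings = @()

foreach ($path in $artifactFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        # A pre-created "vaccine" file with all permissions stripped cannot be read,
        # so report that instead of failing.
        $hash = try   { (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash }
                catch { 'unreadable (no permissions: possibly the vaccine file)' }
        $findings += [pscustomobject]@{
            Type   = 'File'
            Name   = $path
            Detail = "size=$($item.Length) sha256=$hash"
        }
    }
}

foreach ($name in $taskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Name   = $name
            Detail = "state=$($task.State) action=$actions"
        }
    }
}

# The command list above shows the dropper writing C:\Windows\AF93.tmp; any recent
# .tmp file directly under C:\Windows deserves a look.
$recentTmp = Get-ChildItem -Path 'C:\Windows' -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$tmpWindowDays) }
foreach ($tmp in $recentTmp) {
    $findings += [pscustomobject]@{
        Type   = 'TempFile'
        Name   = $tmp.FullName
        Detail = "created=$($tmp.CreationTime) size=$($tmp.Length)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bad Rabbit artifacts found.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1   # non-zero so a remote job or scheduler can flag the host
```

A zero-byte infpub.dat or cscc.dat that the script reports as unreadable is most likely the preventive "vaccine" file that the advice further down this page describes, not an infection; the real infpub.dat is a DLL, so the size and hash let you tell the two apart. The non-zero exit code makes the script usable as the payload of a remote-execution or scheduling job across a fleet.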

It also uses the open-source disk-encryption tool DiskCryptor, and then applies standard AES and RSA-2048 encryption to a list of file types. Like Petya.A, it does not append an extension to encrypted files; instead it tampers with the Master Boot Record (MBR).

It then reboots the system and displays a ransom note in the same style as NotPetya, directing victims to its own payment site. The note briefly describes the malware and demands a ransom of 0.05 BTC. Once it has infiltrated a system, the malware uses a Mimikatz-based component to harvest credentials from memory and then tries to reach other devices visible on the same network.

The BadRabbit virus continues the Petya atrocity.

Method 1 (Safe Mode):

  1. Restart the computer and select "Safe Mode with Networking" (on newer versions of Windows, "Enable Safe Mode with Networking").
  2. Alternatively, select "Safe Mode with Command Prompt" ("Enable Safe Mode with Command Prompt").

Method 2 (System Restore):

  1. At the command prompt, type "cd restore" without quotes and press "Enter".
  2. Type "rstrui.exe" without quotes and press "Enter".
  3. In the "System Restore" window that appears, click "Next".
  4. Select your restore point and click "Next".
  5. Click "Yes" to start system recovery.

An up-to-date anti-malware scanner will help you identify the infection and can perform the BadRabbit removal. Below you will find instructions on how to restore access to your computer; after that you will be able to remove the Bad Rabbit virus.

Eliminating the Crypto Threat BadRabbit

Given how it works, it is no surprise that the malware is called the next Petya. If you have been hit, follow the instructions below. Because the ransomware modifies the MBR, you will not be able to boot into Safe Mode right away; first follow the MBR repair instructions. Note that repairing the MBR only restores the normal boot path: if the DiskCryptor stage has already finished encrypting the system partition, the boot repair alone will not bring the system back, and you will have to rebuild the machine and restore data from backups.

After that, restart the computer in Safe Mode, re-enable your security software and remove the BadRabbit virus. Once the scan finishes, boot normally and repeat the scan; this confirms that the Bad Rabbit removal is complete. Note that removing the malware does not recover encrypted files: restore them from backups. Some suggestions follow.

On Windows 7:

  1. Insert the Windows 7 DVD.
  2. Boot from the DVD.
  3. Select your language and keyboard settings and click Next.
  4. Select your operating system, check Use recovery tools and click Next.
  5. Wait for the System Recovery Options screen and select Command Prompt.
  6. Type the following commands, pressing Enter after each one: bootrec /rebuildbcd, bootrec /fixmbr and bootrec /fixboot.
  7. Remove the installation DVD and restart your PC.

On Windows 8/10 systems:

  1. Insert the installation DVD or recovery USB drive and boot from it.
  2. Choose Repair your computer.
  3. Select Troubleshoot, then Advanced options, then Command Prompt.
  4. Enter the following commands one at a time, pressing Enter after each: bootrec /FixMbr, bootrec /Fixboot, bootrec /ScanOs and bootrec /RebuildBcd.
  5. Remove the DVD or recovery USB drive.
  6. Type exit and press Enter.
  7. Restart your PC.

The ransomware known as Bad Rabbit has attacked tens of thousands of computers in Ukraine, Turkey and Germany, but most of the attacks were against Russia. What kind of virus it is and how to protect your computer, we explain in our "Question and Answer" section.

Who suffered in Russia from Bad Rabbit?

The Bad Rabbit ransomware began to spread on October 24. Among its victims are the Interfax news agency and the Fontanka.ru publication.

The Kyiv metro and Odessa airport also suffered from the hackers' actions. Later it became known that an attempt had been made to break into the systems of several of Russia's top-20 banks.

By all indications this is a targeted attack on corporate networks, since it uses methods similar to those observed during the ExPetr attack.

The new virus makes the same demand of everyone: a ransom of 0.05 bitcoin, roughly 16 thousand rubles. It also warns that the time to pay is limited: a little more than 40 hours in total, after which the ransom increases.

What is this virus and how does it work?

Have you already figured out who is behind its distribution?

It has not yet been possible to find out who is behind the attack. So far, investigators have only traced the distribution back to a domain name.

Specialists of antivirus companies note the similarity of the new virus with the Petya virus.

But unlike the earlier viruses of this year, this time the hackers chose a simpler route, 1tv.ru reports.

“Apparently, the criminals expected that in most companies users would update their computers after these two attacks, and decided to try a fairly cheap tool, social engineering, in order to infect users relatively quietly at first,” said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

How to protect your computer from a virus?

Be sure to back up your system. If you use Kaspersky, ESET, Dr.Web or another popular product for protection, update its databases promptly. Kaspersky users should also enable "Activity Monitoring" (System Watcher), and ESET users should apply signature update 16295, talkdevice reports.

If you do not have an antivirus product, block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This can be done through the Group Policy Editor (Software Restriction Policies) or AppLocker.

Disable the Windows Management Instrumentation (WMI) service: in the Services console, right-click the service, open Properties and set "Startup type" to "Disabled". Bear in mind that many management and monitoring tools depend on WMI, so on managed corporate hosts this measure will have side effects.

On Tuesday the new Bad Rabbit encryption virus attacked the websites of several Russian media outlets. In particular, the information systems of the Interfax agency and the server of the St. Petersburg news portal Fontanka were hit. In the afternoon Bad Rabbit began to spread in Ukraine, hitting the computer networks of the Kyiv Metro, the Ministry of Infrastructure and Odessa International Airport. Similar attacks have been observed in Turkey and Germany, though in far smaller numbers. TASS explains what kind of virus it is, how to protect yourself from it and who might be behind it.

Bad Rabbit is a ransomware virus

The malware encrypts the files on an infected computer. To regain access, the victim is directed to make a payment on a site on the dark web (the Tor browser is required). To unlock each computer the hackers demand 0.05 bitcoin, approximately 16 thousand rubles or $280. 48 hours are allowed for payment; after that the amount increases.

According to the Group-IB computer forensics laboratory, the ransomware tried to attack not only Russian media but also Russian top-20 banks, without success.

According to ESET's virus lab, the attack used the Diskcoder.D malware, a new modification of the encryptor known as Petya; the previous version of Diskcoder appeared in June 2017. Group-IB believes that Bad Rabbit could have been written by the author of NotPetya (an updated version of the Petya of 2016) or by a follower.

"Malware distribution was carried out from the resource 1dnscontrol.com. It has the IP address 5.61.37.209, and the following resources are associated with this domain name and IP address: webcheck01.net, webdefense1.net, secure-check.host, firewebmail.com, secureinbox.email, secure-dns1.net," Group-IB told TASS. The company noted that many resources were registered to the owners of these sites, for example so-called pharmaceutical affiliates, sites that sell counterfeit medicines through spam. "It is possible that they were used to send spam and phishing," the company added.

Bad Rabbit was distributed under the guise of an update to the Adobe Flash plugin

Users themselves approved the installation of this update and thereby infected their computers. "There were no vulnerabilities at all; users launched the file themselves," said Sergey Nikitin, deputy head of the Group-IB computer forensics laboratory. Once inside the local network, Bad Rabbit steals logins and passwords from memory and can install itself on other computers on its own.

The virus is easy enough to avoid

To protect themselves from Bad Rabbit, companies only need to block the listed domains for users of the corporate network. Home users should update Windows and their antivirus product so that the file is detected as malicious.

Users of the antivirus built into Windows, Windows Defender Antivirus, are already protected from Bad Rabbit. "We continue to investigate, and if necessary we will take additional measures to protect our users," Kristina Davydova, spokeswoman for Microsoft in Russia, told TASS.

Kaspersky Lab has also published recommendations on how to avoid becoming a victim of the new epidemic. The antivirus vendor advised everyone to make backups. In addition, the company recommended blocking execution of the files c:\windows\infpub.dat and C:\Windows\cscc.dat and, if possible, prohibiting use of the WMI service.

The Ministry of Telecom and Mass Communications believes that the attack on the Russian media was not targeted

"With all due respect to the big media, this is not a critical infrastructure object," said Nikolai Nikiforov, head of the Ministry of Communications and Mass Media, adding that the hackers were unlikely to have pursued any specific goal. In his opinion, such attacks are associated in particular with violations of security measures when connecting to the "open Internet". "Most likely, this information system (Interfax - TASS note) is not certified," the minister suggested.

The main wave of the spread of the virus has already ended

“Now we can talk about the end of the active spread of the virus; the third epidemic is almost over. Even the domain through which Bad Rabbit spread is no longer responding,” Group-IB said. According to Sergei Nikitin, isolated infections are still possible, in particular in corporate networks where logins and passwords have already been stolen and the virus can install itself without user intervention. Nevertheless, the main wave of the third encryption-virus epidemic of 2017 can be considered over.

Recall that in May computers around the world were attacked by a ransomware virus that blocked the information on infected computers, with the attackers demanding $600 in bitcoins to unlock the data. In June another virus, called Petya, attacked oil, telecommunications and financial companies in Russia, Ukraine and some EU countries. It worked on the same principle: it encrypted information and demanded a ransom of $300 in bitcoins.

Greetings, dear visitors and guests of this blog! Today another ransomware virus has appeared in the world, called Bad Rabbit. This is already the third high-profile ransomware of 2017; the previous ones were WannaCry and Petya (aka NotPetya).

Bad Rabbit - Who has already suffered and how much money does it require?

So far several Russian media outlets are reported to have suffered from this ransomware, among them Interfax and Fontanka. Odessa airport has also reported a hacker attack, possibly related to the same Bad Rabbit.

For decrypting files the attackers demand 0.05 bitcoin, which at the current rate is roughly $283 or 15,700 rubles.

Kaspersky Lab's research shows that no exploits are used in the attack. Bad Rabbit spreads through compromised websites: users download a fake Adobe Flash installer, run it manually and thereby infect their computers.

Kaspersky Lab says its experts are investigating the attack, looking for ways to counter it and for a possibility of decrypting the affected files.

Most of the victims are in Russia. Similar attacks are known in Ukraine, Turkey and Germany, but in much smaller numbers. The Bad Rabbit encryptor spreads through a number of compromised Russian media websites.

Kaspersky Lab believes all signs point to a targeted attack on corporate networks. The methods used resemble those observed in the ExPetr attack, but the company cannot confirm a connection with ExPetr.

It is already known that Kaspersky Lab products detect one of the malware components using the Kaspersky Security Network cloud service as UDS:DangerousObject.Multi.Generic, as well as using System Watcher as PDM:Trojan.Win32.Generic.

How to protect yourself from the Bad Rabbit virus?

To avoid becoming a victim of the new "Bad Rabbit" epidemic, Kaspersky Lab recommends the following:

If you have Kaspersky Anti-Virus installed:

  • Check that the Kaspersky Security Network and Activity Monitor (aka System Watcher) components are enabled in your security solution. If not, be sure to turn them on.

If you do not have this product:

  • Block execution of the files c:\windows\infpub.dat and C:\Windows\cscc.dat (for example, through Group Policy or AppLocker).
  • Disable (if possible) use of the WMI service.

One more very important tip from me:

Always back up the files that matter to you, to removable media and to cloud services! It will save your nerves, money and time!

I wish you not to catch this infection on your PC. Clean and safe Internet for you!

The Bad Rabbit encryption virus, or Diskcoder.D, attacks the corporate networks of large and medium-sized organisations, paralysing entire networks.

Bad Rabbit can hardly be called a pioneer: it was preceded by the Petya and WannaCry encryption viruses.

Bad Rabbit - what kind of virus

Experts from the antivirus company ESET investigated the distribution scheme of the new virus and found that Bad Rabbit got onto victims' computers under the guise of an Adobe Flash update for the browser.

The company believes that the Win32/Diskcoder.D encryptor, dubbed Bad Rabbit, is a modified version of Win32/Diskcoder.C, better known as Petya/NotPetya, which hit the IT systems of organisations in several countries in June. The link between Bad Rabbit and NotPetya is indicated by overlaps in the code.

The attack uses the Mimikatz tool, which extracts logins and passwords from the memory of the infected machine. The code also carries a hardcoded list of logins and passwords that it tries in order to obtain administrative access on other hosts.
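Trying a hardcoded credential list against neighbouring hosts leaves a distinctive trace on the targets: a burst of failed network logons from one source, under several different user names. As an added example (not from the original article or from ESET), the PowerShell script below pulls those failures from the local Security log (event ID 4625, logon type 3) and groups them by source address. The event ID and field names are standard Windows auditing; the two-hour window and the threshold of ten failures are assumed values to tune for your environment. Run it elevated on a server or workstation that may have been probed.

```powershell
# Added example, not from the original article: look for credential spraying in
# the local Security log. Event 4625 = "An account failed to log on";
# LogonType 3 = network logon (SMB, WMI, etc.). Run elevated.

$Hours     = 2     # assumed lookback window
$Threshold = 10    # assumed: failures from one source before we flag it

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue   # no matching events -> $null, not an exception

# Flatten each event's EventData into a small record.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '3') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            User        = $d['TargetUserName']
        }
    }
}

# Ignore entries with no usable source address, then group by source.
$suspects = $rows |
    Where-Object { $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending

if (-not $suspects) {
    Write-Output "No source exceeded $Threshold failed network logons in the last $Hours h."
    return
}

foreach ($s in $suspects) {
    $users = ($s.Group.User | Sort-Object -Unique) -join ', '
    $first = ($s.Group.Time | Measure-Object -Minimum).Minimum
    $last  = ($s.Group.Time | Measure-Object -Maximum).Maximum
    Write-Output ("{0}: {1} failed network logons between {2:HH:mm:ss} and {3:HH:mm:ss}, accounts tried: {4}" -f `
        $s.Name, $s.Count, $first, $last, $users)
}
```

A single source trying many distinct account names within minutes is the signature worth alerting on; one account failing repeatedly from one workstation is more often a stale saved password. Failure auditing must be enabled (Audit Logon, Failure) for event 4625 to exist at all, and on a domain you will see the same pattern more completely on the domain controllers.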

The new malware fixes the file-encryption bugs of its predecessor: its code is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as the bootable system partition. As a result, experts say, researchers will need much more time to find a way to decrypt Bad Rabbit's files.

According to experts, the new virus follows the standard ransomware scheme: once it gets into the system it encrypts files, and the hackers demand a ransom in bitcoin for decrypting them.

Unlocking one computer costs 0.05 bitcoin, about $283 at the current rate. If the ransom is paid, the attackers promise to send a key that will restore the system to normal operation.

If the user does not transfer funds within 48 hours, the ransom amount will increase.

But remember that paying the ransom can be a trap and does not guarantee that the computer will be unlocked.

ESET notes that at present the malware has no connection to its remote server.

The virus hit Russian users the most, and companies in Germany, Turkey and Ukraine to a lesser extent. It spread through compromised media websites; the known infected sites have already been blocked.

ESET believes the attack statistics largely match the geographic distribution of the sites that hosted the malicious JavaScript.

How to protect yourself

Group-IB, which specialises in preventing and investigating cybercrime, has issued recommendations on protecting against the Bad Rabbit virus.

In particular, to protect against the network pest, create the file C:\windows\infpub.dat on your computer and set its permissions to read-only in the file's security settings.

This blocks the malware from writing and running its main component, so the files on the machine will not be encrypted even if the fake installer is run. You should also back up all valuable data so that you do not lose it in case of infection.

Group-IB experts also advise blocking the IP addresses and domain names from which the malicious files were distributed, and blocking pop-up windows for users.

They also recommend quickly isolating computers flagged by the intrusion detection system. Users should also check that backups of key network nodes are current and intact, and update operating systems and security software.

"Regarding password policy: through group policy settings, prohibit the storage of passwords in the LSA dump in clear text. Change all passwords to complex ones," the company added.

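The preventive measures repeated across this page (pre-creating infpub.dat and cscc.dat so the dropper cannot write them, blocking the distribution IP and domain, keeping clear-text passwords out of LSA memory, and optionally disabling WMI) can be applied to one host with the PowerShell script below. It is an added example written for this page, not a script from Kaspersky Lab, Group-IB or any other vendor named here. The file paths, the IP address 5.61.37.209 and the domain 1dnscontrol.com come from the text; the firewall rule name is arbitrary, and the script uses a file-permission block rather than the Group Policy or AppLocker rule the vendors mention. Run it from an elevated prompt on Windows 8.1 / Server 2012 R2 or later (the WDigest setting also works on older systems with KB2871997 installed).

```powershell
# Added example, not from the original article or any vendor: apply the
# single-host Bad Rabbit mitigations recommended on this page. Run elevated.

$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')  # paths from the article
$blockedIPs   = @('5.61.37.209')                                    # IP from the article
$blockedHosts = @('1dnscontrol.com')                                # domain from the article
$ruleName     = 'Block Bad Rabbit distribution (out)'              # arbitrary rule name

# 1. "Vaccine": pre-create the payload file names and strip every permission,
#    so the dropper can neither overwrite nor execute its components.
foreach ($path in $vaccineFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # Remove inherited ACEs and leave none: even SYSTEM cannot write or run the
    # file until an administrator takes ownership and grants rights again.
    & icacls.exe $path /inheritance:r | Out-Null
}

# 2. Block the distribution infrastructure at the host firewall (idempotent).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -RemoteAddress $blockedIPs -Action Block -Profile Any | Out-Null
}

# Sinkhole the domain in the hosts file. Blocking at the corporate resolver or
# proxy is the better control; this is the per-host fallback.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($h in $blockedHosts) {
    $pattern = '\s' + [regex]::Escape($h) + '\s*$'
    if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsPath -Value "0.0.0.0 $h"
    }
}

# 3. Stop WDigest from keeping clear-text passwords in LSASS memory, which is
#    what the Mimikatz component harvests. Credentials already cached stay in
#    memory until the sessions end, so reboot or force logoffs afterwards.
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
New-ItemProperty -Path $wdigest -Name 'UseLogonCredential' -PropertyType DWord -Value 0 -Force | Out-Null

# 4. Optional and disruptive: disabling the WMI service removes one remote
#    execution channel, but also breaks SCCM, monitoring agents and many admin
#    scripts. Flip the switch only on hosts where that is acceptable.
$disableWmi = $false
if ($disableWmi) {
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
}

Write-Output 'Bad Rabbit host mitigations applied.'
```

The permission-stripping step is deliberately stronger than the "read-only" attribute the text suggests: a read-only attribute can be cleared by any process that can write to C:\Windows, whereas an empty DACL has to be replaced by an owner first. To undo the vaccine later, take ownership of the two files and delete them (for example, icacls C:\Windows\infpub.dat /grant Administrators:F followed by Remove-Item). None of this replaces backups, patching or an up-to-date antivirus; it only closes the specific paths this campaign used.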
Predecessors

The WannaCry virus spread to at least 150 countries in May 2017. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars.

More than 200 thousand users were affected. According to one version, its creators built it on EternalBlue, an exploit from the US NSA.

The global attack of the Petya ransomware virus on June 27 hit the IT systems of companies in several countries around the world, affecting Ukraine to a greater extent.

The computers of oil, energy, telecommunications and pharmaceutical companies, as well as government agencies, were attacked. The Ukrainian cyber police stated that the ransomware attack came through the "M.E.doc" program.

Material prepared on the basis of open sources
