BadRabbit ransomware attacks multiple media outlets

On Tuesday, Russian media outlet Interfax said in a statement their servers were offline due to a virus attack. The news agency shifted their reporting efforts to Facebook while they work to recover.

A short time later, Russian security firm Group-IB posted a screenshot of the ransomware in action, calling it BadRabbit. Group-IB said at least three Russian media outlets were attacked, but only Interfax has been confirmed. Group-IB would not name any of the other victims.

According to the landing page for victims of BadRabbit, the decryption cost (ransom demand) is about $283 based on the current Bitcoin exchange rate.

This story is developing, and additional updates will be posted below.

What is known about BadRabbit:

It’s self-propagating more than likely, spreading via fake Flash updates. ESET says that the false updates are coming from watering hole attacks on popular domains.

It’s a previously unknown family of ransomware, but it does share some code with Petya, so it’s a variant of that ransomware family. Analysis shows that BadRabbit shares 13-percent of its code with Petya, but the key encryption functions are being handled by a legitimate encryption tool (DiskCryptor).

Based on the figures presented by ESET at the time this update was posted, 65-percent of the victims today were in Russia, followed by Ukraine (12.2%), Bulgaria (10.2%), Turkey (6.4%), and Japan (3.8%).

“It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had foot inside their network and launched the watering hole attack at the same time as a decoy. Nothing says they fell for the “Flash update”. ESET is still investigating and we will post our finding as we discover them,” an ESET update explains.

Kaspersky says there were about “200 targets” so far, but don’t read into the usage of the word ‘target’ as there’s nothing to suggest that the victims were directly targeted. Likewise, there is nothing to suggest the attacks today were state-sponsored.

Tips for detecting BadRabbit and preventing it:

Kaspersky suggests preventing the following files from executing:

c:Windowsinfpub.dat

c:Windowscscc.dat

Another step is to disable the WMI service (if possible) which will limit the spread of malware. Kevin Beaumont, who has been previously mentioned in this article, also suggested blocking inbound SMB, use Credential Guard in Windows, monitor scheduled tasks and service creation, and control the number of admins on a given network.

On Pastebin Christiaan Beek uploaded a Yara rule for those who need it.

Royce Williams has created a living document with links and information as it emerges and confirmed.

Microsoft has posted guidance for administrators as well, including a note to watch for IDs 1102 and 106 in the event log, which indicates the audit log has been cleared, and that scheduled tasks related to BadRabbit (with names taken from Game of Thrones) have been created.

Update: 10/24/17 11:35 a.m.

According to an ESET researcher, BadRabbit is spreading via fake Flash updates and incorporates Mimikatz, an open source post-exploitation tool that helps attackers get a better foothold on a computer or network. In addition, the post linked it to the Petya family of ransomware.

Earlier this morning, CERT-UA (Ukraine) alerted the public of the possible start of a new wave of cyberattacks to the country’s information resources. It isn’t clear if the warning is related to BadRabbit, but the advisory referenced incidents at Odessa airport and Kiev subway.

On October 13, CERT-UA warned the public of possible Ransomware attacks leveraging variants of Petya-A, the malware responsible for massive infections across the globe this past June.

Update: 10/24/17 11:45 a.m.

Based on samples that have been submitted to VirusTotal, several security vendors, including ESET, Kaspersky, Symantec, Check Point, and Palo Alto Networks are detecting BadRabbit in some form. The number of detections is only expected to grow as the day moves forward. Also, Windows Defender is said to be flagging parts of the malware.

Update: 10/24/17 11:57 a.m.

According to researchers at ESET, in addition to the media outlets that were impacted, BadRabbit has also targeted several transportation and governmental organizations in Ukraine.

As previously reported by CERT-UA, Keib Metro, Odessa airport were infected. In addition, Ukrainian ministries of infrastructure and finance were also targeted. Public sources have also said a number of organizations in Russia have been affected.

ESET also reaffirmed that BadRabbit is a variant of Petya. The usage of Mimikatz is to extract credentials form affected systems. On Twitter, Dave Maasland, managing director of ESET Nederland, said the malware is using the Eternal Blue exploit to spread. However, the Eternal Blue detections might have been false positives.

According to their telemetry data, there have been hundreds of hits on the malware in Ukraine and Russia, as well as Turkey, Bulgaria, and other countries.

Update 10/24/17 12:25 p.m

A McAfee researcher has released a list of file-types being targeted by BadRabbit, which include all the usual suspects, including Office formats and archive formats. The complete list was published by Christiaan Beek, Lead Scientist and Principal Engineer at McAfee.

An analysis of the flash_install.php that was observed in attacks (this is an executable using the PHP filename when uploaded),has also been posted. In addition, it has been confirmed that the ransomware uses a legitimate tool (DiskCryptor) to encrypt the victim’s hard drive. (Credit: @IstaPee)

When it comes to credentials, BadRabbit is using a list of common hard-coded credentials including: Admin, Guest, User, boss, root, support, rdpadmin, work, backup, nas, nasuser, nasadmin, netguest, etc. (Credit: Maarten van Dantzig)

A full video of a BadRabbit attack has also been made available on ANY.RUN, which provides live malware analysis. (Hat Tip: Kevin Beaumont a.k.a. @GossiTheDog)

Kaspersky Lab is reporting many of the same infection locations as ESET, but Germany has also been added to the list.

Update: 10/24/17 04:25 p.m.

US-CERT has issued an advisory on BadRabbit, reminding administrators to review Threat Advisories TA17-132A and TA17-181A. While it should go without saying, US-CERT has urged victims to not pay any ransom. Problem is, some will pay because they lack proper backups, or worse their backups were not properly managed and they too became encrypted.

ESET and Kaspersky continue to update the public on the status of BadRabbit, and other experts have been digging into the technical details, sharing mitigation and investigation strategies. Outside of Twitter, experts have also been posting technical details on the malware to public collection points, such as Alien Vault’s Threat Exchange.

On a somewhat related note, some administrators have expressed a desire to go after those responsible for ransomware infections like BadRabbit. It’s an expected sentiment, especially given all the ‘hack back’ talk that’s in the news.

The problem is, with ransomware, the source of the infection is hard to track given all the layers that exist in the marketplace responsible for ransomware. But if you’re interested in recent developments on the topic of hacking back, CSO’s Fahmida Rashid recently posted a story legal hack back options using deception technologies.

Update: 10/24/17 8:45 p.m.

Security vendor Avast has stated on Twitter that BadRabbit infections have spread to the U.S., however, the company couldn’t provide any additional details or information, likely due to the time zone difference. When asked, McAfee’s Lead Scientist and Principal Engineer, Christiaan Beek, said his company hasn’t seen any U.S. infections, adding “let’s keep it that way.”

Also, some news outlets and security vendors have referenced the previously mentioned US-CERT advisory as supporting evidence that BadRabbit has infected systems in the US. This is not the case. All the advisory does is announce that BadRabbit is real, and encourage administrators to read the previously released threat advisories related to Petya and WannaCry.

McAfee [1] and Cisco’s Talos [2] have published blogs on BadRabbit. While they don’t contain spanking new information, they are interesting technical dives into the malware itself and worth a read if you’re following developments from all sides. Amit Serper, a security researcher at Cybereason has released a blog post detailing what’s being called a vaccine for BadRabbit.

Researchers at Kaspersky have offered up some new information. On Twitter, Costin Raiu said that the actors behind BadRabbit have been setting up their infection network since at least July 2017, listing a number of domains. Anton Ivanov, a malware analyst at Kaspersky, tweeted images that showing that BadRabbit isn’t a wiper, and actual decryption taking place.

Group-IB, the Russian security firm that first alerted the world to the existence of BadRabbit, has also released new information this evening. In a blog post, Group-IB released the Bitcoin wallet addresses of the actors responsible for Tuesday’s attacks. At the time this update was written, there were no transactions on either wallet.

1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM

17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z

Other details include the fact that at least some of the landing website used by BadRabbit to collect ransom payments was updated as recently as October 19. Based on additional examination, Group-IB found the same set of domains Salted Hash did, and speculated that the actor’s responsible for Tuesday’s mayhem used bulletproof hosting.

Finally, Group-IB has suggested a link between the BadRabbit and the Black Energy campaigns.

Update: 10/25/17 12:35 p.m

Avast said on Tuesday that they had detected BadRabbit in the U.S., however, there wasn’t much clarification as to what that means.

As things stand at the time this update was written, McAfee, Bitdefender, and Avira, have all said no when it comes to the question of U.S. infections. Kaspersky referred to their existing blogs (which do not mention U.S. infections) and ESET said they’ve had no infections in the US.

In their post Avast says: “While the U.S. and other central and eastern European countries, including Poland and Romania have also been affected, the number of encounters in these countries, including the U.S., were much lower than what we have observed in Russia. However, at the time of writing, we calculate a detection rate of only one percent or less in each of these regions.”

However, after publishing their blog, Avast clarified their remarks to Salted Hash. What they’re reporting are attempts, not actual infections.

In a statement, the company said that the “percentages provided are for blocked attempts.”

Check Point also reported that BadRabbit was detected in the U.S. (Credit: Chris Bing, CyberScoopNews)

However, the malware research team lead at Check Point, Yaniv Balmas, said that these detections came from the logs on threat emulation devices. For those who don’t know, these devices act as a sandbox, and protect Check Point customers by emulating files sent to them via email or the web.

“The fact we are seeing logs from these devices means that the Bad Rabbit files were present at several of our US clients networks,” Balmas said.

So, if the BadRabbit files were in the sandbox, then once more we’re talking detections, not infections – an observation that Check Point confirmed to Salted Hash.

This is a good thing, but it isn’t an excuse to ignore the problem. The running advice for administrators the world over still stands: Check your backups; confirm they are running and current; now test them. Do this on a regular basis.