• Breaking: New ransomware BadRabbit moving quickly through Russia



    #140421

    Looks like the initial infection vector is a fake Flash update. Will keep you updated, but watch Catalin Cimpanu on Bleepingcomputer and Kevin Beaumon

    3 users thanked author for this post.
    Viewing 11 reply threads
    • #140431

      What, the attacker expects you to type in that mess/key? I think most users would be hard pressed to type that even if they wanted to fund the attackers.

    • #140436
      7 users thanked author for this post.
      • #140522

        I have read that it is suggested to turn off the WMI service to help protect against this attack.

        Is that recommended here?

        It also makes me think: is there an area on this site that has instructions on which service(s) should be active/disabled, to make the O/S as tight as possible?

        Novice user, Win 8.1

        • #140574

          If you’re attached to a corporate network that may be compromised, then turning off the WMI service may help.

          For most people, it isn’t necessary.

          2 users thanked author for this post.
    • #140514

      So if Windows Defender detects it, that means it’s the same for MSE, right?

      1 user thanked author for this post.
    • #140562

      This ransomware business is getting totally out of hand these days.

      Unfortunately, many people will continue to be targets for this because they seem to have the attitude that “it will never happen to me” or they’re just blissfully unaware of the danger.

      I consider myself to be ‘immune’ because I have 2 solid state drives in my PC tower – the first one has Windows and the second is a ‘data’ drive with pictures, videos, Windows Macrium images, etc.

      In addition, I always keep several Macrium images of the Windows drive on a separate external USB hard drive (which is powered off when not in use) and I have an extra SSD which is an exact duplicate of my data drive and it is updated weekly. I also have another spare SSD which can be used to swap out the Windows SSD if needed.

      Plus, all of my data is backed up on another external USB hard drive which is also powered off when not in use. And, everything is also on my trusty 11 year old HP laptop which is still running perfectly (especially after putting an SSD in it a couple of years ago).

      If I’m hit by ransomware, it is just a matter of swapping out the 2 SSDs in the PC tower and restoring a Macrium image of the Windows drive. The laptop is also backed up regularly with Macrium.

      2 users thanked author for this post.
      • #140591

        The upshot of your very good comment is that all computer users should be backing up their computers on a regular schedule — and without fail. Hard drives fail over time. A computer can get infected with malware. A computer power supply can fail in an unforeseen way which takes out the computer’s motherboard and/or other components. A CPU fan can fail, such that the CPU gets too hot and either burns up or causes data corruption. Chipsets can fail, due to overheating, resulting in I/O data corruptions. These are just some possibilities. Yet most people do not appreciate the importance of backing up their computers and data on a regular basis until it is too late.

        I too use Macrium to back up all of my computers. I will never use Acronis ever again, yet that is a different story. And like you, not only do I keep all of my data on separate partitions, but I also keep two offline backups of my data.

        I installed removable HDD bays on all of my computers so that I can insert a SATA drive, perform my backup really fast in comparison to USB2 or USB3 methods, and then remove the backup drive when I am done. Offline backups of course cannot become infected.

        4 users thanked author for this post.
        • #140767

          I abandoned Acronis for their failure to fix a longstanding bug that prevented Windows from shutting down, and I use Macrium Reflect for daily and monthly images. Its simplicity and unpretentiousness make me a loyal user.

          I read that the “expert” view is that three backups are required: desktop (for convenience), hidden away onsite, and offsite. Not a bad idea.


        • #140857

          The advice to run regular backups is generally good advice for many users, but bear in mind that not everyone uses their computer(s) for the same purpose or needs a total backup. In my own case, for example, there is nothing on either of my two desktops that I could not afford to lose although a few things like emails and the odd photo or other document are routinely kept on both machines anyway (with emails and attachments also kept on webmail) so they can always be accessed if one machine fails or is compromised. I never install updates or make other changes to both machines at the same time, and they are not connected. They are used primarily for gaming and all saved data is either kept server-side by the game developer or else is backed up on the Cloud by a gaming platform such as Steam.

          Losing my hard drive’s contents to either a ransomware attack or a hard drive failure would therefore be an inconvenience but not a problem, no different say to when I buy a new drive or computer. I have very simple systems with all that I need reinstalled very quickly. For other users it can be very different, of course, especially when they are using their computers for their work (as I did before I retired). It is important, however, that people also recognise that backups don’t always work and shouldn’t be totally relied on.

          I’m not complacent by any means, but equally I am not paranoid either. I take sensible precautions and beyond that I find it pays to be philosophical these days!

    • #140561

      I got an 18 MB Windows Defender download today. Most WD downloads I get are a megabyte or less. I don’t know if this is related to the topic or not.

      • #140665

        I don’t know exactly about Windows Defender (I use Microsoft Security Essentials on Win7) but I support the belief (elsewhere in this topic) that WD and MSE probably share the same definitions (at least, the mpam-fe.exe downloaded current-state definition files have always been identical, in my occasional checks).

        I noticed that yesterday (24 October) MSE’s definition file numbers started a new sequence; was 1.253.xxxx.0, now 1.255.xx.0.  I imagine (no more) that a large-ish definition download yesterday may simply have been related to that change.

    • #140576

      I like Cybereason’s simple method for preventing infections by BadRabbit. See:

      https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

      In a temporary folder I simply created two zero length text files named cscc.txt and infpub.txt, set them to read only, renamed them to .dat, and then copied the two .dat files into my Windows folder. Then I followed the above article’s instructions for removing all permissions for these two new .dat files which I placed in my Windows folder. This will supposedly stop BadRabbit dead in its tracks.

      1 user thanked author for this post.
      • #140583

        Does it matter if you set the files to read only and rename them after you move them?

        • #140604

          You have to rename them first and then set the read-only attribute, but after denying permissions on the files it will block them from being read by any normal means. So the redundancy of setting the read-only attribute is not bad, just extra work.

    • #140624

      What about this?

      @echo off
      rem Bail out if either file already exists, so a real file of that name is never overwritten
      if exist %systemroot%\cscc.dat (echo ERROR, FILE EXISTS & pause & exit)
      if exist %systemroot%\infpub.dat (echo ERROR, FILE EXISTS & pause & exit)
      rem Create each zero-length file, mark it read-only, then strip the inherited ACEs
      rem so the resulting empty DACL denies all access (run from an elevated prompt)
      type nul > %systemroot%\infpub.dat && attrib +R %systemroot%\infpub.dat && icacls %systemroot%\infpub.dat /inheritance:r
      type nul > %systemroot%\cscc.dat && attrib +R %systemroot%\cscc.dat && icacls %systemroot%\cscc.dat /inheritance:r
      pause
      exit

      2 users thanked author for this post.
      • #140649

        As long as it is run from an elevated CMD prompt, that script does what’s described in the cybereason.com article for creating two files that should hinder the infection.

        Adding the ReadOnly attribute is extraneous, though. That’s just a flag that well-behaved applications agree to honor; the ACL-based file permissions being completely removed is what actually blocks access at the file system level.

        Remember that creating files on your system that nothing can access due to permission denial could cause unexpected issues – such as error messages when making backups – in the future. There probably won’t be any real problems, but just remember that you’ve created these files on purpose if you see things go wrong in the future.

        I might choose to echo some friendly reminder message into the files myself, so that if I find myself trying to remember why they’re there… 🙂

        -Noel

        1 user thanked author for this post.
        • #140683

          …Remember that creating files on your system that nothing can access due to permission denial could cause unexpected issues – such as error messages when making backups – in the future. There probably won’t be any real problems, but just remember that you’ve created these files on purpose if you see things go wrong in the future. … -Noel

          However, having removed ALL permissions from the files, if you do have issues either upon reboot or in the future sometime and wish to delete the files because the threat may have loooong since passed, wouldn’t you be unable to do so because of having removed even the system level permissions?

          Just something to think about before proceeding with the permission change to the files.

          • #140713

            However, having removed ALL permissions from the files, if you do have issues either upon reboot or in the future sometime and wish to delete the files because the threat may have loooong since passed, wouldn’t you be unable to do so because of having removed even the system level permissions?

            No. If you own the file you can add the permissions back in.

            -Noel

            1 user thanked author for this post.
            • #140724

              D’OH!! Forgot about the ownership aspect!!  :-[  :-[  Nice catch!!
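              The vaccine procedure discussed in this sub-thread (create the two files in the Windows folder, strip every permission, and later restore access through file ownership, as Noel points out) as an added PowerShell example; it is not code from the thread or from Cybereason, it assumes an elevated session, and it uses the same two file names the posts name.

              ```powershell
              # Added example (not from the thread): BadRabbit "vaccine" files with an empty DACL.
              # Run from an elevated PowerShell session; the owner of a file keeps READ_CONTROL and
              # WRITE_DAC even when the DACL is empty, which is what makes the undo below possible.
              $VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

              function New-VaccineFile {
                  param([string]$Path)
                  if (Test-Path $Path) { throw "Refusing to overwrite existing file: $Path" }
                  # A reminder message instead of an empty file, so a future admin knows why it is there
                  $note = "Placeholder created $(Get-Date -Format s) to block BadRabbit ransomware; safe to remove once no longer needed."
                  Set-Content -Path $Path -Value $note -Encoding ASCII
                  $acl = Get-Acl -Path $Path
                  # Disable inheritance WITHOUT copying the inherited ACEs, then remove any explicit ones
                  $acl.SetAccessRuleProtection($true, $false)
                  foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
                  Set-Acl -Path $Path -AclObject $acl
              }

              function Test-VaccineFile {
                  param([string]$Path)
                  # True only when the file exists and its DACL carries no ACEs at all (deny-all)
                  if (-not (Test-Path $Path)) { return $false }
                  return ((Get-Acl -Path $Path).Access.Count -eq 0)
              }

              function Remove-VaccineFile {
                  param([string]$Path)
                  # Owner (BUILTIN\Administrators for files created elevated) may rewrite the DACL:
                  # grant ourselves Full Control, then delete the placeholder.
                  $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                  $acl = Get-Acl -Path $Path
                  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
                  $acl.AddAccessRule($rule)
                  Set-Acl -Path $Path -AclObject $acl
                  Remove-Item -Path $Path -Force
              }

              foreach ($f in $VaccineFiles) {
                  New-VaccineFile -Path $f
                  "$f vaccinated: $(Test-VaccineFile -Path $f)"
              }
              # Later, to undo: foreach ($f in $VaccineFiles) { Remove-VaccineFile -Path $f }
              ```

              The read-only attribute from the batch script is omitted on purpose, since the empty DACL is what actually blocks access.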

    • #140656

      Does not allowing Flash on one’s PC not also protect it?

      • #140671

        Does not allowing Flash on one’s PC not also protect it?

        I don’t see it written anywhere that Flash is necessary at all to get the fake Flash update messages.

        A web page can put up any information it wants. In this case it appears such web pages make it look as though a Flash update is available and request that you press a button and allow the launch of a downloaded executable. To a degree, THAT part involves social engineering, since users have to be duped into doing something they might not normally allow.

        However, it seems pretty clear that this isn’t the only way this ransomware spreads.

        If you want to harden your system so that it is less apt to be exposed to malware, I suggest the following:

        1. Review your browser settings and make SURE it’s not possible for any software (e.g., add-ons, downloaded files, etc.) to run without prompting, then of course be VERY wary about allowing ANYTHING to run. For most browsers you can choose to give up some of the “integrated glitz” features in return for additional security. Be aware that there ARE reasonable compromises that serve to keep your system secure yet allow you to see the content. Lastly, understand that you really don’t need browser Add-ons to browse the web.

        2. Though I advise in general against add-ons, consider adding a well-established blacklisting add-on, UBlock, to your browser so as to have it avoid visiting sites known to harbor malware. Such products run from managed lists that are continuously updated. Not allowing your system to visit those sites goes a long way toward never being exposed to malware, yet as with item 1 there are good compromises where you can see the content but the malware and ads are blocked.


        -Noel

        2 users thanked author for this post.
    • #140667

      More info on VirusTotal

      Windows - commercial by definition and now function...
      2 users thanked author for this post.
      • #140674

        It looks like nearly all of the major AV vendors detect it. That is reassuring.

    • #140675

      I might choose to echo some friendly reminder message into the files myself, so that if I find myself trying to remember why they’re there… -Noel

      Agree, that’s what I did on my system.

      Anyway, maybe I’m wrong, but I think once your antivirus is updated to block the malware there’s no need for those files anymore.

    • #140697

      Pardon my ignorance but I am soooo confused and reading Woody’s articles are confusing me even more!! My PC uses Windows 7 Home premium 64 bit and I am in Group A, have been since the rollups started. I have almost every update (except the ones I have been told to avoid by the experts here) every month except for this month as we are still under Defcon 2.

      In Woody’s article (on AskWoody) it says to make sure to have MS17-010 (KB4013389) installed which says it was published on March 14, 2017. I did a search for that KB # on my PC but it was not found. So I clicked on the link in the article that took me to Woody’s Computer World article which states: “If you have any of those patches already installed, then you are good to go and you can sleep well at night. There’s no reason to download or install anything, unless you have absolutely none of those patches.”

      Then it lists these updates for Windows 7:”

      • 2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
      • April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
      • April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
      • March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
      • March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

      I checked my PC for all those KB #’s and found NONE installed……I DON’T understand. Are those updates for people in Group A or for those in Group B who are installing Security ONLY updates? Or are those updates included in the Rollup updates that I do every month and already have installed? I know for a fact that I have installed all the Monthly Rollups except for October so I am confused as to why I am missing so many of the updates???? Can someone please clarify or help me with this situation PLEASE!!!

      • #140701

        The March, 2017 Security Only Quality Update for Windows 7 (KB4012212)  is a Group B patch that has to be downloaded and manually installed – you should not have that one.

        The April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552) is an UNCHECKED optional patch and does not get installed through the important updates in Windows Update – you should not have that one.

        Anything labeled “Security Monthly Quality Rollup for Windows 7” is a CUMULATIVE Rollup that is installed as a CHECKED important update when you run Windows Update. Since they are CUMULATIVE, the latest one contains everything that was in any of the earlier ones.

        So if you have the September 2017-09 Security Monthly Quality Rollup for Windows 7 (KB4038777) or the August 2017-08 Security Monthly Quality Rollup for Windows 7 (KB4034664), then you also have the patches from the March, April, and May Rollups.

        Check to see if you have either August or September patch.

        2 users thanked author for this post.
        • #140706

          PKCano thanks again for being right there to help with my confusion and answer my questions, it is always appreciated.

          I did check and I do have the September 2017-09 Security Monthly Quality Rollup for Windows 7 (KB4038777) installed on my PC but not the August 2017-08 Security Monthly Quality Rollup for Windows 7 (KB4034664). So if I have the one I don’t need to do anything else to be protected?

          • #140707

            If you have Sept installed, you have everything in the Rollups before installed.
            You should be good.

            1 user thanked author for this post.
            • #140710

              I am no longer confused or concerned…….Thank you!

            • #140718

              I understand your point of view, but I would suggest never stopping being concerned.

              Good security starts with you and your computing habits. Try not to get a false sense of it nor to oversimplify the problem because you expect your antivirus solution handles everything. If it were true that it was infallible there would be no malware out there, and we know that’s not the case.

              I recommend you keep your awareness up and don’t just “click through” any Flash update screens (or any other unexpected requests to run something) that you see presented to you, even though you feel your antivirus software should block infections.

              -Noel

              1 user thanked author for this post.
            • #140735

              Oh have no fear I am always on alert, that is why I visit this site multiple times a day and take any advice and instructions that I can get with appreciation. When I got my first computer in 2010 and being uneducated in anything to do with them I innocently clicked on what I thought was a Firefox update and was immediately infected with a virus. Believe me when I tell you that I learned my lesson and I don’t click on anything that pops up. I use an adblocker and NoScript, I scan with both Microsoft Essentials and Malwarebytes regularly and keep my PC up to date with regard to Windows updates with the help of all the experts here. I know that even doing those things a virus or malware could get through at any time.

              1 user thanked author for this post.
    • #140736

      Woody wrote: “… I wonder if the Win10 FCU ransomware blocker “Controlled folder access” effectively blocks Bad Rabbit?”

      Personally, I think this would be a great “acid test” of sorts for that feature!! However, it would probably get caught by the real time protection feature of Windows Defender and its definition database before activating the folder access feature, since there are reports of Defender successfully catching the rabbit!

      • #140757

        Sounds like a test that a good QA team could do with in house disposable/recyclable hardware. Instead of foisting such a project onto unpaid testers lacking a cross checking infrastructure to verify all findings. Just an idea.
