Breaking: New ransomware BadRabbit moving quickly through Russia, Ukraine
Looks like the initial infection vector is a fake Flash update.
Will keep you updated, but watch Catalin Cimpanu on Bleepingcomputer and Kevin Beaumont on Twitter (@GossiTheDog aka Beaumont Porg, Esq) for reliable info.
Steve Ragan has multiple details in CSO.
What should you do? Don’t sweat it. Make sure you have MS17-010 installed. As long as you aren’t connected to a corporate network (where the WebDAV infection vector may come into play), you’re fine. If you’re worried about getting stung on a corporate network, there’s a detailed step-by-step vaccination description on Cybereason: create two files, infpub.dat and cscc.dat, and block all access to them (turn off “inherited permissions” so no account is left with rights to the files).
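Here is what that vaccine looks like as a PowerShell script. This is an added example, not code from the original post and not Cybereason’s own procedure; it assumes the two files live in %WINDIR% (the drop location given in the published vaccine) and reads “block access” as stripping inheritance and then every remaining access entry, leaving an empty DACL. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: create infpub.dat and cscc.dat and lock them down so the malware
# cannot open them for writing. $TargetDir = %WINDIR% is an assumption taken from
# the published vaccine, not from the post above.
param(
    [string]$TargetDir = $env:windir
)

function Protect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Create a zero-byte placeholder if the file does not already exist.
    if (-not (Test-Path -LiteralPath $Path)) {
        $null = New-Item -Path $Path -ItemType File -Force
    }

    # 2. Stop inheriting ACEs from the parent directory and do NOT copy them down.
    #    SetAccessRuleProtection(isProtected, preserveInheritance)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 3. Re-read the ACL (only explicit ACEs remain now) and remove each one,
    #    which leaves a DACL with no entries: every access check fails.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access)) {
        $null = $acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # $true when the file exists, inheritance is off and no ACE is left.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    return ($acl.AreAccessRulesProtected -and @($acl.Access).Count -eq 0)
}

foreach ($name in 'infpub.dat', 'cscc.dat') {
    $path = Join-Path -Path $TargetDir -ChildPath $name
    Protect-VaccineFile -Path $path
    if (Test-VaccineFile -Path $path) {
        Write-Host "Locked down: $path"
    } else {
        Write-Warning "Could not fully lock down $path; check it with: icacls `"$path`""
    }
}
```

Owners of a file keep the implicit right to read and change its permissions even with an empty DACL, so an administrator can still undo this later with icacls or Set-Acl; the point is only that an ordinary open-for-write, which is what a dropper does, is refused.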
Idle thought: I wonder if the Win10 FCU ransomware blocker “Controlled folder access” effectively blocks Bad Rabbit? No, I’m not going to try it.
UPDATES:
Bleepingcomputer post is up.
Welivesecurity: Several transportation organizations in Ukraine as well as some governmental organizations have suffered a cyberattack, resulting in some computers becoming encrypted, according to media reports. Public sources have confirmed that computer systems in the Kiev Metro, Odessa airport, Ukrainian ministries of infrastructure and finance, and also a number of organizations in Russia are affected… ESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D, a new variant of ransomware known also as Petya. The previous variant of Diskcoder was used in a damaging cyberattack on a global scale in June 2017.
Pic of the ransomware screen (c/o Jiri Kropac, @jiriatvirlab)
Windows Defender catches it.
Beaumont: #BadRabbit uses a legit, signed program called DiskCryptor to lock out the victim hard drive… It’s actually a neat way of doing it as the kernel drivers are co-signed by Microsoft’s driver signing program… #BadRabbit (also) has hard coded credentials in it, for whatever reason. Overwrites MBR, Petya style… Shoutouts to Kaspersky and ESET over #BadRabbit – both had detection before I even knew about it, and were well under way investigating… Good job USG [US government] is removing Kaspersky btw, otherwise they could be protected right now… spreads (also) via WebDAV internally – this is new for a worm… It schedules a shutdown of the PC (a la Petya), never to return, which limits spread. Somehow they got this across companies quickly.
@VessOnSecurity: My SMB honeypot isn’t seeing anything unusual. Either #badrabbit is very targeted or it’s only a LAN worm, like (not)Petya.
@fwosar: #BadRabbit contains lateral movement based on own SMB implementation… appears to be using our good buddy EternalBlue!
@jaytezer: #badrabbit found to have 13% code reuse of #notpetya #petya here’s a public report with the unpacked sample: https://t.co/NOIul4yLVT
Avast: #BadRabbit now detected in the U.S. We expect a growing number of detections in the hours ahead. Spreading thru SMB (which means MS17-010 should stop it).
@campuscodi: Kaspersky researcher has successfully decrypted files locked by #BadRabbit, meaning the ransomware works as expected, unlike NotPetya. (NotPetya was a wiper, looks like #BadRabbit is a for-real encryptor)
BitDefender analysis is up.
Andy Greenberg at Wired says Kaspersky has “found strong evidence” that BadRabbit is from the same folks who brought us NotPetya.