A series of ransomware attacks starting on October 24th have been recently disclosed. With the continued trend of global ransomware outbreaks this year, it is ever more clear that decisive and responsive action is needed to protect organisations. This particular ransomware outbreak is being referred to as ‘BadRabbit.’
At the time of this advisory, the ransomware has mainly affected Russia, with similar attacks seen in Ukraine, Turkey, and Germany. No attacks have been identified in Ireland as yet; however, this could change quickly, with organisations in other regions expected to be identified as victims in the coming days.
How Does ‘BadRabbit’ Work?
The initial infection is via a ‘Dropper’ used during a ‘drive-by attack’. A victim visits an infected website and the ransomware is dropped (that is, downloaded without the user requesting it) onto their system as they browse. Websites that have been observed as vehicles in this attack are generally legitimate; unconfirmed reports indicate that news media sites have been specifically targeted.
The malicious file which is downloaded onto the victim’s system is named install_flash_player.exe and requires the user to manually launch it. The ransomware requests elevated administrative permissions to run via the Windows User Account Control (UAC) prompt. Once the ransomware runs with the elevated permissions it saves malicious .dlls as C:\Windows\infpub.dat or C:\Windows\cscc.dat. These will then be called and run by rundll32.exe. Both malicious .dlls search for and encrypt files on the machine using RSA-2048 encryption.
Infpub.dat and cscc.dat will also install and run a malicious executable C:\Windows\dispci.exe.
dispci.exe is used to install a modified bootloader and interrupt the normal boot-up process of the victim machine.
It should be noted that BadRabbit will attempt to spread across the network using a list of usernames and passwords embedded in its code – for this reason, it is vital that secure passwords are in use across your organisation’s network.
Infected users are asked to pay 0.05 bitcoin (approx. $280) to recover the encrypted files.
How Do I Protect My Organisation?
- Keep your antivirus active and up to date, and always update your AV software from valid sources.
- Ensure you have a reliable and well configured backup solution, keeping at least one of those backups offline.
- Ensure the minimum appropriate level of administrative privilege is allocated. This can assist in prohibiting propagation should your organisation be attacked.
- To stop the spread via WMIC, administrators should block the files C:\Windows\dispci.exe, C:\Windows\cscc.dat and C:\Windows\infpub.dat from running.
- McAfee has confirmed that the BadRabbit signature will be added to the production DAT 8695. In the meantime, Ward Solutions highly recommends creating a new custom Access Protection rule in VSE to stop the creation and execution of the three file names mentioned above.
My Organisation is Infected, What Now?
Firstly, Ward Solutions would advise organisations impacted to not attempt to pay the ransom as there is no guarantee that the attackers will decrypt the data. Also, refusal to pay the ransom can aid in the discouragement of future attacks.
Secondly, isolate any infected machine from the network until it can be ‘cleaned’ and confirmed free of the ransomware. Currently there is no known way to decrypt the data; however, decryption tools for other ransomware families have been released in the past. Ward will provide further updates on any toolsets as they are released.
How Can Ward Solutions Help?
For SOC Managed Service customers, Ward has been receiving IBM Threat Intel feeds, which have been updated with BadRabbit IOCs (below). The SOC will take any appropriate action required for each customer.
For Managed Service customers, the Ward Support team will be reviewing individual environments to ensure all recommendations are implemented.
For all other customers, if you would like additional information or would like support in implementing preventative measures in your environment, please contact support@ward.ie or your account manager, as appropriate.
Further reading:
http://www.bbc.com/news/technology-41740768
https://nakedsecurity.sophos.com/2017/10/24/bad-rabbit-ransomware-outbreak/
https://blog.qualys.com/news/2017/10/24/bad-rabbit-ransomware
Indicators of Compromise (IOCs):
- The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php
- install_flash_player.exe [SHA256]: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- C:\Windows\dispci.exe [SHA256]: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
- C:\windows\infpub.dat [SHA256]: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
- C:\windows\cscc.dat [SHA256]: 8d63e37aa74ca33a926bec7c7aa8fda0f764ffbb20e8f64bb9c3999b5975f9a6
Known infected websites (non-exhaustive):
- hxxp://argumentiru[.]com
- hxxp://www.fontanka[.]ru
- hxxp://grupovo[.]bg
- hxxp://www.sinematurk[.]com
- hxxp://www.aica.co[.]jp
- hxxp://spbvoditel[.]ru
- hxxp://argumenti[.]ru
- hxxp://www.mediaport[.]ua
- hxxp://blog.fontanka[.]ru
- hxxp://an-crimea[.]ru
- hxxp://www.t.ks[.]ua
- hxxp://most-dnepr[.]info
- hxxp://osvitaportal.com[.]ua
- hxxp://www.otbrana[.]com
- hxxp://calendar.fontanka[.]ru
- hxxp://www.grupovo[.]bg
- hxxp://www.pensionhotel[.]cz
- hxxp://www.online812[.]ru
- hxxp://www.imer[.]ro
- hxxp://novayagazeta.spb[.]ru
- hxxp://i24.com[.]ua
- hxxp://bg.pensionhotel[.]com
- hxxp://ankerch-crimea[.]ru
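The following script is an added example (not Ward Solutions' or any vendor's tooling) showing how a SOC or support team could put the indicators above to work: it refangs the defanged `hxxp://host[.]tld` notation, flags proxy log lines that fetched the dropper URL or visited a known infected site, and matches a file inventory of path plus SHA256 against the listed hashes, reporting a same-name-but-different-hash file separately since the protection section asks for those three file names to be blocked regardless. The log lines, inventory entries and the `notepad.exe` placeholder hash are constructed for illustration; the indicator values themselves come from this advisory.

```python
"""Match the BadRabbit IOCs from this advisory against proxy logs and a file inventory.

Added example, not the advisory's own tooling. Sample log lines and inventory
entries are constructed; IOC values are copied from the advisory above.
"""
import re
from dataclasses import dataclass

# Hash IOCs from the advisory (path -> SHA256). Paths are compared case-insensitively
# because the advisory itself writes both C:\Windows and C:\windows.
HASH_IOCS = {
    r"install_flash_player.exe": "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
    r"C:\Windows\dispci.exe": "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
    r"C:\Windows\infpub.dat": "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
    r"C:\Windows\cscc.dat": "8d63e37aa74ca33a926bec7c7aa8fda0f764ffbb20e8f64bb9c3999b5975f9a6",
}

DROPPER_URL = "hxxp://1dnscontrol[.]com/flash_install.php"

# Subset of the advisory's infected-site list, kept in defanged form as published.
INFECTED_SITES = [
    "hxxp://argumentiru[.]com",
    "hxxp://www.fontanka[.]ru",
    "hxxp://grupovo[.]bg",
    "hxxp://blog.fontanka[.]ru",
    "hxxp://www.pensionhotel[.]cz",
]


def refang(ioc: str) -> str:
    """Turn 'hxxp://host[.]tld/path' back into a real URL for matching."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def hostname(url: str) -> str:
    """Extract the lowercase host part of a refanged URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


@dataclass
class Hit:
    kind: str        # "dropper_url", "infected_site", "hash" or "name_only"
    indicator: str   # which IOC matched
    evidence: str    # the log line or inventory entry that matched


def scan_proxy_log(lines):
    """Flag lines whose URL is the dropper URL or whose host is a known infected site."""
    dropper = refang(DROPPER_URL)
    bad_hosts = {hostname(refang(s)) for s in INFECTED_SITES} | {hostname(dropper)}
    hits = []
    for line in lines:
        m = re.search(r"(https?://\S+)", line)
        if not m:
            continue
        url = m.group(1)
        if url.lower().startswith(dropper):     # exact dropper path, query string ignored
            hits.append(Hit("dropper_url", DROPPER_URL, line))
        elif hostname(url) in bad_hosts:
            hits.append(Hit("infected_site", hostname(url), line))
    return hits


def check_inventory(entries):
    r"""Match (path, sha256) pairs against HASH_IOCS.

    A hash match is reported under any path, since the dropper may be saved under a
    different name. A file that only shares one of the IOC file names (e.g. a
    C:\Windows\cscc.dat with an unknown hash) is reported as "name_only" so it can be
    reviewed, matching the advice to block those names from running.
    """
    by_hash = {h.lower(): p for p, h in HASH_IOCS.items()}
    ioc_names = {p.rsplit("\\", 1)[-1].lower(): p for p in HASH_IOCS}
    hits = []
    for path, digest in entries:
        name = path.rsplit("\\", 1)[-1].lower()
        if digest.lower() in by_hash:
            hits.append(Hit("hash", by_hash[digest.lower()], f"{path} {digest}"))
        elif name in ioc_names:
            hits.append(Hit("name_only", ioc_names[name], f"{path} {digest}"))
    return hits


# Constructed sample data for demonstration (timestamps, IPs and the notepad hash are made up).
SAMPLE_PROXY_LOG = [
    "2017-10-24T10:02:11Z 10.0.0.15 GET http://www.fontanka.ru/ 200",
    "2017-10-24T10:02:13Z 10.0.0.15 GET http://1dnscontrol.com/flash_install.php 200",
    "2017-10-24T10:05:40Z 10.0.0.22 GET https://example.org/index.html 200",
]
SAMPLE_INVENTORY = [
    (r"C:\windows\infpub.dat", "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648"),
    (r"C:\Users\alice\Downloads\install_flash_player.exe", "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"),
    (r"C:\Windows\System32\notepad.exe", "0000000000000000000000000000000000000000000000000000000000000001"),
    (r"C:\Windows\cscc.dat", "1111111111111111111111111111111111111111111111111111111111111111"),
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG) + check_inventory(SAMPLE_INVENTORY):
        print(f"[{h.kind}] {h.indicator} <- {h.evidence}")
```

Feed `scan_proxy_log` the URL column of your web proxy export and `check_inventory` the output of a SHA256 sweep of endpoints (for example a `Get-FileHash` run collected by your management tooling); a `dropper_url` hit on a host that later shows a `hash` hit for infpub.dat or cscc.dat is the sequence described in the "How Does ‘BadRabbit’ Work?" section and is the machine to isolate first.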