"Malware Fix รวมวิธีแก้ปัญหา virus computer โครงการทำดีเพื่อสังคม" "ต้องขออภัยผู้เยี่ยมชมทุกท่านนะครับ ที่เ้ข้ามาแล้ว ไม่ค่อยได้มีการ update หรือทดสอบ virus ตัวใหม่ๆ เนื่องจากภาระหน้าที่การงาน"

Alert


Warning! Crypt0L0cker (ransomware)
encrypts the data on your computer; it is currently spreading in Thailand
and spreading heavily in Korea.
ThaiCERT, Crypto Prevention Tool

*Do not pay under any circumstances: you will lose both the money and the data, which cannot be recovered.
Please share this with anyone who reads it.
How to remove Crypt0L0cker

10/28/2560

Rabbit Ransomware

Security Alert: Fake Adobe Flash Update Spreads Bad Rabbit Ransomware

Here’s what you need to know about this new ransomware attack

A ransomware outbreak called “Bad Rabbit” is spreading quickly around the world, with the epicentre of the damage in Eastern Europe.
This ransomware strain has been reported to resemble NotPetya/Petya in many ways, and it has already caused business disruption at major organizations in Ukraine, Russia, Turkey and Bulgaria.
What is new about Bad Rabbit is that it saves the information it collects and apparently reuses it to spread across internal networks. This makes Bad Rabbit more capable than earlier threats of the same type (NotPetya/WannaCry).

How Bad Rabbit Spreads – Technical details explained

The infection starts with a fake Adobe Flash Player update, dropped onto victims’ computers as a file named “install_flash_update.exe”.
The dropper then copies itself to “C:\Windows\infpub.dat” and launches that DLL through rundll32. From there it spreads by brute force: it tries a list of commonly used usernames and passwords against other machines on the local network until one works, and uses that access to push the ransomware onto them.
The legitimate open-source disk encryption program DiskCryptor is then downloaded from diskcryptor[.]net and used as the tool that encrypts files on the victim’s computer.
Files are encrypted with what appears to be an AES key; that key is in turn encrypted with an embedded RSA-2048 public key. “It is not currently known where the final encrypted key is stored, but could possibly be added to the encrypted files”, said Bleeping Computer.
When Bad Rabbit encrypts a file, it does not append a new extension to the file name. Instead, it writes the marker string “encrypted” at the end of every encrypted file.
In order to mitigate the risk of infection with Bad Rabbit, we recommend you prevent the following files from being created and executed on your Windows endpoints:
C:\Windows\infpub.dat
C:\Windows\cscc.dat
Additionally, Bad Rabbit creates scheduled tasks in Windows named Drogon, Rhaegal and Viserion, after the three dragons from Game of Thrones.
[Image: how one of the scheduled tasks is displayed]
Bad Rabbit tries to encrypt all files with the following extensions: 3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, dib, disk, djvu, doc, dwg, eml, fdb, gz, hd, hdd, hpp, hxx, iso, java, jif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, no.
It then locks the computer, leaving victims no way to access their data until a ransom is paid. When the job is completed, the following message appears.
[Image: files encrypted by Bad Rabbit ransomware, with the ransom message]
The malicious hackers behind this attack ask for 0.05 bitcoin as ransom, the equivalent of approximately $280.
Source: Kaspersky.com
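The indicators above (the three scheduled task names, the two dropped files and the “encrypted” marker at the end of each file) can be checked from an elevated PowerShell session. The script below is an added example and is not part of the Heimdal article or any vendor tool; the function names are my own, it assumes the marker is the plain ASCII string “encrypted” at the very end of the file, and the default scan root is the current user’s Documents folder. It only reads; it changes nothing.

```powershell
# Added example (not from the article): read-only hunt for Bad Rabbit indicators.
# Requires Get-ScheduledTask (Windows 8 / Server 2012 or later) and an elevated session.

# Scheduled task names the article attributes to Bad Rabbit
$TaskNames = @('Drogon', 'Rhaegal', 'Viserion')
# Files the article says the dropper writes
$DroppedFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')
# Marker the article says is appended to every encrypted file (assumed ASCII)
$Marker = 'encrypted'

function Find-BadRabbitTasks {
    # Returns any scheduled task whose name matches the three dragon names.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $TaskNames -contains $_.TaskName } |
        Select-Object TaskName, TaskPath, State
}

function Find-BadRabbitFiles {
    # Returns the dropped files that exist. A zero-length file here is more likely
    # a vaccine file created on purpose than a real dropper.
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Test-EncryptedMarker {
    # True when the last bytes of the file spell the marker string.
    param([Parameter(Mandatory)][string]$Path)
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Marker)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        if ($stream.Length -lt $bytes.Length) { return $false }
        $stream.Seek(-($bytes.Length), [System.IO.SeekOrigin]::End) | Out-Null
        $tail = New-Object byte[] $bytes.Length
        $read = $stream.Read($tail, 0, $tail.Length)
        $ok = ($read -eq $bytes.Length) -and ([System.Text.Encoding]::ASCII.GetString($tail) -eq $Marker)
        return $ok
    } finally {
        $stream.Dispose()
    }
}

function Find-MarkedFiles {
    # Walks a directory tree and lists files that end with the marker.
    param([string]$Root = "$env:USERPROFILE\Documents")
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-EncryptedMarker -Path $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

Write-Host '== Scheduled tasks =='
Find-BadRabbitTasks | Format-Table -AutoSize
Write-Host '== Dropped files =='
Find-BadRabbitFiles | Format-Table -AutoSize
Write-Host '== Files ending with the marker =='
Find-MarkedFiles | Format-Table -AutoSize
```

A file whose legitimate content happens to end with the word “encrypted” will also be listed, so treat the marker scan as a triage hint to be confirmed against the task and file indicators rather than as proof on its own.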

UPDATE November 6, 2017

It appears that Bad Rabbit ransomware hid another, quieter cyber attack happening in Ukraine. Serhiy Demedyuk, the head of the Ukrainian state cyber police, told Reuters that several Ukrainian institutions were targeted by severe phishing campaigns at the same time Bad Rabbit was spreading widely.
The main purpose of these campaigns was to compromise financial information and other sensitive data.
“During these attacks, we repeatedly detected more powerful, quiet attacks that were aimed at obtaining financial and confidential information,” said Demedyuk.

UPDATE October 30, 2017

New information about Bad Rabbit ransomware outbreak came to light. Researchers from Cisco Talos discovered that cybercriminals have been using the EternalRomance exploit to propagate in the network. It was also found that the Bad Rabbit ransomware used a modified version of an NSA exploit to spread infection.
Good news from the researchers at Kaspersky Lab, who analysed a sample of this threat and discovered some flaws in the way the criminals operated. Some victims’ files encrypted by Bad Rabbit can be recovered by a technical procedure that involves the AES key used for disk encryption.
“As part of our analysis, we extracted the password generated by the malware during a debugging session and attempted to enter this password when the system was locked after reboot. The password indeed worked and the boot-up process continued.”
Unlike Petya, Bad Rabbit is not destructive like a wiper. It encrypts information on the computer’s hard disk and modifies the bootloader by replacing the MBR (Master Boot Record). The ransom note also looks similar to the one used in the NotPetya attack.
Its spreading method also differs: it uses Mimikatz (to extract credentials from the local computer’s memory) or SMB and WebDAV.
“We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection”
said Martin Lee, Technical Lead for Security Research at Talos
As it appears now, Bad Rabbit has been distributed via malvertising or script injection, and most detections were reported on popular Russian and Ukrainian websites. ESET researchers also said there are reports of computers in Turkey, Bulgaria and other countries being affected.
VirusTotal showed that 55 of 66 antivirus solutions were detecting this type of malware at the time this article was posted.
Source: VirusTotal

Who’s been affected?

The bad news is that this ransomware strain spreads fast and has already caused a lot of damage. Most of the targets are in Russia, which accounts for 65% of detected infections; in Ukraine, transportation organizations such as the Kiev metro and the Odessa airport were hit, along with some governmental organizations and private businesses.
Similar attacks have been spotted in other countries as well: Ukraine, Turkey, Germany, Bulgaria, Poland, Romania and the United States. Here’s a map of Bad Rabbit attacks and the global detection rate.
Source: Avast blog

Protection guide against ransomware attacks

It might look like a nightmare scenario, but you should not panic. Remain calm, be proactive and take all the measures needed to protect your important data and stay safe online.
Security researcher Amit Serper found a simple way to prevent Bad Rabbit from spreading to and infecting your computer: create the files c:\windows\infpub.dat and c:\windows\cscc.dat in advance and remove ALL permissions from them, including inherited ones, so the malware cannot write its own copies.
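Amit Serper’s vaccine, expressed as an added PowerShell example (this is not code from the article or from the researcher): it creates the two file names, switches off ACL inheritance on them and removes every remaining access entry, then reports how many entries are left so you can confirm the lockdown. Function names are my own; it assumes an elevated session on the machine being protected.

```powershell
# Added example (not from the article): create the Bad Rabbit vaccine files and
# strip all permissions from them. Run in an elevated PowerShell session.
$VaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Set-BadRabbitVaccine {
    param([string[]]$Paths = $VaccineFiles)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Empty placeholder file with the name the dropper wants to use
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        $acl = Get-Acl -LiteralPath $path
        # Stop inheriting entries from C:\Windows and discard the inherited copies
        $acl.SetAccessRuleProtection($true, $false)
        # Remove every explicit entry that is left (iterate over a copy)
        foreach ($rule in @($acl.Access)) {
            [void]$acl.RemoveAccessRule($rule)
        }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    # One row per file: present or not, and how many ACEs remain (0 = fully locked down)
    param([string[]]$Paths = $VaccineFiles)
    foreach ($path in $Paths) {
        $exists   = Test-Path -LiteralPath $path
        $aceCount = if ($exists) { (Get-Acl -LiteralPath $path).Access.Count } else { $null }
        [pscustomobject]@{ Path = $path; Exists = $exists; AceCount = $aceCount }
    }
}

Set-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

The owner of a file (the Administrators group, when the file is created from an elevated session) keeps the implicit right to read and rewrite its ACL, which is how the check above can still run after every entry is gone and how you undo the vaccine later if a patch or update needs those paths.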
If you are one of the victims of this ransomware attack, we strongly recommend not to pay the ransom. At this moment, there are no details if there’s any way to decrypt files locked by Bad Rabbit. However, there are some decryption tools out there that you can use/try. Also, this anti-ransomware checklist might help.
We recommend users to take the following protection guide against Bad Rabbit attack:

  • Update your Windows system or any other operating system installed on your computer. It is important to install all the latest updates for all your apps too.
  • Don’t keep your important data exclusively on your computer and make sure you have at least  2 backups of your valuable data on external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.). This useful guide will show you how to do this.
  • Try not to use the administrator account every day and remember to disable macros in the Microsoft Office Package.
  • DO NOT open (spam) or download email (messages) from untrusted or unknown sources that could infect your device. Moreover, don’t click on suspicious links.
  • Make sure you have a paid antivirus software which is also up to date, or consider having a proactive anti ransomware protection (here’s what Heimdal PRO can do for you).
  • When signing into your email or social accounts, you should always use two-factor authentication system for more security.
  • Should you want to remember what is ransomware and how to keep your system protected, we strongly recommend reading this useful guide.
  • The “it can’t happen to me” mindset doesn’t work, and a focus on education should be a top priority. Cyber security education is essential so that everyone has at least a minimum of cyber security knowledge, can easily tell the good from the bad, and is safer online.
  • Credit : heimdalsecurity.com

4/21/2560

WannaCry Ransomware

There is so much news surrounding the WannaCry Ransomware outbreak that it is impossible to know where to start reading. As mainstream media outlets are jumping on any new information that may or may not be connected, some articles even raise more questions than they answer.
The fact is: WannaCry ransomware has hit hundreds of thousands of computers since it began spreading on May 12th, 2017, and it has caught the world’s attention like no other.
But what makes this ransomware infection different to any other? How did it spread so fast? And what can we expect in terms of future ransomware attacks?
To find out, we sat down with Emsisoft CTO and Head of Malware Lab, Fabian Wosar, and Emsisoft Ransomware Researcher, Sarah W., to break down the confusion around WannaCry, how to protect against it and why backups are more important now than ever.

Thank you for taking the time to talk about WannaCry and how it affects our customers. To start off: Why is this ransomware different to other strains and how has it spread so fast?

As part of our daily job, we monitor a lot of different channels to identify and track ransomware activity. Those include our malware and research feeds, community channels like forums, ID Ransomware and Twitter. Friday morning our attention was drawn to a lot of activity on Twitter that was WannaCry related.
We soon started to realise that this wasn’t a normal ransomware outbreak when we saw how the NHS was hit and the rate at which entire networks were impacted.

How WannaCry spread

The ‘Eternal Blue’ Windows vulnerability [an exploit discovered by the NSA and kept under wraps] was leaked among a series of others by The Shadow Brokers hacking group in March 2017. WannaCry uses a type of worm that spreads rapidly across networks via this vulnerability that is present in older, unpatched Microsoft operating systems such as Windows XP. Typically, ransomware is downloaded to one computer at a time. However, with this worm, once it is inside a network it spreads like wildfire from computer to computer, without any action from the computer’s user.
This issue was actually patched by Microsoft in March 2017, meaning the worm only impacted computers with out-of-date operating systems. This is typical of hospitals which are bound to existing hardware that is not built to handle modern operating systems, yet are always connected to the internet.
Because this worm only impacts computers that have not had the most recent Windows update installed, any vulnerable computer open to the internet is at risk. This is why we always stress the importance of keeping all software, especially your operating system, up to date.
[Image: how WannaCry ransomware spreads]

Compared to other global ransomware attacks, how sophisticated is WannaCry?

WannaCry as a worm is only remarkable because of the NSA exploit (Eternal Blue) that it uses. However, that exploit code wasn’t written by the malware author, but was pretty much a copy and paste job. There is nothing sophisticated or impressive about copy and paste.
Other than its worm-like behaviour, WannaCry is nothing special in terms of ransomware. If anything, it is rather unsophisticated.
But this is a big issue for victims. The code used to generate an individual bitcoin address for each user was not enabled, meaning that there are 3 bitcoin addresses to be shared between all victims.
The criminals will have almost no idea which victims have actually paid. Since there is no automatic decryption based on an individual’s bitcoin address, the chances of having your files decrypted after payment are very low.
[Image: WannaCry ransom note]

Since the outbreak, security researchers have been able to find a “killswitch”. Can you explain what this means exactly?

Essentially, malware doesn’t like to be found in people’s systems as this permits forensic analysis of the code which may ultimately lead to the criminal who developed it. By its very nature, malware often tries to avoid analysis by attempting to detect the artificial environments, usually referred to as “sandboxes”, that are set up by researchers to observe and manipulate malware samples running on a system.
Sandboxes are usually isolated from the internet, but a lot of malware requires some kind of access to the internet to function properly. So, sandboxes often simulate an artificial internet, where every connection to the internet always succeeds and every internet address returns something useful.
One method malware uses to detect such an environment is to just try to access an internet address it knows doesn’t exist. If all of a sudden it can, it assumes it is being executed in such a sandbox. The malware quits whatever it is doing so it can’t be observed and looks like a harmless program; this is what’s referred to as ‘killswitch’.
Usually, these checks are done by generating domain names at random, but in this particular case, the WannaCry ransomware author decided to use a hardwired domain name. When it was registered by a fellow researcher, it became accessible via the real internet as well. So, for the malware, every system with a direct connection to the internet looked like a sandbox. The malware simply shut down, thinking it was being observed.
Yet it is still unclear if this killswitch was intended by the WannaCry author or not. What we do know is that the ransomware hasn’t changed at all, and neither has the worm that is spreading it. Until now, there is no confirmed sighting of a truly recompiled and fixed worm component that uses a different kill switch, apart from a few manually edited ones that have never reached the same distribution of the original.

Do you expect further ransomware attacks based on these exploits?

Almost certainly. We don’t doubt more criminals will be using a similar worm to spread malware, including possibly more ransomware. In fact, a bitcoin miner was already spread this way. Given that we have seen other ransomware, such as Spora ransomware, in the past that has had much more sophisticated payment methods, it is not really a question of “if”, but rather “when” we will see a global ransomware outbreak that will be even more “successful” and costly to its victims.

Is there a way to decrypt your data once you have become a victim of the WannaCry ransomware?

Unfortunately not, as WannaCry uses secure encryption. Even if you pay the criminals, as I mentioned above, they have no way to track payments, so you may not get your files back and instead be asked for more money.

Emsisoft customers were not affected by the attack. Can you explain how, and why in other cases, security software was not able to detect the threat?

In some cases, I would think that victims were simply not running an antivirus or any kind of security software. In the cases where people were running security software, it’s possible that the product’s ransomware behaviour detection may be slightly lacking.
Emsisoft’s products in particular use a layered approach when it comes to protecting our users. We believe that no technology on its own is 100% foolproof. However, by applying multiple different technologies, a very high degree of protection can be achieved. In the case of WannaCry ransomware, Emsisoft customers stayed protected from the beginning via a 3-layered approach:
  1. Firewall: If you were using Emsisoft Internet Security, the firewall inside it would have prevented someone from the outside accessing your port 445, which is the port the vulnerable SMB protocol listens to by default and that the WannaCry worm contacts to exploit. If the port can’t be accessed, no exploitation takes place, so your system is completely protected from the malware.
  2. File Guard: The moment before the worm becomes active on the system, the File Guard will check it against our signature database. Our generic signatures that we created for the WannaCry outbreak back in February did cover most of the variants used in this attack as well, so the attack was stopped. The few variants of the worm component that weren’t already covered were added within 30 minutes.
  3. Behavior Blocker: Once the worm component becomes active, the behavior blocking technology will step in, detecting the malware’s attempt to infect the local system as well as the attempt to infect other systems on the network. Similarly, once the ransomware component becomes active, Emsisoft’s Behavior Blocker will detect the ransomware-like behaviour and stop it in its tracks.
So our products are designed with failure in one layer in mind, as we don’t subscribe to the philosophy of putting all of our eggs in one basket. Even if one layer doesn’t stop the infection, there are others to step in.
That being said, no product will detect everything. This is why securing your system and making backups is important.

How at risk are consumers and business following this attack, and what else can be done to protect against a future ransomware outbreak?

The 3-2-1 backup philosophy is the best protection against ransomware:
[Image: the 3-2-1 backup rule as protection against WannaCry]
Keeping on top of updates for your operating system and all high-risk applications (applications that either access the internet directly or that are used to edit or view documents originating from the internet/email, like browsers, PDF viewers, media players, email clients etc.) is the second most important thing.
Yes, updates can break things sometimes. However, having proper backups mitigates those dangers as it allows a user to simply restore the previous version easily just in case something does break. Backups are awesome like that.
Last but not least, using an up-to-date anti-malware software helps to mitigate the vast majority of all malware, so use it. Using some kind of firewall, either in form of a router or the built-in Windows firewall, helps to mitigate worms like the WannaCry one by isolating potentially vulnerable services from the internet.
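The firewall advice in the answer above can be applied with the built-in Windows firewall. The script below is an added example, not code from Emsisoft or the interview: it adds an inbound block for TCP 445 on the Public profile (the display name is my own choice), then summarises whether anything is listening on 445, which firewall profiles are active, and whether SMBv1, the protocol version that EternalBlue targets, is still enabled. It assumes an elevated session on Windows 8 / Server 2012 or later, where these cmdlets exist.

```powershell
# Added example (not from the interview): isolate SMB from untrusted networks and
# report the machine's exposure. Run from an elevated PowerShell session.

function Block-InboundSmb {
    # Blocks inbound TCP 445 on the Public profile only, so file sharing on
    # domain/private networks keeps working. Rule name is our own.
    $name = 'Block inbound SMB (TCP 445) on public networks'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Profile, Action
}

function Get-SmbExposure {
    # Is the SMB server listening, which profiles are enabled, is SMBv1 still on?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $smb1      = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $profiles  = Get-NetFirewallProfile |
                     Where-Object { $_.Enabled -eq 'True' } |
                     Select-Object -ExpandProperty Name
    [pscustomobject]@{
        ListeningOn445     = [bool]$listening
        Smb1Enabled        = $smb1
        FirewallProfilesOn = ($profiles -join ', ')
    }
}

Block-InboundSmb | Format-Table -AutoSize
Get-SmbExposure  | Format-List
```

If Smb1Enabled comes back True on a machine that does not need to talk to legacy devices, disabling it (Set-SmbServerConfiguration -EnableSMB1Protocol $false) removes the vulnerable protocol version entirely rather than only hiding it behind a firewall rule; installing the March 2017 patch the interview mentions is still required either way.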

Credit: blog.emsisoft.com
https://blog.emsisoft.com/en/27346/wannacry-ransomware-interview/

1/01/2560

Emsisoft Releases Free Decrypter for OpenToYou Ransomware

Emsisoft CTO/researcher Fabian Wosar has created a decrypter for the newly discovered OpenToYou ransomware that will allow infected victims to recover encrypted files without needing to pay a ransom.
The ransomware’s name comes from the email address the crook wants victims to contact (opentoyou@india.com) and from the file extension appended to each encrypted file (.-opentoyou@india.com).

OpenToYou infection process

When it first infects a computer, the OpenToYou ransomware will create a password string, use SHA-1 to derive an encryption key from the password, which it then uses to encrypt the victim’s files with the RC4 algorithm.
The ransomware targets 242 file types for encryption. The following file extensions are targeted:
*.3ds,*.3fr,*.4db,*.7z,*.7zip,*.accdb,*.accdt,*.aes,
*.ai,*.apk,*.arch00,*.arj,*.arw,
*.asset,*.avi,*.bar,*.bay,*.bc6,*.bc7,*.big,*.bik,
*.bkf,*.bkp,*.blob,*.bpw,*.bsa,
*.cas,*.cdr,*.cer,*.cfr,*.cr2,*.crp,*.crt,*.crw,
*.css,*.csv,*.d3dbsp,*.das,*.dazip,
*.db0,*.dba,*.dbf,*.dbx,*.dcr,*.der,*.desc,*.dmp,
*.dng,*.doc,*.docm,*.docx,*.dot,
*.dotm,*.dotx,*.dwfx,*.dwg,*.dwk,*.dxf,*.dxg,*.eml,
*.epk,*.eps,*.erf,*.esm,*.ff,*.flv,
*.forge,*.fos,*.fpk,*.fsh,*.gdb,*.gho,*.gpg,*.gxk,
*.hkdb,*.hkx,*.hplg,*.hvpl,*.ibank,
*.icxs,*.idx,*.ifx,*.indd,*.iso,*.itdb,*.itl,*.itm,
*.iwd,*.iwi,*.jpe,*.jpeg,*.jpg,*.js,
*.kdb,*.kdbx,*.kdc,*.key,*.kf,*.ksd,*.layout,*.lbf,
*.litemod,*.lrf,*.ltx,*.lvl,*.m2,
*.m3u,*.m4a,*.map,*.max,*.mcmeta,*.mdb,*.mdbackup,
*.mddata,*.mdf,*.mef,*.menu,*.mlx,
*.mov,*.mp3,*.mp4,*.mpd,*.mpp,*.mpqge,*.mrwref,
*.myo,*.nba,*.nbf,*.ncf,*.nrw,*.nsf,
*.ntl,*.nv2,*.odb,*.odc,*.odm,*.odp,*.ods,*.odt,
*.ofx,*.orf,*.p12,*.p7b,*.p7c,*.pak,
*.pdb,*.pdd,*.pdf,*.pef,*.pem,*.pfx,*.pgp,*.pkpass,
*.png,*.ppj,*.pps,*.ppsx,*.ppt,
*.pptm,*.pptx,*.prproj,*.psd,*.psk,*.pst,*.psw,*.ptx,
*.py,*.qba,*.qbb,*.qbo,*.qbw,
*.qdf,*.qfx,*.qic,*.qif,*.raf,*.rar,*.raw,*.rb,*.re4,
*.rgss3a,*.rim,*.rofl,*.rtf,
*.rw2,*.rwl,*.saj,*.sav,*.sb,*.sdf,*.sid,*.sidd,
*.sidn,*.sie,*.sis,*.sko,*.slm,*.snx,
*.sql,*.sr2,*.srf,*.srw,*.sum,*.svg,*.sxc,*.syncdb,
*.t12,*.t13,*.tar,*.tax,*.tbl,
*.tib,*.tor,*.txt,*.upk,*.vcf,*.vdf,*.vfs0,*.vpk,
*.vpp_pc,*.vtf,*.w3x,*.wallet,*.wb2,
*.wdb,*.wma,*.wmo,*.wmv,*.wotreplay,*.wpd,*.wps,
*.x3f,*.xf,*.xlk,*.xls,*.xlsb,*.xlsm,
*.xlsx,*.xml,*.xxx,*.zip,*.ztmp
As a side note, OpenToYou also encrypts files without a file extension.
The ransomware will lock files on all drives, with the exception of the following folders:
C:\$Recycle.Bin
C:\Logs
C:\Users\All Users
C:\Windows
C:\ProgramData
C:\Program Files
C:\Program Files (x86)
C:\nvidia
C:\intel
C:\Boot
C:\bootmgr
C:\PerfLogs
C:\Drivers
C:\MSOCache
C:\Program instal
%USERPROFILE%\AppData
Unfortunately, this exception list contains an error: “C:\bootmgr” is not a folder but a file.
This slip-up on the part of OpenToYou’s author means the ransomware encrypts the boot loader “bootmgr” on Windows workstations that boot from the MBR, leaving the victim’s computer unable to boot the next time it is restarted.
After the encryption process ends, the ransomware will replace the user’s desktop wallpaper with the following image:
[Image: OpenToYou ransom note wallpaper]
At the same time, OpenToYou drops a file named !!!.txt on the user’s Desktop. This file contains a written version of the ransom note, as reproduced below:
Your files are encrypted!
To decrypt write on email – opentoyou@india.com
Identification key – 5E1C0884
The number “5E1C0884” in the ransom note above is the victim’s ID, which they must send to the ransomware author by email. This ID is the volume serial number of the computer’s C: drive.
[Image: the C: volume serial number used by OpenToYou as the victim ID]
At the time of writing, the ransomware appears to be under development. The reason for this assumption is that the ransomware creates a folder named “C:\Logs” to store temporary files and debug data.
This folder’s content is always the same, and its presence can be used to detect OpenToYou ransomware infections in their early stages.
C:\Logs\1.bmp      [the desktop wallpaper image]
C:\Logs\1.jpg      [the desktop wallpaper image]
C:\Logs\AllFilesList.ini
C:\Logs\Log.ansi.txt
C:\Logs\Log.UTF-16LE.txt
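The artifacts just listed, the appended extension and the volume-serial victim ID together give a quick way to confirm an OpenToYou infection on a machine. The script below is an added example, not part of the Emsisoft post or decrypter: it checks which of the C:\Logs files are present, lists files carrying the .-opentoyou@india.com extension under a root of your choice (default: the user profile), prints the C: volume serial number so it can be compared with the “Identification key” in the note, and shows the note itself if !!!.txt is on the desktop. Function names are my own.

```powershell
# Added example (not from the post): confirm OpenToYou artifacts on a machine.

# Files the post says always appear in the staging folder
$OpenToYouArtifacts = @(
    'C:\Logs\1.bmp',
    'C:\Logs\1.jpg',
    'C:\Logs\AllFilesList.ini',
    'C:\Logs\Log.ansi.txt',
    'C:\Logs\Log.UTF-16LE.txt'
)

function Get-OpenToYouArtifacts {
    # One row per expected artifact: present or not, and size in bytes.
    foreach ($path in $OpenToYouArtifacts) {
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $path
            Present = [bool]$item
            Bytes   = if ($item) { $item.Length } else { $null }
        }
    }
}

function Find-OpenToYouEncryptedFiles {
    # Files carrying the extension the ransomware appends.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.-opentoyou@india.com' } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-VictimId {
    # The post says the 8-hex-digit key in the note is the C: volume serial number.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
    $disk.VolumeSerialNumber
}

function Get-RansomNote {
    # The note is dropped as !!!.txt on the user's desktop.
    $note = Join-Path ([Environment]::GetFolderPath('Desktop')) '!!!.txt'
    if (Test-Path -LiteralPath $note) { Get-Content -LiteralPath $note }
}

Get-OpenToYouArtifacts | Format-Table -AutoSize
Find-OpenToYouEncryptedFiles | Format-Table -AutoSize
"Expected identification key for this machine: $(Get-VictimId)"
Get-RansomNote
```

Because the ID is just the volume serial number, a match between Get-VictimId and the note confirms the note was generated on this machine; it is not a secret, and knowing it gives the victim nothing the attacker does not already have.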
Victims affected by this ransomware can recover their data using the Emsisoft OpenToYou Decrypter, which is available for download on our site.
[Image: Emsisoft OpenToYou Decrypter]
It is not uncommon to see in-dev ransomware being analysed and decrypted even before it’s delivered to users via spam or malvertising campaigns. If you’ve been infected by a version of this ransomware, don’t hesitate to reach out to Emsisoft researchers for help.
Users employing Emsisoft Anti-Malware or Emsisoft Internet Security have been proactively protected from this threat by Emsisoft’s Behavior Blocker technology:
[Image: Emsisoft Behavior Blocker detecting OpenToYou]
This blog post is based on the OpenToYou ransomware sample with the following SHA-256 hash: 3363542a8224cb7624b699fbcc34143c80ad1063196763b9fea0e6f45091454c.
Credit : blog.emsisoft.com
 https://blog.emsisoft.com/en/25673/emsisoft-releases-free-decrypter-for-opentoyou-ransomware/

Information

==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt
-------------------------------------------------------------------------------------
If you downloaded the PeeTechFix tool and ran into problems or could not remove the virus, please report it by email to MalwareHunter.info@gmail.com, or send the virus file as well; I would be very grateful.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the problem where a virus has deleted the Safeboot key so Safe Mode cannot be started
------------------------------------------------------------------------------------
How to fix the error message (for when .exe files on a USB drive will not open)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
For the fix, see this link
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode
