Bad Rabbit ransomware. How to protect yourself from the new Bad Rabbit ransomware

Kaspersky Lab believes it may be the harbinger of a third wave of ransomware, after the much-publicised WannaCry and Petya (also known as NotPetya). Cybersecurity experts told MIR 24 about the new network malware and how to protect against its attack.

Most of the victims of the Bad Rabbit attack are in Russia; there are significantly fewer in Ukraine, Turkey and Germany, noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The next most affected countries were probably those where users actively visit Russian Internet resources.

Once the malware infects a computer, it encrypts the files on it. It was spread through web traffic from compromised websites, mainly those of federal Russian media; computers and servers of the Kiev metro, the Ukrainian Ministry of Infrastructure and Odessa International Airport were also hit. An unsuccessful attempt to attack Russian banks from the top 20 was also recorded.

That Fontanka, Interfax and a number of other publications were attacked by Bad Rabbit was reported yesterday by Group-IB, which specializes in information security. Analysis of the malware's code showed that Bad Rabbit is related to the NotPetya ransomware, which in June this year attacked energy, telecommunications and financial companies in Ukraine.

The attack was prepared over several days, and despite the scale of the infection the ransomware demands relatively small sums from its victims: 0.05 bitcoin (about $283, or 15,700 rubles) per machine. The victim has 48 hours to pay; after that period expires, the amount increases.

Group-IB experts believe the attackers most likely have no intention of making money. Their probable goal is to test the level of protection of the networks of critical infrastructure enterprises, government departments and private companies.

It's easy to fall victim to an attack

When a user visits a compromised site, injected malicious code sends information about the visitor to a remote server. A pop-up window then appears offering a Flash Player update, which is fake. If the user approves the "Install" operation, a file is downloaded to the computer, which in turn launches the Win32/Diskcoder.D encryptor on the system. Access to documents is then blocked and a ransom message appears on the screen.

Bad Rabbit scans the network for open network shares, then launches a credential-harvesting tool on the infected machine; this behaviour distinguishes it from its predecessors.

Experts at the international antivirus developer ESET (maker of NOD32) confirmed that Bad Rabbit is a new modification of the Petya malware, which worked on the same principle: it encrypted data and demanded a ransom in bitcoin (an amount comparable to Bad Rabbit's, about $300). The new malware fixes bugs in the file-encryption routine. Its code is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as the bootable system partition.

Speaking about the audience targeted by Bad Rabbit, ESET Russia sales support leader Vitaly Zemskikh said that 65% of the attacks stopped by the company's antivirus products occurred in Russia. The rest of the geography of the new malware looks like this:

Ukraine: 12.2%
Bulgaria: 10.2%
Turkey: 6.4%
Japan: 3.8%
Others: 2.4%

"The ransomware uses the well-known open-source software DiskCryptor to encrypt the victim's disks. The lock-screen message the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity that we have observed so far between the two malware. In all other aspects, BadRabbit is a completely new and unique type of ransomware," says Nikita Durov, CTO of Check Point Software Technologies.

How to protect yourself from Bad Rabbit?

Owners of operating systems other than Windows can breathe a sigh of relief: the new ransomware affects only Windows computers.

To protect against this network malware, experts recommend creating the file C:\Windows\infpub.dat on the computer in advance and making it read-only (this is easily done in the file's security settings). The ransomware drops its payload under that name, so an existing file it cannot overwrite blocks execution, and documents will not be encrypted even if the dropper is run. To avoid losing valuable data in the event of infection, make a backup now. And, of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.

Recall that the WannaCry malware spread to at least 150 countries in May this year. It encrypted data and demanded a ransom of, according to various sources, $300 to $600. More than 200 thousand users were affected. According to one version, its creators based it on the EternalBlue exploit leaked from the US NSA.

Alla Smirnova spoke with experts

The Bad Rabbit ransomware, also known as Diskcoder.D, attacks the corporate networks of large and medium-sized organizations, locking up entire networks.

Bad Rabbit (literally "bad rabbit") can hardly be called a pioneer: it was preceded by the Petya and WannaCry ransomware.

Bad Rabbit: what kind of malware it is

Experts at the antivirus company ESET investigated the spread of the new malware and found that Bad Rabbit got onto victims' computers disguised as an Adobe Flash update for the browser.

The company believes that the Win32/Diskcoder.D encryptor, dubbed Bad Rabbit, is a modified version of Win32/Diskcoder.C, better known as Petya/NotPetya, which hit the IT systems of organizations in several countries in June. The link between Bad Rabbit and NotPetya is indicated by matching code.

The attack uses the Mimikatz program, which extracts logins and passwords on the infected machine. The code also contains a hard-coded list of logins and passwords that it tries in order to gain administrative access to other machines.

The new malware fixes bugs in file encryption: its code encrypts logical drives, external USB drives and CD/DVD images, as well as the bootable system partition. So decryption experts will have to spend a long time unravelling Bad Rabbit's secrets, specialists say.

According to experts, the new malware follows the standard ransomware scheme: once on the system, it encrypts files, and the attackers demand a ransom in bitcoin to decrypt them.

Unlocking one computer costs 0.05 bitcoin, about $283 at the current exchange rate. If the ransom is paid, the scammers promise to send a special key that will restore normal operation of the system without losing everything.

If the user does not transfer the funds within 48 hours, the ransom grows.

However, it is worth remembering that paying the ransom can be a trap that does not guarantee the computer will be unlocked.

ESET notes that there is currently no communication between the malware and the remote server.

The malware hit Russian users hardest, and to a lesser extent companies in Germany, Turkey and Ukraine. It spread through compromised media websites. The known infected sites have already been blocked.

ESET believes that the attack statistics largely correspond to the geographical distribution of sites containing malicious JavaScript.

How to protect yourself

Specialists at Group-IB, a company that prevents and investigates cybercrime, gave recommendations on how to protect against Bad Rabbit.

In particular, to protect against the network malware, create the file C:\Windows\infpub.dat on the computer and set read-only permissions on it in the file's security settings.

This blocks execution of the file, and documents arriving from outside will not be encrypted even if they are infected. Make a backup of all valuable data so that it is not lost in case of infection.

Group-IB experts also advise blocking the IP addresses and domain names from which the malicious files were distributed, and deploying pop-up blockers for users.

It is also recommended to promptly isolate computers flagged by the intrusion detection system. Users should also check that backups of key network nodes are current and intact, and update operating systems and security software.

"As for the password policy: using Group Policy settings, prohibit storing passwords in clear text in the LSA dump. Change all passwords to complex ones," the company added.

Predecessors

The WannaCry malware spread to at least 150 countries in May 2017. It encrypted data and demanded a ransom of, according to various sources, $300 to $600.

More than 200 thousand users were affected. According to one version, its creators based it on the EternalBlue exploit leaked from the US NSA.

The global Petya ransomware attack on June 27 affected the IT systems of companies in several countries, hitting Ukraine hardest.

Computers of oil, energy, telecommunications and pharmaceutical companies and of government agencies were attacked. Ukraine's cyber police said the ransomware was delivered through the M.E.Doc program.

Material prepared on the basis of open sources

Back in the late 1980s, the AIDS trojan ("PC Cyborg"), written by Joseph Popp, hid directories and encrypted files, demanding about $200 for a "license renewal". At first, ransomware targeted only ordinary people using Windows computers, but the threat has since become a serious problem for business: new programs appear all the time, and they are becoming cheaper and more accessible. Extortion using malware is the main cyber threat in two thirds of EU countries. One of the most widespread ransomware families, CryptoLocker, has infected more than a quarter of a million computers in the EU since September 2013.

In 2016, the number of ransomware attacks increased sharply: by analysts' estimates, more than a hundredfold compared with the previous year. The trend is growing and, as we have seen, very different companies and organizations are under attack; the threat is relevant for non-profit organizations too. Because the malware is upgraded and tested by cybercriminals before each major attack so that it "passes" antivirus protection, antivirus products are, as a rule, powerless against it.

On October 12, the Security Service of Ukraine warned of the likelihood of new large-scale cyberattacks on government structures and private companies, similar to the June epidemic of the NotPetya ransomware. According to the Ukrainian security service, "the attack can be carried out using updates, including publicly available application software." Recall that in the NotPetya attack, which researchers associated with the BlackEnergy group, the first victims were companies using the software of the Ukrainian developer of the M.E.Doc document management system.

Then, within the first two hours, energy, telecommunications and financial companies were attacked: Zaporozhyeoblenergo, Dneproenergo, Dnipro Electric Power System, Mondelez International, Oschadbank, Mars, Novaya Pochta, Nivea, TESA, Kiev Metro, computers of the Cabinet of Ministers and the Government of Ukraine, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom), Privatbank and Boryspil airport.

Earlier, in May 2017, the WannaCry ransomware attacked 200,000 computers in 150 countries. It spread across the networks of universities in China, Renault factories in France and Nissan in Japan, the telecommunications company Telefonica in Spain and the railway operator Deutsche Bahn in Germany. Because of locked computers in UK clinics, operations had to be postponed, and regional divisions of the Russian Interior Ministry were unable to issue driver's licenses. Researchers said the North Korean Lazarus group was behind the attack.

In 2017, ransomware reached a new level: cybercriminals' use of tools from the arsenals of the American intelligence services, together with new distribution mechanisms, led to international epidemics, the largest of which were WannaCry and NotPetya. Despite the scale of the infections, the ransomware itself collected relatively insignificant sums; most likely these were not attempts to make money but to test the level of protection of the networks of critical infrastructure enterprises, government agencies and private companies.

The end of October this year was marked by the emergence of new malware that actively attacked the computers of corporate and home users: a ransomware called Bad Rabbit. It attacked the websites of several Russian media outlets and was later found in the information networks of Ukrainian enterprises, where the networks of the subway, various ministries, international airports and others were hit. A little later, a similar attack was observed in Germany and Turkey, although its activity there was significantly lower than in Ukraine and Russia.

The malware is delivered as a fake browser plug-in update and, once on the computer, encrypts the user's files. After the data has been encrypted, the attackers demand payment from users to decrypt it.

The spread of the virus

Experts at ESET's antivirus laboratory analysed the malware's propagation method and concluded that it is a modified version of the Petya malware that spread recently.

ESET's specialists established that the malicious "plugin" was distributed from the domain 1dnscontrol.com and the IP address 5.61.37.209. Several other resources are associated with this domain and IP, including secure-check.host, webcheck01.net, secureinbox.email, webdefense1.net, secure-dns1.net and firewebmail.com.

Investigators found that the owners of these sites have registered many other resources, for example ones through which they try to sell counterfeit medicines via spam mailings. ESET experts do not rule out that the main cyberattack was carried out with the help of these resources, using spam mailings and phishing.

How Bad Rabbit gets infected

Experts from the Computer Forensics Laboratory investigated how the malware got onto users' computers. They found that in most cases the Bad Rabbit ransomware was distributed as an Adobe Flash update. In other words, the initial infection did not exploit any operating-system vulnerability: the malware was installed by the users themselves, who unknowingly approved its installation, believing they were updating the Adobe Flash plugin. Once inside the local network, it stole logins and passwords from memory and spread itself to other systems.

How hackers extort money

After the ransomware has been installed on the computer, it encrypts the stored data. Users then receive a message stating that, to regain access to their data, they must make a payment on a specified site on the darknet; to reach it they first need to install the Tor browser. The attackers demand 0.05 bitcoin to unlock a computer. At today's price of $5,600 per bitcoin, that is roughly $280. The user is given 48 hours to pay; if the required amount has not been transferred to the attackers' wallet by then, the amount is increased.

How to protect yourself from the virus

  1. To protect against infection with Bad Rabbit, block access from your network to the domains listed above.
  2. Home users should update their Windows installation and antivirus software. The malicious file will then be detected as ransomware, preventing its installation on the computer.
  3. Users of the operating system's built-in antivirus, Windows Defender Antivirus, already have protection against this ransomware.
  4. Kaspersky Lab advises all users to back up their data regularly. Experts also recommend blocking execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat and, if possible, disabling the WMI service.
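The host-level measures recommended in this piece (pre-creating infpub.dat and cscc.dat, blocking the distribution domains and IP address, stopping LSASS from keeping cleartext credentials for Mimikatz to read, and optionally disabling WMI) can be applied in one elevated PowerShell script. The script below is an added example written for this page, not a script from Group-IB, Kaspersky Lab or ESET. It assumes Windows 8.1/Server 2012 R2 or later (for New-NetFirewallRule), PowerShell 5, and that the WDigest UseLogonCredential registry value is the intended equivalent of the Group Policy setting Group-IB refers to. The article describes the vaccine files as read-only; the script additionally denies Everyone all access, because the dropper runs with administrator rights and a plain read-only attribute can simply be cleared.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not Group-IB, Kaspersky Lab or ESET code).
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell 5 session.
param(
    [switch]$DisableWmi    # opt-in: breaks SCCM, monitoring agents and remote management
)

# Distribution domains and IP address named in the ESET section of this article.
$BadRabbitDomains = @('1dnscontrol.com', 'secure-check.host', 'webcheck01.net',
                      'secureinbox.email', 'webdefense1.net', 'secure-dns1.net',
                      'firewebmail.com')
$BadRabbitIp = '5.61.37.209'

function Protect-VaccineFile {
    # Pre-create the file the dropper writes to C:\Windows, mark it read-only
    # and deny Everyone (SID S-1-1-0) all access so it cannot be overwritten.
    param([string]$Path)
    $everyoneSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    if (Test-Path -LiteralPath $Path) {
        $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        if ($rules | Where-Object { $_.AccessControlType -eq 'Deny' -and
                                    $_.IdentityReference.Value -eq 'S-1-1-0' }) {
            Write-Host "already vaccinated: $Path"; return
        }
    } else {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Set the attribute before adding the deny ACE: once Everyone is denied
    # WriteAttributes, even an administrator must take ownership first.
    (Get-Item -LiteralPath $Path).Attributes = [IO.FileAttributes]::ReadOnly
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyoneSid, [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny))
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "vaccinated: $Path"
}

function Disable-WDigestCleartext {
    # Registry form of the Group Policy hardening Group-IB refers to (assumed
    # equivalent): stop LSASS keeping a reversible copy of logon credentials,
    # which is what Mimikatz reads out. Applies to new logons; reboot to flush.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

function Add-HostsSinkhole {
    # Host-level fallback for the perimeter block the article recommends.
    param([string[]]$Domains)
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $current = @(Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue)
    foreach ($d in $Domains) {
        $pattern = '^\s*0\.0\.0\.0\s+' + [regex]::Escape($d) + '(\s|$)'
        if (-not ($current -match $pattern)) {
            Add-Content -LiteralPath $hosts -Value "0.0.0.0 $d    # BadRabbit sinkhole"
        }
    }
}

function Block-OutboundIp {
    # Outbound firewall rule for the distribution server's address.
    param([string]$Ip)
    $name = "BadRabbit block $Ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -RemoteAddress $Ip `
                            -Action Block -Profile Any | Out-Null
    }
}

foreach ($f in 'infpub.dat', 'cscc.dat') { Protect-VaccineFile -Path (Join-Path $env:SystemRoot $f) }
Disable-WDigestCleartext
Add-HostsSinkhole -Domains $BadRabbitDomains
Block-OutboundIp -Ip $BadRabbitIp
if ($DisableWmi) {
    # The article's "if possible" is doing real work here: WMI is used by most
    # management and monitoring tooling, so only disable it where that is acceptable.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
}
```

Run it as `.\Harden-BadRabbit.ps1` from an elevated prompt, adding `-DisableWmi` only on hosts that do not need WMI. The vaccine files stop this particular dropper, which writes a fixed path; they do nothing against a variant that uses a different file name, so they complement, rather than replace, the backups and patching the article also recommends.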

Conclusion

Every computer user should remember that cybersecurity comes first when working online. Use only trusted information resources and be careful with email and social networks, since these are the channels through which malware most often spreads. Following elementary rules of behaviour online will spare you the problems that arise in a malware attack.

Yesterday, October 24, 2017, major Russian media outlets and a number of Ukrainian state institutions were attacked by unknown attackers. Among the victims were Interfax, Fontanka and at least one other unnamed online publication. After the media, Odessa International Airport, the Kiev Metro and the Ukrainian Ministry of Infrastructure also reported problems. According to analysts at Group-IB, the criminals also tried to attack banking infrastructure, but these attempts were unsuccessful. ESET experts, in turn, say the attacks also affected users in Bulgaria, Turkey and Japan.

As it turned out, the disruptions at companies and government agencies were caused not by massive DDoS attacks but by a ransomware named Bad Rabbit (some experts prefer to write BadRabbit, without a space).

Little was known about the malware and its mechanisms yesterday: it was reported that the ransomware demanded 0.05 bitcoin, and Group-IB experts said the attack had been prepared over several days. For example, two JS scripts were found on the attackers' website, and, judging by information from the server, one of them was updated on October 19, 2017.

Now, less than a day after the attacks began, the ransomware has already been analysed by experts at almost all the world's leading information security companies. So what is Bad Rabbit, and should we expect a new ransomware epidemic on the scale of WannaCry or NotPetya?

How did Bad Rabbit disrupt major media outlets if it arrived as fake Flash updates? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS, and it also carried a list of the most common logins and passwords. It used all of this to spread via SMB and WebDAV to other servers and workstations on the same network as the infected device. Experts at those companies and at Cisco Talos believe that in this case the tool stolen from the intelligence services, which exploits holes in SMB, was not needed. Recall that WannaCry and NotPetya were spread using that very exploit.
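The spread described above (and in the earlier section on Mimikatz and the hard-coded credential list) leaves a recognisable footprint on a target: one source host failing network logons against many different accounts within a few seconds as it walks its list over SMB. The function below is an added example for this page, not detection content from ESET, Emsisoft, Fox-IT or Cisco Talos; it groups Windows Security event 4625 (failed logon, network logon type 3) by source address and flags a source that tries more distinct accounts than a threshold inside a time window. The event records are constructed for the example, and the account names are a generic guess list, not the malware's actual one, which the article does not reproduce.

```powershell
# Added example for this page, not code from ESET, Emsisoft, Fox-IT or Cisco Talos.
# Field names follow Windows Security event 4625: TargetUserName, IpAddress, LogonType.

function ConvertFrom-SecurityEvent {
    # Flatten a real Get-WinEvent record into the shape Find-CredentialSpray expects.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated; Id = $Event.Id
            TargetUserName = $data.TargetUserName; IpAddress = $data.IpAddress
            LogonType = [int]$data.LogonType
        }
    }
}

function Find-CredentialSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinAccounts = 5,      # distinct accounts tried from one source ...
        [int]$WindowMinutes = 10    # ... within this many minutes
    )
    # 4625 = failed logon; LogonType 3 = network logon (SMB, WebDAV), which is how the worm arrives
    $failed = $Events | Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 3 }
    foreach ($src in ($failed | Group-Object IpAddress)) {
        $sorted = @($src.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window starting at each failure: count distinct accounts it covers
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $accounts = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end } |
                          Select-Object -ExpandProperty TargetUserName -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                [pscustomobject]@{
                    Source   = $src.Name
                    Start    = $start
                    Accounts = $accounts.Count
                    Sample   = ($accounts | Select-Object -First 5) -join ', '
                    Verdict  = 'credential spray: check for Bad Rabbit-style lateral movement'
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample records (not real telemetry). The names are a generic guess
# list for the example, not the malware's hard-coded one.
$t0 = Get-Date '2017-10-24T13:00:00'
$names = 'Administrator', 'Admin', 'Guest', 'User', 'backup', 'support', 'operator', 'root'
$SampleEvents = @(
    # 192.0.2.10 walks the list against this host, one account every five seconds
    for ($i = 0; $i -lt $names.Count; $i++) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5 * $i); Id = 4625
                           TargetUserName = $names[$i]; IpAddress = '192.0.2.10'; LogonType = 3 }
    }
    # one user mistyping a password twice: same source, one account, not an alert
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Id = 4625; TargetUserName = 'alice'; IpAddress = '192.0.2.20'; LogonType = 3 }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); Id = 4625; TargetUserName = 'alice'; IpAddress = '192.0.2.20'; LogonType = 3 }
    # a successful logon (4624) is ignored entirely
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Id = 4624; TargetUserName = 'bob'; IpAddress = '192.0.2.30'; LogonType = 3 }
)

# Expected: one row for 192.0.2.10 with Accounts = 8; nothing for the other sources.
Find-CredentialSpray -Events $SampleEvents | Format-Table -AutoSize

# Against a live host (requires logon-failure auditing to be enabled):
# Find-CredentialSpray -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625;
#     StartTime=(Get-Date).AddHours(-1)} | ConvertFrom-SecurityEvent)
```

Two caveats follow from the article's own description of the worm. Credentials stolen from LSASS with Mimikatz succeed on the first attempt and never produce a 4625, so this check only sees the guess-list half of the spread; pair it with watching 4624 network logons between workstations, which are rare in most estates. And the detection depends on failure auditing being switched on, which is exactly the kind of setting to verify before an outbreak rather than during one.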

Nevertheless, experts did find some similarities between Bad Rabbit and Petya (NotPetya). For example, the ransomware not only encrypts user files using the open-source DiskCryptor but also modifies the MBR (Master Boot Record), then reboots the computer and displays the ransom note on screen.

Although the attackers' ransom note is almost identical to the one from the NotPetya operators, experts' opinions on the connection between Bad Rabbit and NotPetya differ slightly. For example, Intezer analysts calculated that the source code of the malware