Organizations in Russia, Ukraine and a few hours later also the U.S. are under siege from Bad Rabbit, a new strain of ransomware which is basically a new, improved NotPetya version 2, the WSJ reported.

Other sources did not include the U.S. yet, but that is just a matter of time. The outbreak started Tuesday and froze computer systems in several European countries. Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections.

Russia’s Interfax news agency reported on Twitter that the outbreak shut down some of its servers, forcing Interfax to rely on its Facebook account to deliver news.

Bad Rabbit Starts With Social Engineering

The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim, You have just 40 hours to pay.

This is NotPetya v2.0, much improved over the earlier version, and looks like it's the North Koreans again, who caused major disruptions to global corporations in June this year. Our friends at MalwareBytes blogged: "The code has many overlapping elements to the code of Petya/NotPetya, which suggests that the authors behind the attack are the same. Again, they tried to compose their malicious bundle out of stolen elements, however, the stolen Petya kernel has been substituted with a more advanced disk crypter in the form of a legitimate driver."

Encrypted data is recoverable after buying the key

It looks like the authors tried to improve upon previous mistakes and wrap up unfinished business. So far, it seems that in the current release, encrypted data is recoverable after buying the key, which means the BadRabbit attack is not as destructive as the previous one." They fixed a lot of bugs in the file encryption process.

Based on analysis by ESETEmsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer's memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.

MimiKatz is a well known tool to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory, and can also perform pass-the-hash, pass-the-ticket or build Golden tickets, link to Github. As opposed to some public claims, Bad Rabbit does not use the EternalBlue vulnerability like the NotPetya outbreak.  It does scan internal network for open SMB shares though.

The hardcoded creds are hidden inside the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a worst passwords list. (Note To Self: all user passwords need to be strong, step all employees through a strong password training module ASAP.)

You need to buy two separate decryption keys

As for Bad Rabbit, the ransomware is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user's computer and then replaces the MBR (Master Boot Record). This means you need to buy two keys, one for the bootloader and one for the files themselves. This basically bricks the machine. More technical background at bleepingcomputer.

How to Inoculate a machine if your endpoint software does not block Bad Rabbit

  • Block execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat.
  • Disable the WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.

Read the full article here: