"Bad Rabbit: New Petya-like Ransomware Rapidly Spreading Across Europe A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours... Dubbed "Bad Rabbit," is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~ $285) as ransom from victims to unlock their systems. According to an initial analysis provided by the Kaspersky, the ransomware was distributed via drive-by download attacks, using fake Adobe Flash players installer to lure victims' in to install malware unwittingly... However, security researchers at ESET have detected Bad Rabbit malware as 'Diskcoder.D' — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye... ESET believes the new wave of ransomware attack is using EternalBlue exploit — the same leaked SMB vulnerability which was used by WannaCry and Petya ransomware to spread through networks... The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine..." https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
"New 'Bad Rabbit' ransomware attack spreading across Europe... ...It's not yet clear, Kaspersky says, whether it's possible to recover the files encrypted by Bad Rabbit. However, Kaspersky says you can protect yourself by blocking execution of files "c: \ windows \ infpub.dat" and "C: \ Windows \ cscc.dat." If you are infected, experts advise against paying the ransom..." https://www.windowscentral.com/new-...tm_campaign=Feed: wmexperts (Windows Central)
"BadRabbit Ransomware Attacks Hitting Russia, Ukraine... Researchers at ESET, meanwhile, have said that the disk encryption executable can be spread via SMB. The Mimikatz pen-testing tool is also launched on the compromised machine and steals credentials in addition to a list of hardcoded usernames and passwords..." https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/
If you're totally "security ignorant," you could get nailed. Or, if you have disabled UAC: https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/
Cybereason researcher discovers vaccine for Bad Rabbit Ransomware https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware
"Small Amount of Bad Rabbit Ransomware Victims Detected in the USA. Though the USA and other western countries were not specifically targeted by this campaign, according to cybersecurity and antivirus vendor Avast, Bad Rabbit has now been detected in the USA. 'Avast Software @avast_antivirus #BadRabbit now detected in the U.S. We expect a growing number of detections in the hours ahead. 5:44 PM - Oct 24, 2017'... How did Bad Rabbit make it to the United States? It is important to remember that Bad Rabbit attempts to spread laterally through an organization's network via SMB. It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords. Theoretically, if a U.S. organization had infected partners in the targeted regions and were on the same WAN with SMB access, Bad Rabbit could have spread laterally to the computers located in the USA..." https://www.bleepingcomputer.com/ne...bbit-ransomware-victims-detected-in-the-usa-/
"Bad Rabbit Linked to ExPetr/Not Petya Attacks A link has been confirmed between the Bad Rabbit ransomware outbreak detected yesterday in major organizations in Russia and Ukraine and this summer’s ExPetr/Not Petya attacks. Researchers at Kaspersky Lab said there are “clear ties” between the two attacks though one major piece of the puzzle is missing with Bad Rabbit... Kaspersky Lab researchers said they have found no evidence of EternalBlue—or EternalRomance, another NSA-developed attack that was publicly disclosed by the ShadowBrokers and used in the ExPetr attacks—in yesterday’s attack... 'The hashing algorithm used in the Bad Rabbit attack is similar to the one used by ExPetr. Further, experts have found that both attacks use the same domains; and similarities in the respective source codes indicate that the new attack is linked to the creators of ExPetr,'..." https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/
Security Firms Say Bad Rabbit Attack Carried Out by NotPetya Group https://www.bleepingcomputer.com/ne...-rabbit-attack-carried-out-by-notpetya-group/
"Bad Rabbit used NSA “EternalRomance” exploit to spread, [Cisco] researchers say... Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. NotPetya also leveraged this exploit..." https://arstechnica.com/information...nalromance-exploit-to-spread-researchers-say/ "...'This is a different implementation of the EternalRomance exploit,” said Martin Lee, technical lead of security research for Cisco’s research arm, Talos. “It’s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.'..." https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/
You do really have to wonder about the state of security in the Ukraine and Russia since this exploit was patched months ago. Also for clarification the initial exploiting is not done by EternalBlue: http://www.securityweek.com/bad-rabbit-ransomware-uses-nsa-exploit-spread Also the network propagation was not done exclusively via SMBv1 but using a number of legit Windows features: http://blog.talosintelligence.com/2017/10/bad-rabbit.html
In light that this attack used EternalRomance, might be good to review what security solutions block it. Eset was the only once that outright blocked EternalRomance in this ad hoc test by MRG: https://www.mrg-effitas.com/eternalromance-vs-internet-security-suites-and-nextgen-protections/ Of note about EternalRomance: Hence the use of Mimikatz in this attack to gain credentials as noted in the Cisco analysis.
Now this is very interesting indeed! Appears we have entered the next NSA exploit phase where malware developers are launching their own modified versions of them What has not been answered is if the previous Windows patches deployed will work against these modified versions? And do these new versions work against Win 8/10? https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-also-used-nsa-exploit/
Files Encrypted by Bad Rabbit Recoverable Without Paying Ransom http://www.securityweek.com/files-encrypted-bad-rabbit-recoverable-without-paying-ransom
Interesting, didn't know they also tested security tools against EternalRomance. Good to see that all of them could at least stop the payload.
I did some reading on the attack yesterday and appears that although this EternalRomance exploit has been modified, the previous MS patch will stop it. Make sense since all that was patched was the SMBv1 vulnerability. If the patched has been applied, the attack with employ WMI, namely WMIC. Also in case you missed the prior posting, an unpatched device is not enough for EternalRomance to work by itself; credential access is required. Hence the use of Mimikatz to perform credential stealing via lsass.exe hack. The outstanding question is if this attack employed the Mimikatz enhancement to bypass lsass.exe protected mode?
Check out this article, it shows how Endgame could stop the attack in various stages, this is the stuff that I love. Apparently, it could detect the malware sample via AI/ML (no signatures needed), but even after that it could block code injection and credential dumping. The only thing it needs to add is detection for rapid file modification, because if I understood correctly, it can't stop this, which is a bit weird. https://www.endgame.com/blog/technical-blog/falling-trap-how-endgame-platform-stops-badrabbit
Endgame is clearly an Enterprise product out of most members price range. But there are other products that can accomplish the same thing.
Yes correct, but I do believe Endgame is a bit more advanced then most consumer HIPS/AE products. And that's why I'm also a bit frustrated, would have loved to see a bit more innovation. Also, I don't think there are any AV's for consumers who can block malware with AI/ML only.
Rasheed, you don't need that expensive stuff. You can accomplish the same thing what's available to us. But you are going to have to let go of some of your preconceived ideas.
Yes I know you can stay safe without this but I would love to see this stuff in implemented in HIPS like SpyShelter for example. It's widely known that most HIPS, both standalone and the ones integrated with AV's are not that good in blocking advanced code injection methods.
