What is the Bad Rabbit virus and how to protect your computer. Bad Rabbit: another ransomware virus

The ransomware known as Bad Rabbit has attacked tens of thousands of computers in Ukraine, Turkey and Germany, but most of the attacks were against Russia. In our "Question and Answer" section we explain what kind of virus this is and how to protect your computer.

Who suffered in Russia from Bad Rabbit?

The Bad Rabbit ransomware began to spread on October 24th. Among its victims are the Interfax news agency and the Fontanka.ru publication.

The Kyiv metro and Odessa airport also suffered from the hackers' actions. Later it became known that there had been an attempt to break into the systems of several Russian banks from the top 20.

By all indications, this is a targeted attack on corporate networks, since it uses methods similar to those observed during the ExPetr attack.

The new virus makes one demand of everyone: a ransom of 0.05 bitcoins, roughly 16 thousand rubles. It also states that the time to pay is limited: a little more than 40 hours in total, after which the ransom increases.

What is this virus and how does it work?

Have you already figured out who is behind its distribution?

It has not been possible to find out who is behind this attack. The investigation led only to a domain name.

Specialists of antivirus companies note the similarity of the new virus with the Petya virus.

But, unlike previous viruses of this year, this time the hackers decided to take a simpler path, according to 1tv.ru.

“Apparently, the criminals expected that in most companies users would update their computers after these two attacks, and decided to try a fairly cheap tool - social engineering, in order to infect users relatively quietly at first,” said the head of the anti-virus research department at Kaspersky Lab, Vyacheslav Zakorzhevsky.

How to protect your computer from a virus?

Be sure to back up your system. If you use Kaspersky, ESET, Dr.Web or another popular antivirus, update its databases promptly. For Kaspersky, also enable "Activity Monitoring" (System Watcher); for ESET, apply the signatures from update 16295, talkdevice reports.

If you have no antivirus, block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy Editor or AppLocker on Windows.

Disable the Windows Management Instrumentation (WMI) service: right-click the service, open its properties and set "Startup type" to "Disabled".

This is the third major cyberattack in a year. This time the virus has a new name, Bad Rabbit, and old habits: encrypting data and extorting money to unlock it. The affected area is once again Russia, Ukraine and some other CIS countries.

Bad Rabbit follows the usual scheme: a phishing email arrives with an attached virus or a link. In particular, the attackers may pose as Microsoft technical support and ask the recipient to urgently open an attached file or follow a link. There is another distribution route: a fake Adobe Flash Player update window. In both cases Bad Rabbit behaves the same way as the ransomware that made headlines not long ago: it encrypts the victim's data and demands a ransom of 0.05 bitcoin, approximately $280 at the exchange rate on October 25, 2017. The victims of the new epidemic were Interfax, the St. Petersburg publication Fontanka, the Kyiv Metro, Odessa airport and the Ministry of Culture of Ukraine. There is evidence that the new virus tried to attack several well-known Russian banks, but that attempt failed. Experts link Bad Rabbit to the previous major attacks recorded this year. The evidence for this is the similar encryption component, Diskcoder.D, which is the same Petya encryptor, only slightly modified.

How to protect yourself from Bad Rabbit?

Experts recommend that owners of Windows computers create a file named "infpub.dat" and place it in the Windows folder on the "C" drive, so that the path is C:\windows\infpub.dat. This can be done with ordinary Notepad, but with Administrator rights: find the Notepad shortcut, right-click it and select "Run as Administrator".

Then save the file to C:\windows\, that is, the Windows folder on the C drive, with the filename infpub.dat, where "dat" is the file extension. Don't forget to replace Notepad's default "txt" extension with "dat". After saving the file, open the Windows folder, find the created infpub.dat, right-click it and select "Properties", where at the very bottom you need to check "Read Only". This way, even if you catch the Bad Rabbit virus, it will not be able to encrypt your data.

Preventive measures

Do not forget that you can protect yourself from any virus simply by following certain rules. It sounds trite, but never open letters, and even more so their attachments, if the address seems suspicious to you. Phishing emails, that is, masquerading as other services, are the most common method of infection. Be careful what you open. If the attached file is called “Important document.docx_______.exe” in the letter, then you definitely should not open this file. In addition, you need to have backup copies of important files. For example, a family archive with photos or working documents can be duplicated on an external drive or cloud storage. Do not forget how important it is to use a licensed version of Windows and install updates regularly. Security patches are released by Microsoft on a regular basis and those who install them do not have problems with such viruses.

The end of October this year was marked by the emergence of a new virus that actively attacked the computers of corporate and home users. The new virus is a ransomware called Bad Rabbit. It was used to attack the websites of several Russian mass media. Later, the virus was also found in the information networks of Ukrainian enterprises, where the networks of the subway, various ministries, international airports and so on were attacked. A little later, a similar attack was observed in Germany and Turkey, although its activity was significantly lower than in Ukraine and Russia.

The malware is a component that, once it enters a computer, encrypts its files. Once the information has been encrypted, the attackers try to get payment from users for decrypting their data.

Spread of the virus

Experts from the ESET anti-virus laboratory analyzed the virus's propagation path and concluded that it is a modified version of the Petya virus that spread recently.

ESET laboratory experts established that the malicious files were distributed from the 1dnscontrol.com resource and the IP address 5.61.37.209. Several more resources are associated with this domain and IP, including secure-check.host, webcheck01.net, secureinbox.email, webdefense1.net, secure-dns1.net and firewebmail.com.

Specialists found that the owners of these sites had registered many other resources, for example ones used to sell counterfeit medicines through spam mailings. ESET specialists do not rule out that the main cyber attack was carried out with the help of these same resources, using spam and phishing.

How does Bad Rabbit infect computers?

Specialists of the computer forensics laboratory investigated how the virus got onto users' computers. It was found that in most cases the Bad Rabbit ransomware was distributed as an Adobe Flash update. That is, the virus did not use any operating system vulnerability but was installed by the users themselves, who unknowingly approved its installation, thinking they were updating the Adobe Flash plugin. Once inside the local network, the virus stole logins and passwords from memory and spread to other computers on its own.

How hackers extort money

After the ransomware has been installed on the computer, it encrypts the stored information. Users then receive a message stating that, to regain access to their data, they must make a payment on the specified dark web site; to reach it, they first need to install the Tor browser. To unlock the computer, the attackers demand a payment of 0.05 bitcoins. Today, at a price of $5600 for 1 Bitcoin, that is approximately $280 per computer. The user is given 48 hours to pay. After this period, if the required amount has not been transferred to the attackers' account, the amount increases.

How to protect yourself from the virus

  1. To protect yourself from infection with the Bad Rabbit virus, block access from your network to the domains listed above.
  2. For home users, you need to update the current version of Windows as well as the antivirus program. In this case, the malicious file will be detected as a ransomware virus, which will exclude the possibility of its installation on the computer.
  3. Those users who use the built-in antivirus of the Windows operating system already have protection against these ransomware. It is implemented in the Windows Defender Antivirus application.
  4. The developers of the anti-virus program from Kaspersky Lab advise all users to back up their data periodically. In addition, experts recommend blocking the execution of the files c:\windows\infpub.dat and c:\WINDOWS\cscc.dat and, if possible, disabling the WMI service.
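As an added example (not code from the article, ESET or Kaspersky Lab), the following PowerShell script turns the indicators the article attributes to ESET (the domains and IP address in "Spread of the virus") into two defensive actions: a hunt over DNS/proxy log lines for contacts with that infrastructure, and host-level blocking via an outbound Windows Firewall rule plus hosts-file sinkhole entries, as recommended in step 1 above. The function names and the sample log lines are my own constructions; `Block-BadRabbitIndicators` changes the host and must be run from an elevated shell.

```powershell
# Added example, not code from the article or from any vendor named in it.
# Indicators as listed in the article (attributed there to ESET).
$BadRabbitDomains = @(
    '1dnscontrol.com', 'secure-check.host', 'webcheck01.net', 'secureinbox.email',
    'webdefense1.net', 'secure-dns1.net', 'firewebmail.com'
)
$BadRabbitIPs = @('5.61.37.209')

function Find-BadRabbitIndicators {
    # Returns one object per log line that mentions any indicator.
    param([Parameter(Mandatory)] [string[]]$LogLines)
    # One alternation of all indicators, each escaped so the dots match literally
    $pattern = (($BadRabbitDomains + $BadRabbitIPs) | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Indicator = $Matches[0]; Line = $line }
        }
    }
}

function Block-BadRabbitIndicators {
    # Host-level blocking: firewall rule for the IP, hosts-file sinkhole for the domains.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess(($BadRabbitIPs -join ','), 'Create outbound block rule')) {
        New-NetFirewallRule -DisplayName 'Block Bad Rabbit distribution server' -Direction Outbound `
            -RemoteAddress $BadRabbitIPs -Action Block -Profile Any | Out-Null
    }
    # 0.0.0.0 is unroutable, so resolving a sinkholed name leads nowhere; skip names already present
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hosts = @(Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue)
    foreach ($d in $BadRabbitDomains) {
        $present = $hosts -match ('^\s*\S+\s+' + [regex]::Escape($d) + '(\s|$)')
        if (-not $present -and $PSCmdlet.ShouldProcess($d, 'Add hosts sinkhole entry')) {
            Add-Content -LiteralPath $hostsPath -Value "0.0.0.0 $d  # Bad Rabbit sinkhole"
        }
    }
}

# Constructed sample resolver-style log lines (not from any real incident)
$SampleLog = @(
    '2017-10-24T10:02:11Z client=10.0.0.15 query=www.example.com type=A',
    '2017-10-24T10:02:13Z client=10.0.0.15 query=1dnscontrol.com type=A',
    '2017-10-24T10:02:14Z client=10.0.0.15 connect=5.61.37.209:80',
    '2017-10-24T10:03:40Z client=10.0.0.22 query=secure-dns1.net type=A'
)
Find-BadRabbitIndicators -LogLines $SampleLog | Format-Table -AutoSize   # three hits expected
# Block-BadRabbitIndicators -WhatIf   # preview the host changes; drop -WhatIf to apply them
```

The hosts-file sinkhole only helps a host that resolves names locally; in a corporate network the same domain list belongs on the DNS resolver or web proxy, and the IP on the perimeter firewall, which is what "block access from your network" in step 1 means in practice.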

Conclusion

Every computer user should remember that cybersecurity comes first when working online. Use only trusted information resources and be careful with e-mail and social networks, since these are the channels through which viruses most often spread. Elementary rules of behavior online will spare you the problems that arise during a virus attack.

Yesterday, October 24, 2017, major Russian media, as well as a number of Ukrainian government agencies, were attacked by unknown intruders. Interfax, Fontanka, and at least one other unnamed online publication were among the victims. After the media, problems were also reported by Odessa International Airport, the Kyiv Metro and the Ukrainian Ministry of Infrastructure. According to Group-IB analysts, the criminals also tried to attack banking infrastructure, but these attempts were unsuccessful. ESET specialists, in turn, say that the attacks affected users in Bulgaria, Turkey and Japan.

As it turned out, disruptions in the work of companies and government agencies were not caused by massive DDoS attacks, but by a ransomware that goes by the name of Bad Rabbit (some experts prefer to write BadRabbit without a space).

Little was known about the malware and its mechanisms yesterday: it was reported that the ransomware demanded 0.05 bitcoins, and Group-IB experts said the attack had been in preparation for several days. Two JS scripts were found on the attackers' site, and, judging by the server information, one of them was updated on October 19, 2017.

Now, although less than a day has passed since the attacks began, experts from almost all the leading information security companies in the world have already analyzed the ransomware. So, what is Bad Rabbit, and should we expect a new "ransomware epidemic" like WannaCry or NotPetya?

How did Bad Rabbit manage to disrupt major media outlets if it spread through fake Flash updates? According to ESET, Emsisoft and Fox-IT, after infection the malware used the Mimikatz utility to extract passwords from LSASS, and it also carried a list of the most common logins and passwords. It used all of this to spread via SMB and WebDAV to other servers and workstations on the same network as the infected device. At the same time, experts from these companies and from Cisco Talos believe that no tool stolen from intelligence services and exploiting SMB flaws was involved in this case. Let me remind you that WannaCry and NotPetya were distributed using exactly that exploit.

However, experts still found some similarities between Bad Rabbit and Petya (NotPetya). The ransomware does not just encrypt user files using the open-source DiskCryptor; it also modifies the MBR (Master Boot Record), then reboots the computer and displays the ransom message on the screen.

Although the message with the demands of the attackers is almost identical to the message from the operators of NotPetya, the opinions of experts regarding the connection between Bad Rabbit and NotPetya differ slightly. Thus, Intezer analysts calculated that the source code of malware

It may be a harbinger of the third wave of ransomware viruses, according to Kaspersky Lab. The first two were the sensational WannaCry and Petya (aka NotPetya). Cybersecurity experts spoke to MIR 24 about the emergence of a new network malware and how to defend against its powerful attack.

Most of the victims of the Bad Rabbit attack are in Russia; there are far fewer in Ukraine, Turkey and Germany, said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The countries in second place are probably those whose users actively visit Russian Internet resources.

When the malware infects a computer, it encrypts the files on it. It spreads via web traffic from hacked Internet resources, mainly the websites of federal Russian media, and hit the computers and servers of the Kiev metro, the Ukrainian Ministry of Infrastructure and Odessa International Airport. An unsuccessful attempt to attack Russian banks from the top 20 was also recorded.

That Fontanka, Interfax and a number of other publications had been attacked by Bad Rabbit was reported yesterday by Group-IB, an information security company. Analysis of the virus code showed that Bad Rabbit is related to the NotPetya ransomware, which in June this year attacked energy, telecommunications and financial companies in Ukraine.

The attack was prepared over several days and, despite the scale of the infection, the ransomware demanded relatively small amounts from its victims: 0.05 bitcoins (about $283 or 15,700 rubles). Victims are given 48 hours to pay; after that period, the amount increases.

Group-IB specialists believe the hackers most likely have no intention of making money. Their probable goal is to test the level of protection of critical infrastructure networks at enterprises, government departments and private companies.

It's easy to be attacked

When a user visits an infected site, the malicious code sends information about the visitor to a remote server. A pop-up window then appears offering a Flash Player update, which is fake. If the user confirms "Install", a file is downloaded to the computer, which in turn launches the Win32/Filecoder.D encryptor on the system. Access to documents is then blocked and a ransom message appears on the screen.

The Bad Rabbit virus scans the network for open network shares and then launches a credential collection tool on the infected machine; this "behavior" distinguishes it from its predecessors.
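The infection chain above ends with the encryptor being launched from the file names the earlier sections say to block (C:\Windows\infpub.dat and C:\Windows\cscc.dat). As an added example that is not part of the article, this PowerShell hunt looks for those paths in Windows process-creation records. It assumes the input objects have the `TimeCreated` and `Message` properties that `Get-WinEvent` returns for Security event 4688 (command-line logging must be enabled for the "Process Command Line" field to be populated); the sample events, including the `rundll32.exe` command line, are constructed for the demonstration.

```powershell
# Added example, not code from the article or from any vendor it cites.
# Real input: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}
$BadRabbitFiles = @('infpub.dat', 'cscc.dat')   # article: files under C:\Windows to block

function Find-BadRabbitProcessEvents {
    # Emits one object per event whose message references one of the files in the Windows folder.
    param([Parameter(Mandatory, ValueFromPipeline)] [object[]]$Events)
    process {
        foreach ($e in $Events) {
            $msg = [string]$e.Message
            foreach ($name in $BadRabbitFiles) {
                # Case-insensitive match on "\Windows\<name>" anywhere in the 4688 text
                if ($msg -match "(?i)\\Windows\\$([regex]::Escape($name))\b") {
                    $proc   = if ($msg -match 'New Process Name:\s*(.+)')     { $Matches[1].Trim() } else { '' }
                    $parent = if ($msg -match 'Creator Process Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
                    $cmd    = if ($msg -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() } else { '' }
                    [pscustomobject]@{
                        Time        = $e.TimeCreated
                        MatchedFile = $name
                        Process     = $proc
                        Parent      = $parent
                        CommandLine = $cmd
                    }
                    break   # one hit per event is enough
                }
            }
        }
    }
}

# Constructed sample events in the shape of Security 4688 messages (not real logs)
$SampleEvents = @(
    [pscustomobject]@{
        TimeCreated = [datetime]'2017-10-24 13:55:01'
        Message     = @"
A new process has been created.
New Process Name:      C:\Windows\System32\notepad.exe
Creator Process Name:  C:\Windows\explorer.exe
Process Command Line:  "C:\Windows\System32\notepad.exe"
"@
    },
    [pscustomobject]@{
        TimeCreated = [datetime]'2017-10-24 13:56:17'
        Message     = @"
A new process has been created.
New Process Name:      C:\Windows\System32\rundll32.exe
Creator Process Name:  C:\Users\user\Downloads\setup.exe
Process Command Line:  C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1 15
"@
    }
)

$SampleEvents | Find-BadRabbitProcessEvents | Format-Table -AutoSize   # only the second event is reported
```

The hit carries the parent process, which is what an analyst needs next: in the chain the article describes, the parent is the file the user downloaded as a "Flash update", so its path and hash identify the dropper on every machine that shows the same event.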

Specialists of the international anti-virus developer ESET NOD32 confirmed that Bad Rabbit is a new modification of the Petya virus, which worked on the same principle: it encrypted information and demanded a ransom in bitcoins (an amount comparable to Bad Rabbit's, $300). The new malware fixes bugs in file encryption. Its code is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as bootable disk partitions.

Speaking about the audience attacked by Bad Rabbit, Vitaly Zemsky, Head of Sales Support at ESET Russia, stated that 65% of the attacks stopped by the company's antivirus products were in Russia. The rest of the new virus's geography looks like this:

Ukraine - 12.2%
Bulgaria - 10.2%
Turkey - 6.4%
Japan - 3.8%
others - 2.4%

“The ransomware uses a well-known open source software called DiskCryptor to encrypt the victim’s drives. The lock message screen that the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity we have seen so far between the two malware. In all other aspects, BadRabbit is a completely new and unique type of ransomware,” says the CTO of Check Point Software Technologies, Nikita Durov.

How to protect yourself from Bad Rabbit?

Owners of operating systems other than Windows can breathe a sigh of relief, as the new ransomware only affects computers running that operating system.

To protect against the network malware, experts recommend creating the file C:\windows\infpub.dat on your computer and setting it to read-only, which is easy to do in the file's properties. This blocks execution of that file, so your documents will not be encrypted even if the computer is infected. To avoid losing valuable data in case of infection, make a backup now. And, of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.
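The "vaccine" described here and in the earlier "How to protect yourself from Bad Rabbit?" section (create infpub.dat in the Windows folder and mark it read-only), together with the file-blocking and WMI steps from "How to protect your computer from a virus?", as an added PowerShell example that is not from the article or any vendor it cites. It creates both file names the article lists (infpub.dat and cscc.dat) as empty read-only files, and as an extra step beyond the article also strips their inherited permissions so no account can write to or execute them; the `-DisableWmi` switch applies the article's WMI step but is off by default because many management and monitoring tools depend on WMI. The function names are my own; run from an elevated shell.

```powershell
# Added example, not code from the article. Paths come from the article: C:\Windows\<name>.
$VaccineFiles = @('infpub.dat', 'cscc.dat') | ForEach-Object { Join-Path $env:SystemRoot $_ }

function Install-BadRabbitVaccine {
    param([switch]$DisableWmi)   # WMI step from the article; opt-in, see lead-in
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null   # empty placeholder file
        }
        # Read-only attribute, exactly as the article instructs
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        # Extra step (not in the article): drop inherited ACEs, leaving an empty DACL,
        # so no account can overwrite or execute the placeholder
        icacls $path /inheritance:r | Out-Null
    }
    if ($DisableWmi) {
        Set-Service -Name Winmgmt -StartupType Disabled
        Stop-Service -Name Winmgmt -Force
    }
}

function Test-BadRabbitVaccine {
    # Reports whether each placeholder exists and is read-only; attributes are read
    # from the directory listing, so this works even after the DACL has been emptied.
    foreach ($path in $VaccineFiles) {
        $exists = Test-Path -LiteralPath $path
        $ro = if ($exists) { (Get-Item -LiteralPath $path -Force).IsReadOnly } else { $false }
        [pscustomobject]@{ File = $path; Exists = $exists; ReadOnly = $ro }
    }
}

Install-BadRabbitVaccine            # add -DisableWmi to also disable the WMI service
Test-BadRabbitVaccine | Format-Table -AutoSize
```

The placeholder only defends against this specific sample's file names; it does nothing against a variant that uses different paths, which is why the article's other advice (backups, updated antivirus, not installing unexpected "updates") still applies.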

Recall that in May this year the WannaCry virus spread to at least 150 countries around the world. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars. More than 200 thousand users suffered from it. According to one version, its creators based it on the EternalBlue exploit attributed to the US NSA.

Alla Smirnova spoke with experts

2022 x360ce.ru