How to protect yourself from the bad rabbit virus. Bad Rabbit ransomware virus: new threat to your PC

17.09.2020

It may be a harbinger of the third wave of ransomware viruses, Kaspersky Lab believes. The first two were the sensational WannaCry and Petya (aka NotPetya). Cybersecurity experts told MIR 24 about the emergence of a new network malware and how to protect against its powerful attack.

Most of the victims of the Bad Rabbit attack are in Russia. There are significantly fewer of them in Ukraine, Turkey and Germany, noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The countries next in line were probably those where users actively follow Russian Internet resources.

When the malware infects a computer, it encrypts the files on it. It spreads via web traffic from hacked Internet resources, mainly the sites of federal Russian media; the computers and servers of the Kiev metro, the Ukrainian Ministry of Infrastructure and the Odessa International Airport were also hit. An unsuccessful attempt to attack Russian banks from the top 20 was also recorded.

The fact that Fontanka, Interfax and a number of other publications were attacked by Bad Rabbit was reported yesterday by Group-IB, a company specializing in information security. Analysis of the virus code showed that Bad Rabbit is linked to the NotPetya ransomware, which in June this year attacked energy, telecommunications and financial companies in Ukraine.

The attack had been prepared for several days and, despite the scale of the infection, the ransomware demanded relatively small amounts from its victims: 0.05 bitcoin (about $283 or 15,700 rubles). The victim is given 48 hours to pay; after this period expires, the amount increases.

Group-IB experts believe that, most likely, the hackers have no intention of making money. Their likely goal is to test the level of protection of the critical infrastructure networks of enterprises, government agencies and private companies.

It's easy to fall victim to an attack

When a user visits an infected site, the malicious code sends information about the visitor to a remote server. Next, a pop-up window appears offering a Flash Player update, which is fake. If the user approves the "Install" operation, a file is downloaded to the computer, which in turn launches the Win32/Filecoder.D encryptor on the system. Access to documents is then blocked and a ransom message appears on the screen.

The Bad Rabbit virus scans the network for open network resources, after which it launches a credential-harvesting tool on the infected machine; this behavior distinguishes it from its predecessors.

Experts from the international antivirus software developer Eset NOD 32 confirmed that Bad Rabbit is a new modification of the Petya virus, whose principle was the same: the virus encrypted information and demanded a ransom in bitcoins (the amount was comparable to Bad Rabbit's, about $300). The new malware fixes errors in file encryption. The code used in the virus is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as bootable system partitions.

Speaking about the audience attacked by Bad Rabbit, Vitaly Zemskikh, Head of Sales Support at ESET Russia, stated that 65% of the attacks stopped by the company's antivirus products occurred in Russia. The rest of the new virus's geography looks like this:

  • Ukraine - 12.2%
  • Bulgaria - 10.2%
  • Turkey - 6.4%
  • Japan - 3.8%
  • others - 2.4%

"The ransomware uses well-known open-source software called DiskCryptor to encrypt the victim's disks. The lock screen the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity we have observed so far between the two malware families. In all other aspects, Bad Rabbit is a completely new and unique type of ransomware," says Nikita Durov, CTO of Check Point Software Technologies.

How to protect yourself from Bad Rabbit?

Owners of non-Windows operating systems can breathe a sigh of relief, since the new ransomware only affects computers running this "OS".

To protect against the network malware, experts recommend creating the file C:\Windows\infpub.dat on your computer and setting read-only rights on it; this is easy to do in the file's properties. This blocks the execution of the file, and documents coming from the outside will not be encrypted, even if they are infected. So as not to lose valuable data in the event of an infection, make a backup now. And, of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.

Recall that in May this year the WannaCry virus spread to at least 150 countries around the world. It encrypted information and demanded a ransom of, according to various sources, $300 to $600. More than 200 thousand users suffered from it. According to one version, its creators took the US NSA's EternalBlue exploit as a basis.

Alla Smirnova spoke with experts

Back in the late 1980s, the AIDS virus ("PC Cyborg"), written by Joseph Popp, hid directories and encrypted files, demanding about $200 for a "license renewal". At first, ransomware targeted only ordinary people using computers running Windows, but now the threat has become a serious problem for business: the programs are multiplying and becoming cheaper and more accessible. Extortion using malware is the main cyber threat in two-thirds of EU countries. One of the most widespread ransomware families, the CryptoLocker program, has infected over a quarter of a million computers in the EU since September 2013.

In 2016, the number of ransomware attacks increased sharply: according to analysts' estimates, more than a hundredfold compared to the previous year. This is a growing trend, and, as we have seen, very different companies and organizations are under attack. The threat is also relevant for non-profit organizations. Since, before every major attack, the malware is modified and tested by cybercriminals for its ability to pass through anti-virus protection, antiviruses are, as a rule, powerless against it.

On October 12, the Security Service of Ukraine warned of the likelihood of new large-scale cyberattacks on government structures and private companies, similar to the June epidemic of the NotPetya ransomware. According to the Ukrainian security service, "the attack can be carried out using updates, including of publicly available application software." Recall that in the NotPetya attack, which researchers associated with the BlackEnergy group, the first victims were companies using the software of the Ukrainian document management system developer M.E.Doc.

Then, in the first 2 hours, energy, telecommunications and financial companies were attacked: Zaporozhyeoblenergo, Dneproenergo, Dnipro Electric Power System, Mondelez International, Oschadbank, Mars, "New Mail", Nivea, TESA, the Kiev Metro, computers of the Cabinet of Ministers and the Government of Ukraine, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom), Privatbank and Boryspil airport.

A little earlier, in May 2017, the WannaCry ransomware virus attacked 200,000 computers in 150 countries around the world. The virus spread across the networks of universities in China, Renault factories in France and Nissan in Japan, the telecommunications company Telefonica in Spain, and the railway operator Deutsche Bahn in Germany. Because of blocked computers in UK clinics, operations had to be postponed, and regional divisions of the Russian Ministry of Internal Affairs were unable to issue driver's licenses. Researchers said North Korean hackers from Lazarus were behind the attack.

In 2017, ransomware viruses reached a new level: the use by cybercriminals of tools from the arsenals of the American special services and new distribution mechanisms led to international epidemics, the largest of which turned out to be WannaCry and NotPetya. Despite the scale of the infection, the ransomware themselves collected relatively insignificant amounts - most likely these were not attempts to make money, but to check the level of protection of the networks of the critical infrastructure of enterprises, government agencies and private companies.

I greet you, dear visitors and guests of this blog! Today another ransomware virus has appeared in the world, by the name of "Bad Rabbit" ("Evil Rabbit"). This is the third sensational ransomware of 2017. The previous ones were WannaCry and Petya (aka NotPetya).

Bad Rabbit - Who has already suffered and how much money is required?

So far, presumably, several Russian media outlets have suffered from this ransomware, among them Interfax and Fontanka. The Odessa airport also reports a hacker attack, possibly related to the same Bad Rabbit.

For decrypting the files, the attackers demand 0.05 bitcoin, which at the current exchange rate is approximately $283 or 15,700 rubles.

The results of the Kaspersky Lab's research indicate that no exploits are used in the attack. Bad Rabbit spreads through infected websites: users download a fake Adobe Flash installer, manually launch it, and thereby infect their computers.

According to Kaspersky Lab, experts are investigating this attack and looking for ways to combat it, as well as looking for a way to decrypt files damaged by the ransomware.

Most of the victims of the attack are in Russia. Similar attacks are also known to occur in Ukraine, Turkey and Germany, but in much smaller numbers. The Bad Rabbit encryptor spreads through a number of infected Russian media sites.

Kaspersky Lab believes that all the signs indicate a targeted attack on corporate networks. The methods used are similar to those we observed in the ExPetr attack, but we cannot confirm a connection with ExPetr.

It is already known that Kaspersky Lab products detect one of the malware components via the Kaspersky Security Network cloud service as UDS:DangerousObject.Multi.Generic, and via System Watcher as PDM:Trojan.Win32.Generic.

How to protect yourself from Bad Rabbit virus?

To avoid falling victim to the new Bad Rabbit epidemic, Kaspersky Lab recommends that you do the following:

If you have Kaspersky Anti-Virus installed, then:

  • Check whether the Kaspersky Security Network and Activity Monitor (aka System Watcher) components are enabled in your security solution. If not, be sure to turn them on.

For those who do not have this product:

  • Block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This can be done through Group Policy or AppLocker.
  • Disable (if possible) the use of the WMI service.

Another very important tip from me:

Always back up important files, on removable media and in cloud services! It will save your nerves, money and time!

I wish you will not catch this infection on your PC. Clean and safe Internet for you!

The third large-scale cyber attack in a year. This time it is a virus with a new name, Bad Rabbit, and old habits: data encryption and extortion of money for unlocking. And Russia, Ukraine and some other CIS countries are again in the affected area.

Bad Rabbit follows the usual pattern: it sends a phishing email with an attached virus or link. In particular, the cybercriminals may introduce themselves as Microsoft technical support and ask you to urgently open an attached file or follow a link. There is another distribution route: a fake Adobe Flash Player update window. In both cases, Bad Rabbit acts in the same way as the recently sensational Petya: it encrypts the victim's data and demands a ransom of 0.05 bitcoin, about $280 at the exchange rate of October 25, 2017. The victims of the new epidemic were Interfax, the St. Petersburg publication Fontanka, the Kiev Metro, the Odessa airport and the Ministry of Culture of Ukraine. There is evidence that the new virus tried to attack several well-known Russian banks, but the attempt failed. Experts associate Bad Rabbit with the previous major attacks this year. The proof is the similar encryption software Diskcoder.D, which is the same Petya ransomware, only slightly modified.

How to protect yourself from Bad Rabbit?

Experts recommend that owners of Windows computers create a file named "infpub.dat" and place it in the Windows folder on drive "C". The resulting path should look like this: C:\Windows\infpub.dat. This can be done with the regular Notepad, but with Administrator rights. To do this, find the "Notepad" program shortcut, right-click it and select "Run as Administrator".

Then you just need to save this file to C:\Windows\, that is, the Windows folder on the "C" drive. The file name is infpub.dat, where "dat" is the file extension. Remember to replace Notepad's default "txt" extension with "dat". After saving the file, open the Windows folder, find the created infpub.dat file, right-click it and select "Properties", where at the very bottom you need to check the "Read-only" checkbox. Thus, even if you catch the Bad Rabbit virus, it will not be able to encrypt your data.

Preventive measures

Do not forget that you can protect yourself from any virus simply by following certain rules. It sounds corny, but never open letters, let alone their attachments, if the sender's address seems suspicious to you. Phishing emails, that is, emails masquerading as other services, are the most common method of infection. Watch closely what you open. If the attached file in a letter is named "Important document.docx_______.exe", you definitely should not open it. In addition, you need to have backups of important files. For example, a family photo archive or work documents can be duplicated to an external drive or to cloud storage. Remember how important it is to use a licensed Windows version and install updates regularly. Microsoft releases security patches on a regular basis, and those who install them have no problems with such viruses.

The ransomware virus known as Bad Rabbit has attacked tens of thousands of computers in Ukraine, Turkey and Germany. But most of the attacks fell on Russia. We explain what kind of virus it is and how to protect your computer in our "Questions and Answers" section.

Who suffered in Russia from Bad Rabbit?

The Bad Rabbit ransomware virus began spreading on October 24. Among its victims are the Interfax news agency and the Fontanka.ru publication.

The Kiev metro and the Odessa airport also suffered from the hackers' actions. Then it became known about an attempt to hack the systems of several Russian banks from the top 20.

By all indications, this is a targeted attack on corporate networks, since it uses methods similar to those observed during the ExPetr virus attack.

The new virus makes one demand of everyone: a ransom of 0.05 bitcoin, which is about 16 thousand rubles. At the same time, it states that the time to meet this demand is limited: a little over 40 hours are given in all. After that, the ransom fee will increase.

What is this virus and how does it work?

Have you already figured out who is behind its spread?

It has not yet been possible to find out who is behind this attack. The investigation only led the programmers to the domain name.

Experts from antivirus companies note the similarity of the new virus to the Petya virus.

But, unlike the earlier viruses of this year, this time the hackers decided to go the simple way, reports 1tv.ru.

"Apparently, the criminals expected that in most companies users would update their computers after these two attacks, and decided to try a fairly cheap tool, social engineering, in order to infect users relatively unnoticed for the first time," said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

How to protect your computer from a virus?

Be sure to back up your system. If you use Kaspersky, ESET, Dr.Web or other popular products for protection, update their databases promptly. Also, for Kaspersky it is necessary to enable "Activity Monitor" (System Watcher), and in ESET to apply the signatures from update 16295, reports talkdevice.

If you do not have antivirus software, block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy Editor or AppLocker for Windows.

Prevent the Windows Management Instrumentation (WMI) service from running: right-click the service, open its properties and select "Disabled" under "Startup type".
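The "vaccination" steps described above and in the earlier Notepad walkthrough (create empty infpub.dat and cscc.dat in the Windows folder and mark them read-only), as an added PowerShell example that is not from any of the articles quoted on this page. It goes one step beyond the text by also denying write and delete access on the files, and it assumes $env:SystemRoot is C:\Windows as on a default install.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the articles: applies the Bad Rabbit
# "vaccine" (empty C:\Windows\infpub.dat and cscc.dat, read-only) and checks it.
$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Install-BadRabbitVaccine {
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Empty placeholder; the ransomware expects to drop its own copy here.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Same as ticking "Read-only" in the file's Properties dialog.
        Set-ItemProperty -LiteralPath $path -Name Attributes `
            -Value ([System.IO.FileAttributes]::ReadOnly)

        # Beyond the article: a read-only attribute can be cleared by any process
        # that may write attributes, so also deny Write/Delete to Everyone.
        # (Administrators can remove this deny ACE later if the file must go.)
        $acl  = Get-Acl -LiteralPath $path
        $deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    'Everyone', 'Write, Delete', 'Deny')
        $acl.AddAccessRule($deny)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    # $true only if every vaccine file exists and carries the read-only attribute.
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        if (-not ($attrs -band [System.IO.FileAttributes]::ReadOnly)) { return $false }
    }
    return $true
}

Install-BadRabbitVaccine
if (Test-BadRabbitVaccine) { 'Vaccine files are in place and read-only.' }
else { 'Vaccine check failed; inspect the files in $env:SystemRoot manually.' }
```

The optional WMI step from the article (`Set-Service -Name Winmgmt -StartupType Disabled`) is deliberately left out of the script because it breaks many management and monitoring tools; apply it only on machines where that is acceptable.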

© 2020 hecc.ru - News of computer technologies