Bad Rabbit: Another Ransomware getting on the list

By: MicroWorld Technologies
 
 

Tags:
Bad Rabbit
Escan
Ransomware

Industry:
Technology

Location:
Novi - Michigan - US

NOVI, Mich. - Oct. 26, 2017 - PRLog -- In the recent past, numerous ransomware families have targeted Europe and, using various methods, moved laterally across networks and propagated to other countries, effectively breaching all geopolitical boundaries.

A new ransomware dubbed Bad Rabbit has been rapidly targeting systems across Europe, following in the footsteps of WannaCry and NotPetya. However, unlike WannaCry, Bad Rabbit does not use EternalBlue to spread laterally; instead it uses Mimikatz to extract credentials from memory and tries to access other systems on the same network via SMB and WebDAV.

After encrypting a file, it appends the string "encrypted" to the end of the file rather than changing its extension. Changing the file extension is the far more common behaviour among ransomware families.

The primary mode of delivery is a fake Flash Player installer. Upon execution by the user, it starts encrypting files, then modifies the Master Boot Record, reboots the system and displays the ransom note.

eScan actively detects and mitigates this threat. Users should always ensure that they update their computer systems with the patches made available by software vendors, and should always exercise caution whenever a website presents them with an executable to download.

Bad Rabbit - Indicators of Compromise (IOC)

Hashes:

File Name: install_flash_player.exe
Hash: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Detection: Trojan.GenericKD.6139887

File Name: dispci.exe
Hash: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Detection: Trojan.GenericKD.6139894

Files:

C:\Windows\infpub.dat

C:\Windows\System32\Tasks\drogon

C:\Windows\System32\Tasks\rhaegal

C:\Windows\cscc.dat

C:\Windows\dispci.exe

Registry entries:

HKLM\SYSTEM\CurrentControlSet\services\cscc

HKLM\SYSTEM\CurrentControlSet\services\cscc\Type   1

HKLM\SYSTEM\CurrentControlSet\services\cscc\Start  0

HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl   3

HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath      cscc.dat

HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName    Windows Client Side Caching DDriver

HKLM\SYSTEM\CurrentControlSet\services\cscc\Group  Filter

HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService        FltMgr

HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64  1

Ransom Note:

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.

You might have been looking for a way to recover your files.

Don't waste your time. No one will be able to recover them without our decryption service.

We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#1:

Network Activity:

Local & Remote SMB Traffic on ports 137, 139, 445

caforssztxqzf2nm.onion

Files extensions targeted for encryption:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
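As an added example (not part of the advisory and not eScan's own tooling), a small Python triage script that applies three of the indicators above to a directory tree: the two SHA-256 hashes, the dropped file names, and the trailing "encrypted" marker described earlier, checked only on files whose extension is in the targeted list. The extension set is a subset of the list above, and the files written by demo() are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted from the advisory above (hashes, dropped file names, targeted extensions).
KNOWN_HASHES = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "install_flash_player.exe",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "dispci.exe",
}
DROPPED_NAMES = {"infpub.dat", "cscc.dat", "dispci.exe", "drogon", "rhaegal"}
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".vmdk", ".sql"}  # subset
MARKER = b"encrypted"  # appended to the file content; the extension is left unchanged

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def has_trailing_marker(path):
    # Read only the tail of the file and compare it with the marker bytes.
    size = path.stat().st_size
    with open(path, "rb") as f:
        f.seek(max(size - len(MARKER), 0))
        return f.read() == MARKER

def scan(root):
    """Walk root and return (path, reason) for every indicator that matches."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in DROPPED_NAMES:
            findings.append((p, "known dropped file name"))
        digest = sha256_of(p)
        if digest in KNOWN_HASHES:
            findings.append((p, "hash matches " + KNOWN_HASHES[digest]))
        if p.suffix.lower() in TARGET_EXTS and has_trailing_marker(p):
            findings.append((p, "trailing 'encrypted' marker"))
    return findings

def demo():
    """Constructed sample tree (no real malware): returns {(file name, reason)}."""
    d = Path(tempfile.mkdtemp())
    (d / "report.docx").write_bytes(b"\x17" * 40 + MARKER)     # targeted ext + marker -> hit
    (d / "notes.txt").write_bytes(b"ends with encrypted")       # .txt not targeted -> ignored
    (d / "clean.pdf").write_bytes(b"%PDF-1.4 constructed")      # no marker -> ignored
    (d / "cscc.dat").write_bytes(b"constructed dummy payload")  # dropped-file name -> hit
    return {(p.name, why) for p, why in scan(d)}
```

Run scan() against a share or user profile taken offline for triage; a hit on the marker check alone is a strong sign that encryption has already run on that host.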

Embedded RSA-2048 Key:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB

Prevention Measures:

•   Administrators should block all executable files from being transmitted via email.

•   Administrators should isolate affected systems from the network.

•   Administrators can restore encrypted files from backup or from a system restore point (if enabled) on affected systems.

•   Install and configure eScan with all security modules active:
    eScan Real-Time Monitoring
    eScan Proactive Protection
    eScan Firewall IDS/IPS Intrusion Prevention

•   Users should not enable macros in documents.

•   Organizations should deploy and maintain a backup solution.

•   Most important, organizations should implement MailScan at the gateway level for mail servers, to contain the spread of suspicious attachments.

For more information, visit www.escanav.com

Contact
39555, Orchard Hill Place,
Suite 600, Novi, MI 48375
***@escanav.com