Wednesday, October 25, 2017
Research on BadRabbit Ransomware
From Eskenzi PR:
"Nozomi Networks has taken a look into the BadRabbit Ransomware that hit Russia and Ukraine yesterday affecting systems at three Russian websites, transport systems in Ukraine, including an airport and an underground railway in Kiev.
"Moreno Carullo, Co-Founder and Chief Technical Officer for Nozomi Networks says, “Our research shows that the group behind Bad Rabbit have spent considerable time creating their ‘infection-network,’ going back at least to July, with the majority of sites relating to media and news.When a victim visits what they believe is a legitimate site, they are instructed to download an Adobe Flash installer/update. Given that the attackers are targeting media and news sites, that have previously employed Flash to enhance the visitor experience, this request may not immediately arouse suspicion – but it should! If the user follows the redirection the attack begins and the ransomware dropper (distributed from: hxxp://1dnscontrol[.]com/flash_install.php) downloads.”
"Moreno explains,“As soon as the victim executes the dropper, for which admin privilege is needed, a malicious DLL named infpub.dat is saved and is then run using the usual utility rundll32. Our experience executing the infpub.dat file is that it then seems to try to brute-force NTLM [NT LAN Manager] login credentials and download an executable dispci.exe, which appears to be derived from the well-known utility DiskCryptor code - a disk encryption module. The execution of the last file downloaded begins the encryption phase and the replacement of the bootloader as already seen in previous NotPetya attacks.
"According to Moreno, “Prevention is always better than cure as, if infected, it is never advisable to pay the ransom as it is not guaranteed that the criminals will honor the agreement and restore systems/data. Organizations need tools that will help them immediately identify when something ambiguous is happening within the infrastructure. Applying artificial intelligence and machine learning for real-time detection and response, organizations can monitor for malware to rapidly discover and act to remove malicious code and the risks posed before harm is done.”
"Michael Patterson, CEO of Plixer says, “Many times ransomware infections go unreported. Employees who make the mistake and click on something they shouldn’t are usually very embarrassed about the infection. Security teams need to be aware of all infections in order to grasp the scale of the intrusion. Unreported infections can often be discovered using network traffic analytics. By profiling the Bad Rabbit communication behavior other machines reaching out to the Internet with similar behaviors can be identified.”"