Tuesday, November 12, 2024
HomeRansomwareBeware : Mass Ransomware Cyber Attack with "Bad Rabbit" Ransomware Hitting Many...

Beware : Mass Ransomware Cyber Attack with “Bad Rabbit” Ransomware Hitting Many Government & Private organization

Published on

Malware protection

A New ransomware family called  “Bad Rabbit” rapidly spreading across the Eastern European countries affecting government and private agencies including Russia, Ukraine, Bulgaria,  and Turkey.

Bad Rabbit is a previously unknown ransomware family and it is distributing mostly via drive-by attacks using Adobe Flash player and no Exploit were used by this Bad Rabbit ransomware.

Drive-by Attacks cybercriminals look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script may install malware directly onto the computer of someone who visits the site.

- Advertisement - SIEM as a Service

Bad Rabbit Rapidly spreading across the world same as Previously biggest Ransomware  Families Wannacry Petya, Locky outbreaks.

This ransomware dropper is distributed from fake Adobe Flash players installer “hxxp://1dnscontrol[.]com/flash_install.php” and victims are redirected to this malware web resource from legitimate news websites.

Adobe Flash Player based Malicious variant  install_flash_player.exe need to manually installed by Victim.

Kaspersky and Eset Researchers said, “Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”

Bad Rabbit also capable of scheduling talk with the name of dragon, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm,

https://twitter.com/GossiTheDog/status/922859996609736710

Based on analysis by ESETEmsisoft, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to use servers and workstations on the same network via SMB and WebDAV.

After installing the  install_flash_player.exe variant by victims then Finally computer will be Locked by Bad Rabbit and it will showing the following Ransom note.

Bad Rabbit Infected Machine

Later, Victims will be demanded to pay 0.05 Bitcoin to get decrypt key at the same time payment deadline time count also running in the Screen with a running timer which counting down toward an hour when the price goes up.

Bad Rabbit also can able to Encrypt the following file Extension which is presented to the victim’s computer.

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg.conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg.nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf.pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd.zip

According to ESET report, Following countries, are the most infected by Bad Rabbit Ransomware.

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had the foot inside their network and launched the watering hole attack at the same time as a decoy. ESET said.

Bad Rabbit Ransom Notes

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.

We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#1:

C&C servers

  • Payment site: http://caforssztxqzf2nm[.]onion
  • Inject URL: http://185.149.120[.]3/scholargoogle/
  • Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Embedded RSA-2048 Key:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3
tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwl
lpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7Y
TMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0
CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB 

IOCs:

  • http://1dnscontrol[.]com/
  • fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
  • 1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
  • b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market.Unlike traditional standalone ransomware sales, RaaS...

A Massive Hacking Toolkit From “You Dun” Threat Group Developed To Lauch Massive Cyber Attack

The "You Dun" hacking group exploited vulnerable Zhiyuan OA software using SQL injection, leveraging...

Embargo Ransomware Actors Abuses Safe Mode To Disable Security Solutions

In July 2024, the ransomware group Embargo targeted US companies using the malicious loader...