Friday, April 19, 2024

Beware : Mass Ransomware Cyber Attack with “Bad Rabbit” Ransomware Hitting Many Government & Private organization

A New ransomware family called  “Bad Rabbit” rapidly spreading across the Eastern European countries affecting government and private agencies including Russia, Ukraine, Bulgaria,  and Turkey.

Bad Rabbit is a previously unknown ransomware family and it is distributing mostly via drive-by attacks using Adobe Flash player and no Exploit were used by this Bad Rabbit ransomware.

Drive-by Attacks cybercriminals look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script may install malware directly onto the computer of someone who visits the site.

Bad Rabbit Rapidly spreading across the world same as Previously biggest Ransomware  Families Wannacry Petya, Locky outbreaks.

This ransomware dropper is distributed from fake Adobe Flash players installer “hxxp://1dnscontrol[.]com/flash_install.php” and victims are redirected to this malware web resource from legitimate news websites.

Adobe Flash Player based Malicious variant  install_flash_player.exe need to manually installed by Victim.

Kaspersky and Eset Researchers said, “Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”

Bad Rabbit also capable of scheduling talk with the name of dragon, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm,

https://twitter.com/GossiTheDog/status/922859996609736710

Based on analysis by ESETEmsisoft, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to use servers and workstations on the same network via SMB and WebDAV.

After installing the  install_flash_player.exe variant by victims then Finally computer will be Locked by Bad Rabbit and it will showing the following Ransom note.

Bad Rabbit Infected Machine

Later, Victims will be demanded to pay 0.05 Bitcoin to get decrypt key at the same time payment deadline time count also running in the Screen with a running timer which counting down toward an hour when the price goes up.

Bad Rabbit also can able to Encrypt the following file Extension which is presented to the victim’s computer.

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg.conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg.nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf.pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd.zip

According to ESET report, Following countries, are the most infected by Bad Rabbit Ransomware.

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had the foot inside their network and launched the watering hole attack at the same time as a decoy. ESET said.

Bad Rabbit Ransom Notes

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.

We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#1:

C&C servers

  • Payment site: http://caforssztxqzf2nm[.]onion
  • Inject URL: http://185.149.120[.]3/scholargoogle/
  • Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Embedded RSA-2048 Key:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3
tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwl
lpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7Y
TMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0
CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB 

IOCs:

  • http://1dnscontrol[.]com/
  • fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
  • 1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
  • b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe
Website

Latest articles

Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums

A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale...

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles