Categories: Ransomware

Beware : Mass Ransomware Cyber Attack with “Bad Rabbit” Ransomware Hitting Many Government & Private organization

A New ransomware family called  “Bad Rabbit” rapidly spreading across the Eastern European countries affecting government and private agencies including Russia, Ukraine, Bulgaria,  and Turkey.

Bad Rabbit is a previously unknown ransomware family and it is distributing mostly via drive-by attacks using Adobe Flash player and no Exploit were used by this Bad Rabbit ransomware.

Drive-by Attacks cybercriminals look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script may install malware directly onto the computer of someone who visits the site.

Bad Rabbit Rapidly spreading across the world same as Previously biggest Ransomware  Families Wannacry Petya, Locky outbreaks.

This ransomware dropper is distributed from fake Adobe Flash players installer “hxxp://1dnscontrol[.]com/flash_install.php” and victims are redirected to this malware web resource from legitimate news websites.

Adobe Flash Player based Malicious variant  install_flash_player.exe need to manually installed by Victim.

Kaspersky and Eset Researchers said, “Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”

Bad Rabbit also capable of scheduling talk with the name of dragon, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm,

Based on analysis by ESETEmsisoft, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to use servers and workstations on the same network via SMB and WebDAV.

After installing the  install_flash_player.exe variant by victims then Finally computer will be Locked by Bad Rabbit and it will showing the following Ransom note.

Bad Rabbit Infected Machine

Later, Victims will be demanded to pay 0.05 Bitcoin to get decrypt key at the same time payment deadline time count also running in the Screen with a running timer which counting down toward an hour when the price goes up.

Bad Rabbit also can able to Encrypt the following file Extension which is presented to the victim’s computer.

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg.conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg.nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf.pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd.zip

According to ESET report, Following countries, are the most infected by Bad Rabbit Ransomware.

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had the foot inside their network and launched the watering hole attack at the same time as a decoy. ESET said.

Bad Rabbit Ransom Notes

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.

We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#1:

C&C servers

  • Payment site: http://caforssztxqzf2nm[.]onion
  • Inject URL: http://185.149.120[.]3/scholargoogle/
  • Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Embedded RSA-2048 Key:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3
tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwl
lpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7Y
TMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0
CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB 

IOCs:

  • http://1dnscontrol[.]com/
  • fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
  • 1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
  • b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

3 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

3 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

6 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

9 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

10 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

10 hours ago