  • Breaking: New ransomware BadRabbit moving quickly through Russia, Ukraine

    Posted on October 24th, 2017 at 10:22 by woody

    Looks like the initial infection vector is a fake Flash update.

    Will keep you updated, but watch Catalin Cimpanu on Bleepingcomputer and Kevin Beaumont on Twitter (@GossiTheDog aka Beaumont Porg, Esq) for reliable info.

    Steve Ragan has multiple details in CSO.

    What should you do? Don’t sweat it. Make sure you have MS17-010 installed. As long as you aren’t connected to a corporate network (where the WebDAV infection vector may come into play), you’re fine. If you’re worried about getting stung on a corporate network, there’s a detailed step-by-step vaccination description on Cybereason which involves creating two files, infpub.dat and cscc.dat, and blocking access to them (turning off “inherited permissions”).

    Idle thought: I wonder if the Win10 FCU ransomware blocker “Controlled folder access” effectively blocks Bad Rabbit? No, I’m not going to try it.

    UPDATES:

    Bleepingcomputer post is up.

    Welivesecurity: Several transportation organizations in Ukraine, as well as some governmental organizations, have suffered a cyberattack, resulting in some computers becoming encrypted, according to media reports. Public sources have confirmed that computer systems in the Kiev Metro, Odessa airport, Ukrainian ministries of infrastructure and finance, and also a number of organizations in Russia are affected… ESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D, a new variant of ransomware also known as Petya. The previous variant of Diskcoder was used in a damaging cyberattack on a global scale in June, 2017.

    Pic of the ransomware screen (c/o Jiri Kropac, @jiriatvirlab)

    Windows Defender catches it.

    Beaumont: #BadRabbit uses a legit, signed program called DiskCryptor to lock out the victim hard drive… It’s actually a neat way of doing it as the kernel drivers are co-signed by Microsoft’s driver signing program… #BadRabbit (also) has hard-coded credentials in it, for whatever reason. Overwrites MBR, Petya style… Shoutouts to Kaspersky and ESET over #BadRabbit – both had detection before I even knew about it, and were well under way investigating… Good job USG [US government] is removing Kaspersky btw, otherwise they could be protected right now… spreads (also) via WebDAV internally – this is new for a worm… It schedules a shutdown of the PC (a la Petya), never to return, which limits spread. Somehow they got this across companies quickly.

    @VessOnSecurity: My SMB honeypot isn’t seeing anything unusual. Either #badrabbit is very targeted or it’s only a LAN worm, like (not)Petya.

    @fwosar: #BadRabbit contains lateral movement based on own SMB implementation… appears to be using our good buddy EternalBlue!

    @jaytezer: #badrabbit found to have 13% code reuse of #notpetya #petya here’s a public report with the unpacked sample: https://t.co/NOIul4yLVT

    Avast: #BadRabbit now detected in the U.S. We expect a growing number of detections in the hours ahead. Spreading thru SMB (which means MS17-010 should stop it).

    @campuscodi Kaspersky researcher has successfully decrypted files locked by #BadRabbit, meaning the ransomware works as expected, unlike NotPetya. (NotPetya was a wiper, looks like #BadRabbit is a for-real encryptor)

    BitDefender analysis is up.

    Andy Greenberg at Wired says Kaspersky has “found strong evidence” that BadRabbit is from the same folks who brought us NotPetya.



    This topic contains 34 replies, has 14 voices, and was last updated by Seff 2 months, 3 weeks ago.

    • #140421 Reply

      woody
      Da Boss

      [See the full post at: Breaking: New ransomware BadRabbit moving quickly through Russia]

      3 users thanked author for this post.
    • #140431 Reply

      anonymous

      What, the attacker expects you to type in that mess/key? I think most users would be hard pressed to type that even if they wanted to fund the attackers.

    • #140436 Reply

      MrBrian
      AskWoody MVP
      • #140522 Reply

        anonymous

        I have read that it is suggested to turn off the WMI service to help protect against this attack.

        Is that recommended here?

        It also makes me wonder: is there an area on this site with instructions on which service(s) should be active or disabled, to make the OS as tight as possible?

        Novice user, Win 8.1

        • #140574 Reply

          woody
          Da Boss

          If you’re attached to a corporate network that may be compromised, then turning off the WMI service may help.

          For most people, it isn’t necessary.

          2 users thanked author for this post.
    • #140514 Reply

      TheSuffering
      AskWoody Lounger

      So if Windows Defender detects it, that means it’s the same for MSE, right?

      1 user thanked author for this post.
    • #140562 Reply

      Carl D
      AskWoody Lounger

      This ransomware business is getting totally out of hand these days.

      Unfortunately, many people will continue to be targets for this because they seem to have the attitude that “it will never happen to me” or they’re just blissfully unaware of the danger.

      I consider myself to be ‘immune’ because I have 2 solid state drives in my PC tower – the first one has Windows and the second is a ‘data’ drive with pictures, videos, Windows Macrium images, etc.

      In addition, I always keep several Macrium images of the Windows drive on a separate external USB hard drive (which is powered off when not in use) and I have an extra SSD which is an exact duplicate of my data drive and it is updated weekly. I also have another spare SSD which can be used to swap out the Windows SSD if needed.

      Plus, all of my data is backed up on another external USB hard drive which is also powered off when not in use. And, everything is also on my trusty 11 year old HP laptop which is still running perfectly (especially after putting an SSD in it a couple of years ago).

      If I’m hit by ransomware, it is just a matter of swapping out the 2 SSDs in the PC tower and restoring a Macrium image of the Windows drive. The laptop is also backed up regularly with Macrium.

      2 users thanked author for this post.
      • #140591 Reply

        GoneToPlaid
        AskWoody Lounger

        The upshot of your very good comment is that all computer users should be backing up their computers on a regular schedule — and without fail. Hard drives fail over time. A computer can get infected with malware. A computer power supply can fail in an unforeseen way which takes out the computer’s motherboard and/or other components. A CPU fan can fail, such that the CPU gets too hot and either burns up or causes data corruption. Chipsets can fail, due to overheating, resulting in I/O data corruptions. These are just some possibilities. Yet most people do not appreciate the importance of backing up their computers and data on a regular basis until it is too late.

        I too use Macrium to back up all of my computers. I will never use Acronis ever again, yet that is a different story. And like you, not only do I keep all of my data on separate partitions, but I also keep two offline backups of my data.

        I installed removable HDD bays on all of my computers so that I can insert a SATA drive, perform my backup really fast in comparison to USB2 or USB3 methods, and then remove the backup drive when I am done. Offline backups of course cannot become infected.

        4 users thanked author for this post.
        • #140767 Reply

          wdburt1
          AskWoody Lounger

          I abandoned Acronis for their failure to fix a longstanding bug that prevented Windows from shutting down, and I use Macrium Reflect for daily and monthly images. Its simplicity and unpretentiousness make me a loyal user.

          I read that the “expert” view is that three backups are required: desktop (for convenience), hidden away onsite, and offsite. Not a bad idea.

          • This reply was modified 2 months, 3 weeks ago by  wdburt1.
        • #140857 Reply

          Seff
          AskWoody Lounger

          The advice to run regular backups is generally good advice for many users, but bear in mind that not everyone uses their computer(s) for the same purpose or needs a total backup. In my own case, for example, there is nothing on either of my two desktops that I could not afford to lose although a few things like emails and the odd photo or other document are routinely kept on both machines anyway (with emails and attachments also kept on webmail) so they can always be accessed if one machine fails or is compromised. I never install updates or make other changes to both machines at the same time, and they are not connected. They are used primarily for gaming and all saved data is either kept server-side by the game developer or else is backed up on the Cloud by a gaming platform such as Steam.

          Losing my hard drive’s contents to either a ransomware attack or a hard drive failure would therefore be an inconvenience but not a problem, no different say to when I buy a new drive or computer. I have very simple systems with all that I need reinstalled very quickly. For other users it can be very different, of course, especially when they are using their computers for their work (as I did before I retired). It is important, however, that people also recognise that backups don’t always work and shouldn’t be totally relied on.

          I’m not complacent by any means, but equally I am not paranoid either. I take sensible precautions and beyond that I find it pays to be philosophical these days!

          • This reply was modified 2 months, 3 weeks ago by  Seff.
    • #140561 Reply

      anonymous

      I got an 18 MB Windows Defender download today. Most WD downloads I get are a megabyte or less. I don’t know if this is related to the topic or not.

      • #140665 Reply

        anonymous

        I don’t know exactly about Windows Defender (I use Microsoft Security Essentials on Win7) but I support the belief (elsewhere in this topic) that WD and MSE probably share the same definitions (at least, the mpam-fe.exe downloaded current-state definition files have always been identical, in my occasional checks).

        I noticed that yesterday (24 October) MSE’s definition file numbers started a new sequence; was 1.253.xxxx.0, now 1.255.xx.0. I imagine (no more) that a large-ish definition download yesterday may simply have been related to that change.

    • #140576 Reply

      GoneToPlaid
      AskWoody Lounger

      I like Cybereason’s simple method for preventing infections by BadRabbit. See:

      https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

      In a temporary folder I simply created two zero-length text files named cscc.txt and infpub.txt, set them to read-only, renamed them to .dat, and then copied the two .dat files into my Windows folder. Then I followed the above article’s instructions for removing all permissions for these two new .dat files which I placed in my Windows folder. This will supposedly stop BadRabbit dead in its tracks.

      1 user thanked author for this post.
      • #140583 Reply

        anonymous

        Does it matter if you set the files to read only and rename them after you move them?

        • #140604 Reply

          anonymous

          You have to rename them first and then set the read-only attribute, but after denying permissions on the files it will block them from being read by any normal means. So the redundancy of setting the read-only attribute is not bad, just extra work.

    • #140624 Reply

      liamZ
      AskWoody Lounger

      What about this?

      @echo off
      REM Refuse to run if either placeholder already exists, so nothing gets overwritten.
      if exist %systemroot%\cscc.dat (echo ERROR, FILE EXISTS & pause & exit)
      if exist %systemroot%\infpub.dat (echo ERROR, FILE EXISTS & pause & exit)
      REM Create each zero-length file, mark it read-only, then stop it inheriting the
      REM Windows folder's permissions so no account can open it (run from an elevated prompt).
      type nul > %systemroot%\infpub.dat && attrib +R %systemroot%\infpub.dat && icacls %systemroot%\infpub.dat /inheritance:r
      type nul > %systemroot%\cscc.dat && attrib +R %systemroot%\cscc.dat && icacls %systemroot%\cscc.dat /inheritance:r
      pause
      exit

      • This reply was modified 2 months, 3 weeks ago by  liamZ.
      2 users thanked author for this post.
      • #140649 Reply

        Noel Carboni
        AskWoody MVP

        As long as it’s run from an elevated CMD prompt, that script does what’s described in the cybereason.com article for creating two files that should hinder the infection.

        Adding the ReadOnly attribute is extraneous, though. That’s just a flag that well-behaved applications agree to honor; the ACL-based file permissions being completely removed is what actually blocks access at the file system level.

        Remember that creating files on your system that nothing can access due to permission denial could cause unexpected issues – such as error messages when making backups – in the future. There probably won’t be any real problems, but just remember that you’ve created these files on purpose if you see things go wrong in the future.

        I might choose to echo some friendly reminder message into the files myself, so that if I find myself trying to remember why they’re there… 🙂

        -Noel

        1 user thanked author for this post.
        • #140683 Reply

          Bob99
          AskWoody Lounger

          …Remember that creating files on your system that nothing can access due to permission denial could cause unexpected issues – such as error messages when making backups – in the future. There probably won’t be any real problems, but just remember that you’ve created these files on purpose if you see things go wrong in the future. … -Noel

          However, having removed ALL permissions from the files, if you do have issues either upon reboot or in the future sometime and wish to delete the files because the threat may have loooong since passed, wouldn’t you be unable to do so because of having removed even the system level permissions?

          Just something to think about before proceeding with the permission change to the files.

          • #140713 Reply

            Noel Carboni
            AskWoody MVP

            However, having removed ALL permissions from the files, if you do have issues either upon reboot or in the future sometime and wish to delete the files because the threat may have loooong since passed, wouldn’t you be unable to do so because of having removed even the system level permissions?

            No. If you own the file you can add the permissions back in.

            -Noel

            1 user thanked author for this post.
            • #140724 Reply

              Bob99
              AskWoody Lounger

              D’OH!! Forgot about the ownership aspect!!  :-[  :-[  Nice catch!!
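A PowerShell version of the vaccine discussed in this sub-thread, added here as an example (it is not liamZ’s script, Noel’s code or Cybereason’s): it creates the two files, strips every permission so nothing can open them, checks the result, and shows the owner re-granting access in order to delete them later, which is the point Noel made to Bob99. It assumes an elevated session and uses only the file names and %SystemRoot% location from the thread; the function names and the reminder text are this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Cybereason. The two file names and
# their location in %SystemRoot% come from the thread; everything else is assumed.

$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Protect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path) {
        # Same guard as liamZ's batch script: never overwrite an existing file.
        throw "ERROR, FILE EXISTS: $Path"
    }
    # Noel's suggestion: leave a reminder inside so the file explains itself later.
    $note = "Placeholder created $(Get-Date -Format u) to block BadRabbit (see askwoody.com)."
    Set-Content -LiteralPath $Path -Value $note -Encoding ASCII

    $acl = Get-Acl -LiteralPath $Path
    # Equivalent of 'icacls <file> /inheritance:r': stop inheriting the Windows
    # folder's ACEs and do not copy them onto the file.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs that remain. An empty DACL means no account, including
    # Administrators and SYSTEM, can read, write or delete the file by normal means.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # Reading the ACL still works for the owner (READ_CONTROL and WRITE_DAC are
    # implicit owner rights), which is exactly why the lock-out can be undone later.
    $acl = Get-Acl -LiteralPath $Path
    $readable = $true
    try { [void][System.IO.File]::ReadAllBytes($Path) } catch { $readable = $false }
    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        AceCount = @($acl.Access).Count   # expect 0
        Readable = $readable              # expect False, even from this elevated session
    }
}

function Unprotect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    # Bob99's worry answered: the owner can always add a permission back. If the
    # owner is some other account, take ownership first (takeown.exe /F <file>).
    $acl  = Get-Acl -LiteralPath $Path
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $Path -Force
}

foreach ($file in $VaccineFiles) {
    Protect-VaccineFile -Path $file
    Test-VaccineFile -Path $file
}
# Later, when the files are no longer wanted:
# foreach ($file in $VaccineFiles) { Unprotect-VaccineFile -Path $file }
```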

    • #140656 Reply

      anonymous

      Does not allowing Flash on one’s PC not also protect it?

      • #140671 Reply

        Noel Carboni
        AskWoody MVP

        Does not allowing Flash on one’s PC not also protect it?

        I don’t see it written anywhere that Flash is necessary at all to get the fake Flash update messages.

        A web page can put up any information it wants. In this case it appears such web pages make it look as though a Flash update is available and request that you press a button and allow the launch of a downloaded executable. To a degree, THAT part involves social engineering, since users have to be duped into doing something they might not normally allow.

        However, it seems pretty clear that this isn’t the only way this ransomware spreads.

        If you want to harden your system so that it is less apt to be exposed to malware, I suggest the following:

        1. Review your browser settings and make SURE it’s not possible for any software (e.g., add-ons, downloaded files, etc.) to run without prompting, then of course be VERY wary about allowing ANYTHING to run. For most browsers you can choose to give up some of the “integrated glitz” features in return for additional security. Be aware that there ARE reasonable compromises that serve to keep your system secure yet allow you to see the content. Lastly, understand that you really don’t need browser Add-ons to browse the web.

        2. Though I advise in general against add-ons, consider adding a well-established blacklisting add-on, UBlock, to your browser so as to have it avoid visiting sites known to harbor malware. Such products run from managed lists that are continuously updated. Not allowing your system to visit those sites goes a long way toward never being exposed to malware, yet as with item 1 there are good compromises where you can see the content but the malware and ads are blocked.


        -Noel

        2 users thanked author for this post.
    • #140667 Reply

      Microfix
      AskWoody Lounger

      More info on VirusTotal

      2 users thanked author for this post.
      • #140674 Reply

        GoneToPlaid
        AskWoody Lounger

        It looks like nearly all of the major AV vendors detect it. That is reassuring.

    • #140675 Reply

      liamZ
      AskWoody Lounger

      I might choose to echo some friendly reminder message into the files myself, so that if I find myself trying to remember why they’re there… -Noel

      Agree, that’s what I did on my system.

      Anyway, maybe I’m wrong, but I think once your antivirus is updated to block the malware there’s no need for those files anymore.

      • This reply was modified 2 months, 3 weeks ago by  liamZ.
    • #140697 Reply

      KarenS
      AskWoody Lounger

      Pardon my ignorance but I am soooo confused and reading Woody’s articles is confusing me even more!! My PC uses Windows 7 Home Premium 64 bit and I am in Group A, have been since the rollups started. I have almost every update (except the ones I have been told to avoid by the experts here) every month except for this month as we are still under Defcon 2.

      In Woody’s article (on AskWoody) it says to make sure to have MS17-010 (KB4013389) installed which says it was published on March 14, 2017. I did a search for that KB # on my PC but it was not found. So I clicked on the link in the article that took me to Woody’s Computer World article which states: “If you have any of those patches already installed, then you are good to go and you can sleep well at night. There’s no reason to download or install anything, unless you have absolutely none of those patches.”

      Then it lists these updates for Windows 7:

      • 2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
      • April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
      • April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
      • March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
      • March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

      I checked my PC for all those KB numbers and found NONE installed……I DON’T understand. Are those updates for people in Group A or for those in Group B who are installing Security ONLY updates? Or are those updates included in the Rollup updates that I do every month and already have installed? I know for a fact that I have installed all the Monthly Rollups except for October so I am confused as to why I am missing so many of the updates???? Can someone please clarify or help me with this situation PLEASE!!!

      • #140701 Reply

        PKCano
        AskWoody MVP

        The March, 2017 Security Only Quality Update for Windows 7 (KB4012212) is a Group B patch that has to be downloaded and manually installed – you should not have that one.

        The April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552) is an UNCHECKED optional patch and does not get installed through the important updates in Windows Update – you should not have that one.

        Anything labeled “Security Monthly Quality Rollup for Windows 7” is a CUMULATIVE Rollup that is installed as a CHECKED important update when you run Windows Update. Since they are CUMULATIVE, the latest one contains everything that was in any of the earlier ones.

        So if you have the September 2017-09 Security Monthly Quality Rollup for Windows 7 (KB4038777) or the August 2017-08 Security Monthly Quality Rollup for Windows 7 (KB4034664), then you also have the patches from the March, April, and May Rollups.

        Check to see if you have either August or September patch.

        2 users thanked author for this post.
        • #140706 Reply

          KarenS
          AskWoody Lounger

          PKCano thanks again for being right there to help with my confusion and answer my questions, it is always appreciated.

          I did check and I do have the September 2017-09 Security Monthly Quality Rollup for Windows 7 (KB4038777) installed on my PC but not the August 2017-08 Security Monthly Quality Rollup for Windows 7 (KB4034664). So if I have the one I don’t need to do anything else to be protected?

          • #140707 Reply

            PKCano
            AskWoody MVP

            If you have Sept installed, you have everything in the Rollups before installed.
            You should be good.

            1 user thanked author for this post.
            • #140710 Reply

              KarenS
              AskWoody Lounger

              I am no longer confused or concerned…….Thank you!

            • #140718 Reply

              Noel Carboni
              AskWoody MVP

              I understand your point of view, but I would suggest never stopping being concerned.

              Good security starts with you and your computing habits. Try not to get a false sense of it nor to oversimplify the problem because you expect your antivirus solution to handle everything. If it were true that it was infallible there would be no malware out there, and we know that’s not the case.

              I recommend you keep your awareness up and don’t just “click through” any Flash update screens (or any other unexpected requests to run something) that you see presented to you, even though you feel your antivirus software should block infections.

              -Noel

              1 user thanked author for this post.
            • #140735 Reply

              KarenS
              AskWoody Lounger

              Oh have no fear I am always on alert, that is why I visit this site multiple times a day and take any advice and instructions that I can get with appreciation. When I got my first computer in 2010 and being uneducated in anything to do with them I innocently clicked on what I thought was a Firefox update and was immediately infected with a virus. Believe me when I tell you that I learned my lesson and I don’t click on anything that pops up. I use an adblocker and NoScript, I scan with both Microsoft Security Essentials and Malwarebytes regularly and keep my PC up to date with regard to Windows updates with the help of all the experts here. I know that even doing those things a virus or malware could get through at any time.

              1 user thanked author for this post.
    • #140736 Reply

      Bob99
      AskWoody Lounger

      Woody wrote: “… I wonder if the Win10 FCU ransomware blocker “Controlled folder access” effectively blocks Bad Rabbit?”

      Personally, I think this would be a great “acid test” of sorts for that feature!! However, it would probably get caught by the real time protection feature of Windows Defender and its definition database before activating the folder access feature, since there are reports of Defender successfully catching the rabbit!

      • This reply was modified 2 months, 3 weeks ago by  Bob99.
      • #140757 Reply

        anonymous

        Sounds like a test that a good QA team could do with in-house disposable/recyclable hardware, instead of foisting such a project onto unpaid testers lacking a cross-checking infrastructure to verify all findings. Just an idea.
