A new ransomware worm named "Bad Rabbit" began spreading across the world last Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.
This ransomware attack is most likely hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.
The self-titled “Bad Rabbit” malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses “methods similar to those used” during the NotPetya attack.
Briefly, about yesterday's events:
- The initial infection came through compromised websites serving a fake Flash Player update; it required user interaction to activate and continue exploitation, since the victim had to accept the prompt to install the update;
- Distribution on the local network was done by scanning the internal network for open SMB shares, and by attempting to use WebDAV, an HTTP-based protocol that allows web resources to be read and written;
- Mimikatz was used to extract user credentials from the memory of an infected PC;
- The legitimate DiskCryptor software was used to encrypt files;
- File extensions that were encrypted on a victim's PC:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb
.gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c
.pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd
.vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
| Original name | SHA-256 hash | SHA-1 hash | Description |
|---|---|---|---|
| install_flash_player.exe | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da | de5c8d858e6e41da715dca1c019df0bfb92d32c0 | Dropper |
| infpub.dat | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 | 79116fe99f2b421c52ef64097f0f39b815b20907 | DLL payload |
| cscc.dat | 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 | (not listed) | DiskCryptor driver (x64) |
| dispci.exe | 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | afeee8b4acff87bc469a6f0364a81ae5d60a2add | DiskCryptor client |
| xxxx.tmp | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c | 16605a4a29a101208457c47ebfde788487be788d | Mimikatz (x64) |
| xxxx.tmp | 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 | 413eba3973a15c1a6429d9f170f3e8287f98c21c | Mimikatz (x32) |
| cscc.dat | 8d63e37aa74ca33a926bec7c7aa8fda0f764ffbb20e8f64bb9c3999b5975f9a6 | (not listed) | cscc.dat |
| page-main.js | (not listed) | 4f61e154230a64902ae035434690bf2b96b4e018 | JS/Agent.NWC |
| Ransomware | 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | (not listed) | Ransomware (same SHA-256 as dispci.exe above) |
| DiskCryptor driver x86 | 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 | (not listed) | DiskCryptor driver x86 |
| Invoice_file_06565.doc | 7217fae6f3634cde7d54eba3858e8958eb1e5e85e2c36d968818cdce75a3fae9 | (not listed) | Invoice_file_06565.doc |
C&C servers
Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php
Scheduled task names:
In Taskschd.msc, look for and remove these tasks:
- viserion_
- rhaegal
- drogon
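As an added example (not code from the original write-up), a PowerShell sweep that checks a host for the persistence tasks and dropped files named above, matching the files by SHA-256 rather than by name alone. The task names and hash values are the ones listed on this page; the search roots and file-name patterns are assumptions.

```powershell
# Added example, not from the original write-up: hunt a Windows host for the
# Bad Rabbit artefacts listed above. Task names and SHA-256 values come from
# this page; the search roots and file-name patterns are assumptions.
#Requires -RunAsAdministrator

$taskNames = @('viserion_', 'rhaegal', 'drogon')

# SHA-256 -> description, copied from the hash table above.
$knownHashes = @{
    '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da' = 'install_flash_player.exe (dropper)'
    '579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648' = 'infpub.dat (DLL payload)'
    '0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6' = 'cscc.dat (DiskCryptor driver, x64)'
    '682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806' = 'DiskCryptor driver, x86'
    '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93' = 'dispci.exe (DiskCryptor client)'
    '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c' = 'Mimikatz (x64)'
    '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035' = 'Mimikatz (x32)'
}

# Assumed locations to sweep; widen or narrow to suit the host.
$searchRoots = @($env:SystemRoot, $env:TEMP)
$fileNames   = @('infpub.dat', 'cscc.dat', 'dispci.exe', 'install_flash_player.exe', '*.tmp')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Persistence: the three scheduled tasks named in the write-up.
foreach ($name in $taskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName; Detail = $task.TaskPath })
    }
}

# 2. Dropped files, confirmed by SHA-256 so that a benign file which merely
#    shares a name (e.g. an unrelated .tmp) is not flagged.
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Include $fileNames -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($knownHashes.ContainsKey($hash)) {
                $findings.Add([pscustomobject]@{ Type = 'File'; Name = $_.FullName; Detail = $knownHashes[$hash] })
            }
        }
}

$findings | Format-Table -AutoSize

# 3. Removal of the persistence tasks stays behind -WhatIf so the sweep is
#    read-only; drop -WhatIf once the findings have been reviewed.
$findings | Where-Object Type -eq 'ScheduledTask' |
    ForEach-Object { Unregister-ScheduledTask -TaskName $_.Name -Confirm:$false -WhatIf }
```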
List of compromised web sites
Distribution Paths:
- /flash_install.php
- /index.php
Intermediary Server:
- 185.149.120[.]3
Hidden service:
- caforssztxqzf2nm[.]onion