Bad Rabbit showed: ransomware encrypts backup data
On Tuesday, October 24, 2017, the Bad Rabbit ransomware attacked Russia, Ukraine, Turkey, Germany, Bulgaria, the United States, and Japan. At the same time, Russia and Ukraine suffered the most, as its distribution began on hacked Russian news sites. The first victims were the Russian agencies Interfax and Fontanka, as well as Ukrainian transport organizations, including Odessa Airport, Kiev Metro and the Ministry of Infrastructure and several other organizations.
Our research has shown that Bad Rabbit is based on the redesigned NonPetya and exPetr code, which is also indicated by its behavior model and the ultimate goal of the attacks. At the same time, we noticed that it includes elements of other ransomware programs , for example, the approaches used in the development of the HDDCryptor ransomware. However, at the same time, the people behind Bad Rabbit corrected some errors and brought all of the above elements together, getting a very interesting result. In addition, they used a fake Symantec security certificate for their code. Another characteristic feature of Bad Rabbit is the ability to collect user passwords on infected computers and download additional malicious modules.
The encryptor in question does not use fundamentally new tricks when attacking and infecting, but rather, on the contrary, it relies on a very old trick that involves users installing a fake Adobe Flash update. Surprisingly, this approach still works, clearly showing the low awareness of companies and consumers in matters of cybersecurity and the danger lurking behind ransomware programs. Until users take this threat seriously and take the necessary security measures, the risks of losing access to their data remain very high.
Bad Rabbit Key Facts
- Uses NonPetya / ExPetr Code Elements
- Distributed under the guise of an update for Adobe Flash that requires manual installation
- It uses a legitimate driver for encryption
- It makes attempts to spread over the local network in a rather primitive way, but can also use the SMB EternalRomance vulnerability.
- Replaces the master boot record of the hard drive and renders the computer unusable
- Legitimate driver is not always stable on Windows 10, system crash is possible
- Mostly affected corporate Windows users
Scheme of infection and technical characteristics
To launch an attack, cybercriminals hacked several sites of popular media and posted a script on them with a link to a fake Adobe Flash installer, which asked users to start the update when they visited the site. Many users fell for this trick, even though security experts have warned people for years against installing software updates from dubious sources and recommend checking all updates with antivirus to make sure there is no hacking or malware infection. Similar fake Adobe software updates were very popular many years ago and, unfortunately, remain effective today.
The dropper is distributed from the address hxxp: // 1dnscontrol [.] Com / flash_install.php. After that, the user downloads the install_flash_player.exe file, which requires administrative privileges on the system. What's funny is that he tries to get them using a standard user account control (UAC) query. When launched, the dropper retrieves the file-level cryptographic module infpub.dat (actually, the dll library), the disk-level cryptographic module dispci.exe, and the kernel mode driver cscc.dat (actually the legal dcrypt.sys driver).
After a user “independently” infects their computer, Bad Rabbit tries to spread over the local network using the mimikatz tool, which allows it to extract credentials from the local security authentication system in clear form, as well as an integrated list of credentials containing examples of least successful passwords. The attacks of the bad guys remain very effective, because “12345” and “password” for many years remain in the top of the most popular passwords.
As we already noted, Bad Rabbit uses two types of encryption - file and disk level. It does not imitate chkdsk.exe, as NonPetya did to mask encryption, and does not use the EternalBlue vulnerability in the Microsoft srv.sys file server, but can use the EternalRomance vulnerability in the Microsoft srv.sys file server. First, Bad Rabbit starts file level encryption (infpub.dat via rundll32) if it finds enough files for this. Then, in the Scheduler, he creates tasks for running dispci.exe to encrypt disks, and then restarts the system. After the first restart, dispci.exe prescribes an extended boot program at the end of the disk, which later takes over all the management functions using the infected MBR disk. Finally, the entire drive is encrypted,
What is curious - on computers with Windows 10, the module used for encryption often causes the appearance of a "blue screen of death" due to compatibility issues. Another point - when encrypting files, their extension does not change, which can disrupt the heuristic mechanisms used by some antiviruses that respond to extension changes. Bad Rabbit can also work offline, and potentially this means that it can infect other computers through flash drives.
The main goal of Bad Rabbit is companies and commercial enterprises, and at the moment we are already seeing a decrease in the level of infection. The malicious server is no longer active, and most infected sites that hosted the script for malicious Flash updates are currently disabled or cured. However, this does not mean that you can relax. A new attack can occur at any time.
We have been following the problem of ransomware for a long time and noticed that users most often rely on backups as the main tool for protecting their data. As you might guess, not only we, but also cybercriminals drew attention to this, therefore, almost all new ransomware programs try to delete or encrypt backup files as well. For example, Bad Rabbit, as seen in the screenshot above, attacks Acronis Backup files (* .tib).
Unfortunately for Bad Rabbit developers, starting with Acronis True Image 2017 New Generation, we provide reliable multi-level data protection using Active Protection technology, and the latest attack perfectly illustrates the effectiveness of our proactive technology. To repel an ransomware attack and protect user data, Active Protection does not need to be constantly updated, connected to the Internet, or use complex predefined rules. All this allows Acronis to provide the most secure backup in the world, providing the only solution that combines active and passive approaches to data protection.
How Acronis Active Protection fights Bad Rabbit and any cyber-extortion attempts
Let's take a step-by-step look at how Active Protection protects data from Bad Rabbit.
First of all, Acronis Active Protection detects malicious DLL modules launched through rundll32, recommends that the user block the malicious process, and automatically cancels all unauthorized changes.
Active Protection also detects and blocks malware attempts to modify the master boot record (MBR) of your hard drive.
Finally, the robust self-defense technologies included with Acronis Active Protection easily prevent Bad Rabbit or any other ransomware from encrypting backups.
Earlier this year, the self-defense function was independently tested in the Anti-malware-test.com laboratory and was recognized as very effective, while most other backup solutions are practically incapable of self-defense.
A reliable backup that can stop the ransomware program is an absolute must
Think about the fact that if the antivirus program fails and the malware encrypts the backups, your data will be lost forever.
Therefore, it is important to choose a backup solution that:
- Includes proactive technologies against ransomware such as Acronis Active Protection .
- It provides multi-layer protection that works at all stages of a potential attack: it warns, counteracts and restores.
- It offers reliable self-defense features that prevent the ransomware from endangering either local or cloud backups.
- It works quickly, as slow recovery means a loss of time and money. Acronis technologies have been independently tested to prove their competitive advantage over speed.
Reliable backup solutions from Acronis:
- For business - Acronis Backup 12.5
- For home users - Acronis True Image 2018
- For service providers - Acronis Backup Cloud