Friday 27 October 2017

Bad Rabbit Ransomware or Evolution of NotPetya

BadRabbit launched on the morning of Tuesday, October 24, 2017 was delivered through drive-by downloads of the fake Adobe Flash Player installer from the hacked websites. The installer came undetected with a Symantec digital certificate and 1 out of 65 detection rate on VirusTotal. The Bad Rabbit ransomware having the similar set of features and code snippets to the NotPetya wiper can be considered like its new version supposedly created by the same author. In the new version, the legitimate DiskCryptor driver used to install the bootloader and encrypt the hard disk volumes in a hidden way.

Main outcomes:
  • The BadRabbit is a new version of NotPetya, supposedly written by the same author;
  • It's a cryptolocker - you can unlock the computer and decrypt the data only by paying 0.05 BTC;
  • This is not a targeted attack, unlike NotPetya
  • The BadRabbit is distributed over the local network using the EternalRomance vulnerability in SMB1, WMI, WebDAV, brute-force with simple passwords through NTLMSSP
  • The BadRabbit uses the legitimate DiskCryptor driver
Read the full report for more details.

Monday 2 October 2017

VB2017: Battlefield Ukraine

This summer, Ukraine unwillingly became the battlefield of the hacker group(s) with the supposedly Russian roots and the antivirus industry. This is not the first time when Ukraine attracts attention of cyber security experts. Suffice it to recall in this regard the several waves of cyber attacks against critical infrastructure of Ukraine using the BlackEnergy [1] and Industroyer [2,3] industrial malware supposedly created by a Russian hacker group.