A ransomware attack has put a halt to business inside a handful of Russian media outlets and a number of major organizations in the Ukraine, including Kiev’s public transportation system and the country’s Odessa airport.
The attacks are known as Bad Rabbit and harken back to the ExPetr/NotPetya attacks of this summer which also concentrated in Ukraine and Russia, but instead spread wiper malware used in the Petya attacks of 2016.
Today’s outbreak is spreading via drive-by download attacks from legitimate news sites, according to researchers at Kaspersky Lab who published an analysis on Securelist. Russia’s Interfax is one such agency reporting its services are down because of the attack. Host sites are infected with a dropper in the guise of a phony Adobe Flash Player installer. Kaspersky Lab said it has observed victims in Turkey and Germany as well, counting almost 200 targets.
There are no exploits involved in this attack, Kaspersky Lab said, and victims must manually launch the downloaded file named install_flash_player.exe. The executable requires elevated privileges to run, and uses a Windows UAC prompt to obtain them, again with the victim’s permission. If the executable runs as expected, it grabs a file-encrypting malware called infpub.dat, Kaspersky Lab said, adding that the file may be capable of brute-forcing NTLM login credentials for Windows machines with pseudorandom IP addresses.
“This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack,” Kaspersky Lab said in a statement. “However, we cannot confirm it is related to ExPetr. We continue our investigation.”
ExPetr emerged in late June and was quickly scrutinized as more dangerous than WannaCry, which spread globally just a month earlier. Like WannaCry, the attackers behind ExPetr used the leaked NSA exploit EternalBlue to spread the malware. In the early hours of the attack, Danish shipping giants Maersk and Russian oil company Rosneft were reporting infections and impacts to their respective businesses. It was eventually determined that ExPetr was not a ransomware attack, but a wiper.
The infpub.dat file prominent in today’s attack will also install another malicious executable called dispci.exe. It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal. There’s also a reference to a Game of Thrones character GrayWorm in the code.
“The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor,” Kaspersky Lab said. “It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.”
#BadRabbit ransomware uses the code from DiskCryptor (a legitimate utility for disk encryption).
— Anton Ivanov (@antonivanovm) October 24, 2017
DiskCryptor is a freely available open source full disk encryption system for Windows, and can be used to encrypt a hard drive or partitions.
Victims are presented with a ransom demand of 0.05 Bitcoin, a timer counting down toward an hour when the price goes up.
Researchers at ESET, meanwhile, have said that the disk encryption executable can be spread via SMB. The Mimikatz pen-testing tool is also aunched on the compromised machine and steals credentials in addition to a list of hardcoded usernames and passwords.