
Kaspersky Lab, Avast and Check Point Software share Bad Rabbit insight (Updated)

By Nickey Ross - on 27 Oct 2017, 12:50pm


Image source: HackRead.

Updated on October 27, 2017, 12:50pm: Avast, in addition to Kaspersky Lab and Check Point Software, has also provided valuable information regarding the recent Bad Rabbit attacks that have been plaguing parts of Europe. Avast Threat Labs reports that users in 15 countries have been targeted, with Russia the most affected country, followed by Ukraine and Bulgaria. Other European nations such as Romania and Poland were also affected, as was the United States, though the detection rate in each of those countries was one percent or lower.

Beyond the ransom payments it seeks, Bad Rabbit is also capable of disrupting a business's operations.

Once the ransomware gets hold of a computer, it tries to spread across the connected network to infect more machines. Bad Rabbit carries a set of default login and password combinations for lateral movement within the local network, and it uses Mimikatz to harvest further credentials from the infected computer, a tactic also employed by NotPetya.

The SMB protocol lets the ransomware move laterally, but unlike WannaCry and NotPetya, no exploits are used. Bad Rabbit relies on harvested passwords, a dictionary attack against logins, or a completely open network share to spread itself.

Mimikatz targets a Windows process called LSASS (Local Security Authority Subsystem Service), which handles authentication and therefore holds passwords and hashes in memory. If, for instance, a shared folder on another computer needs to be accessed, a username and password have to be keyed in.

That data is cached in LSASS so that it does not have to be entered again. Mimikatz scans LSASS memory for credential pairs and extracts them. The credentials can then be used to access remote shares, which is exactly what Bad Rabbit needs in order to encrypt remote shares or infect more devices.

Avast recommends running LSASS as a protected process on Windows 8.1 and later to prevent Mimikatz from reading its memory. However, the feature is not turned on by default.
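The protected-process setting Avast refers to is LSA Protection, which is controlled by the RunAsPPL registry value. The PowerShell below is an added example, not code from the article or from Avast; it reports whether the value is configured and whether LSASS actually started protected at the last boot, and can switch the setting on. The event-log check assumes the Wininit provider's event ID 12 is the one that records a protected LSASS start.

```powershell
# Added example (not from the article or from Avast): check whether LSASS runs as a
# protected process (LSA Protection, Windows 8.1 / Server 2012 R2 and later) and
# optionally turn it on. The setting is the RunAsPPL DWORD under the Lsa key and
# takes effect only after a reboot.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    $item = Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $configured = if ($null -ne $item) { [int]$item.RunAsPPL } else { 0 }

    # Wininit writes event ID 12 to the System log when LSASS actually started as a
    # protected process (assumption: the provider name contains "Wininit"; other
    # providers also use ID 12, hence the extra filter).
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' } |
        Select-Object -First 1

    [pscustomobject]@{
        RunAsPPLConfigured = ($configured -ne 0)
        ProtectedSinceBoot = ($null -ne $bootEvent)
    }
}

function Enable-LsaProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Needs an elevated (administrator) session. New-ItemProperty -Force creates the
    # value if it is missing and overwrites it otherwise.
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set RunAsPPL = 1')) {
        New-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output 'RunAsPPL set to 1. Reboot before LSASS starts as a protected process.'
    }
}

# Usage: report the current state, then enable (with a confirmation prompt) only if
# the value is not already configured.
$state = Get-LsaProtectionState
$state | Format-List
if (-not $state.RunAsPPLConfigured) {
    Enable-LsaProtection -Confirm
}
```

A protected LSASS refuses to load LSA plugins and drivers that are not signed to Microsoft's requirements, so third-party authentication packages or smart-card middleware can stop working. Microsoft documents an audit mode for the same key (the AuditLevel value) that logs would-be failures without enforcing them; running that first on a representative machine is the practical way to find such dependencies before rolling RunAsPPL out.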

As for encryption, the ransomware encrypts both the files and the disk of the infected computer. First, files are encrypted using the Windows cryptography Crypto-API, while at the same time the disk encryption software DiskCryptor is installed on the PC. The infected PC is then set up to reboot, after which disk encryption begins.

During the installation of DiskCryptor, the ransomware installs a new service called "cscc". For file encryption, the original files are encrypted in place, meaning that recovering them without the decryption key would be extremely difficult.

Bad Rabbit encrypts files with AES-128, which is strong enough that it cannot be broken by brute force. The encryption key is a 33-byte value randomly generated with CryptGenRandom; it is then converted to a 32-character password and passed through an MD5 hash. Unlike the files affected by NotPetya, the files encrypted by Bad Rabbit are not corrupted.

To evade antivirus detection, Bad Rabbit uses convoluted command lines to fool command-line parsers; antivirus software would have been able to detect the disk encryption software if the attackers had used a plain command line. One example of such a disguised command line is "C:\Windows\system32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR", in which the task name is a reference to Game of Thrones.
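The evasion above works because a parser that looks only at the outermost program sees cmd.exe rather than schtasks. The PowerShell below is an added example, not code from the article or from Avast: it peels any number of "cmd.exe /c" wrappers off a process command line and then flags scheduled-task creation that runs as SYSTEM at boot, which is the shape of the rhaegal task. The sample lines are constructed for the example, the /TR payload path in them is a placeholder, and the optional live query assumes the Security log records command lines in event 4688 (which needs "Include command line in process creation events" enabled).

```powershell
# Added example (not from the article or from Avast): unwrap "cmd.exe /c" layers and
# flag schtasks /Create ... /RU SYSTEM ... /SC ONSTART. Samples are constructed.

function Get-UnwrappedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $line = $CommandLine.Trim()
    # Repeat while the line still starts with an (optionally quoted, optionally
    # full-path) cmd.exe followed by /c or /k; capture whatever comes after.
    while ($line -match '^"?(?:[A-Za-z]:\\(?:[^"\\]+\\)*)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$') {
        $line = $Matches[1].Trim()
        # cmd /c "inner command": drop the quotes that enclose the whole inner command.
        if ($line.Length -ge 2 -and $line[0] -eq '"' -and $line[-1] -eq '"') {
            $line = $line.Substring(1, $line.Length - 2).Trim()
        }
    }
    return $line
}

function Test-SuspiciousTaskCreation {
    param([Parameter(Mandatory)][string]$CommandLine)
    $inner = Get-UnwrappedCommandLine -CommandLine $CommandLine
    # -match is case-insensitive by default, so /create, /ru system etc. also match.
    return ($inner -match '^schtasks(?:\.exe)?\b.*?\s/Create(?:\s|$)' -and
            $inner -match '\s/RU\s+"?(?:NT AUTHORITY\\)?SYSTEM"?(?:\s|$)' -and
            $inner -match '\s/SC\s+ONSTART(?:\s|$)')
}

function Find-SuspiciousTaskCreationEvents {
    param([int]$MaxEvents = 5000)
    # Security event 4688 carries the command line only when command-line auditing
    # is enabled; without it the CommandLine field is empty and nothing is flagged.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cl  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cl -and (Test-SuspiciousTaskCreation -CommandLine $cl)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    CommandLine = $cl
                    Unwrapped   = (Get-UnwrappedCommandLine -CommandLine $cl)
                }
            }
        }
}

# Constructed samples: the article's wrapper with a placeholder /TR payload, a doubly
# wrapped variant in lower case, and two benign lines that must not be flagged.
$samples = @(
    'C:\Windows\system32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\path\to\payload.exe"',
    '"C:\Windows\System32\cmd.exe" /c "cmd.exe /c schtasks.exe /create /ru system /sc onstart /tn t1 /tr C:\path\to\payload.exe"',
    'schtasks /Create /SC DAILY /TN NightlyBackup /TR C:\tools\backup.exe',
    '"C:\Windows\System32\cmd.exe" /c dir C:\Users'
)
foreach ($s in $samples) {
    [pscustomobject]@{
        Suspicious = (Test-SuspiciousTaskCreation -CommandLine $s)
        Unwrapped  = (Get-UnwrappedCommandLine -CommandLine $s)
    }
}
```

The first two samples are flagged and the last two are not. The unwrapping is the part that matters: a rule that anchors on "schtasks" at the start of the command line would miss both wrapped samples, whereas one that merely searches for the substring would fire on the benign daily task as well. Boot-time SYSTEM tasks do have legitimate uses, so in practice the flagged events are a triage queue to be correlated with the creating process and the task's /TR target rather than a verdict on their own.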


Originally published on October 27 at 6:21pm:

As we reported yesterday, the Bad Rabbit epidemic has been targeting businesses in parts of Europe.

Regarding the epidemic, Kaspersky Lab has said that many of the victims are in Russia and that devices were infected with the ransomware through a number of Russian media websites that had themselves been hacked. Kaspersky Lab believes this was a targeted attack on corporate networks using tactics similar to those employed in the NotPetya attack. Kaspersky Lab's products identify the attack with the following verdicts:

  • UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network)
  • PDM:Trojan.Win32.Generic (detected by System Watcher)
  • Trojan-Ransom.Win32.Gen.ftl

Kaspersky Lab is encouraging its corporate customers to ensure that all protection mechanisms are active, and in particular that the KSN and System Watcher components, which are enabled by default, remain enabled. The firm also urges users who are not running its security solutions to block execution of files at the paths c:\windows\infpub.dat and C:\Windows\cscc.dat using system administration tools.
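The article does not say which tools to use for that block. The PowerShell below is an added example, not code from the article or from Kaspersky Lab: it takes the approach of pre-creating the two files and giving each an empty DACL, so that the ransomware cannot write its own copy to those paths and nothing can read or execute what is there. The function names are this example's own, and it assumes $env:SystemRoot resolves to C:\Windows.

```powershell
# Added example (not from the article or from Kaspersky Lab): pre-create the two
# paths Bad Rabbit uses and strip all permissions from them. An empty DACL (as
# opposed to a missing one) grants access to nobody. Run from an elevated session.

function Protect-BadRabbitDropPaths {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Paths from the article; $env:SystemRoot is assumed to be C:\Windows.
        [string[]]$Path = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
    )
    foreach ($p in $Path) {
        if (-not $PSCmdlet.ShouldProcess($p, 'Create placeholder and remove all permissions')) { continue }
        if (-not (Test-Path -LiteralPath $p)) {
            New-Item -ItemType File -Path $p -Force | Out-Null
        }
        $acl = Get-Acl -LiteralPath $p
        # Stop inheriting from the parent directory and discard the inherited entries ...
        $acl.SetAccessRuleProtection($true, $false)
        # ... then remove any explicit entries, leaving an empty DACL.
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $p -AclObject $acl
    }
}

function Test-BadRabbitDropPaths {
    param([string[]]$Path = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"))
    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p
        $aceCount = $null
        if ($exists) {
            # -1 means even reading the DACL was denied, which also counts as locked down.
            try { $aceCount = (Get-Acl -LiteralPath $p -ErrorAction Stop).Access.Count } catch { $aceCount = -1 }
        }
        [pscustomobject]@{
            Path          = $p
            Exists        = $exists
            AccessEntries = $aceCount
            Protected     = ($exists -and $aceCount -le 0)
        }
    }
}

# Usage: apply, then verify that both files exist with no access entries.
Protect-BadRabbitDropPaths -Verbose
Test-BadRabbitDropPaths
```

Because the owner of a file keeps the implicit right to change its permissions, the placeholders remain removable by an administrator later; the point is only that the ransomware's dropped components cannot land at those paths. This is a stop-gap tied to two specific filenames, so it complements rather than replaces the endpoint protection and credential hardening discussed above.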

Check Point Software also weighed in on the attack, noting that the Bad Rabbit ransomware is new. It also points to another security risk: mining of crypto-currencies such as Bitcoin or Ethereum, which consumes CPU (and GPU) power in the process. Other current hazards it mentions include the KRACK WiFi attack, the ROCA factorization attack and the DUHK cryptographic vulnerability.

It has been found that crypto-currency miners inject code into prominent web streaming and sharing sites without the users' knowledge, using up to 65 percent of their CPU power.

Crypto-mining malware attacks are also on the rise. Disturbingly, hackers are able to use an unsuspecting user's web browser to mine crypto-currencies. For instance, the CoinHive hack via leaked passwords demonstrates how easy it is to carry out with nothing more than JavaScript code and DNS.

Additionally, Kaspersky Lab has uploaded a video showing how the Bad Rabbit ransomware operates, which can be seen below.
