#CyberSecurityPulse: Last Update About Bad Rabbit Ransomware

ElevenPaths, 31 October 2017

On October 24th, infections by a ransomware called Bad Rabbit began to spread. In less than a day it had hit organizations and consumers, mostly in Russia, Ukraine, Turkey, Bulgaria and the United States.
The ransomware dropper was distributed through drive-by attacks: while the victim visits a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. No exploit is used at this stage, so the victim has to execute the dropper manually; it pretends to be an Adobe Flash installer.

Once inside, however, Bad Rabbit uses the EternalRomance SMB exploit to spread within corporate networks. The same exploit was used by ExPetr. This was a targeted attack against corporate networks, using methods similar to those of the ExPetr attack, and code analysis showed a notable similarity between the ExPetr and Bad Rabbit binaries.
Analyzing the sample, it looks like the criminals behind this malware are fans of the books and TV series Game of Thrones: some of the strings used throughout the code are the names of characters from the series. The researchers also found that files encrypted by Bad Rabbit can be recovered by following a specific procedure: "We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim's files. It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by means of the standard Windows mechanism or 3rd-party utilities".
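The recovery path described in that quote, as an added example that is not part of the original post or of any published Bad Rabbit analysis: a PowerShell script that checks whether Volume Shadow Copies for the affected volume survived, exposes the newest snapshot through a directory symlink, and copies the pre-encryption version of one file out of it. It must run as Administrator on the infected host after it has booted normally (if the disk-level encryption stage ran, there is no booting Windows to run this in). The file paths and the symlink location are assumptions chosen for the example.

```powershell
# Added example (not from the ElevenPaths post): recover one file from the most
# recent Volume Shadow Copy of its volume. Requires an elevated PowerShell session.
param(
    [string]$EncryptedFile = 'C:\Users\victim\Documents\report.docx',  # assumed path
    [string]$RestoreTo     = 'C:\Recovery\report.docx',                # assumed path
    [string]$LinkPath      = 'C:\vss_snapshot'                          # assumed mount point
)

# 1. Work out which volume the encrypted file lives on. Win32_Volume.DeviceID and
#    Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form, so they can be matched.
$drive    = Split-Path -Qualifier $EncryptedFile            # e.g. "C:"
$relative = $EncryptedFile.Substring($drive.Length)         # e.g. "\Users\victim\Documents\report.docx"
$volume   = Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter -eq $drive
if (-not $volume) { throw "No volume found for drive $drive" }

# 2. Check whether any shadow copies of that volume still exist. Many ransomware
#    families run "vssadmin delete shadows /all /quiet" first; the quoted analysis
#    says Bad Rabbit did not, which is what makes this recovery possible.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object VolumeName -eq $volume.DeviceID |
    Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No shadow copies exist for $drive; file-level recovery via VSS is not possible."
    exit 1
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 3. Expose the newest snapshot as a directory so ordinary file tools can read it.
#    mklink needs the trailing backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
$newest = $shadows[0]
cmd /c mklink /d $LinkPath ($newest.DeviceObject + '\') | Out-Null

try {
    # 4. Translate the file's path into its location inside the snapshot and copy it out.
    $snapshotFile = Join-Path $LinkPath $relative
    if (Test-Path $snapshotFile) {
        New-Item -ItemType Directory -Force -Path (Split-Path $RestoreTo) | Out-Null
        Copy-Item -Path $snapshotFile -Destination $RestoreTo
        Write-Output "Restored $EncryptedFile from snapshot taken $($newest.InstallDate) to $RestoreTo"
    }
    else {
        Write-Warning "File not present in snapshot $($newest.ID); try an older shadow copy."
    }
}
finally {
    # 5. Remove only the symlink; the shadow copy itself is left untouched for further recovery.
    cmd /c rmdir $LinkPath | Out-Null
}
```

Restore to a different location rather than over the encrypted file, so that the encrypted copy stays available as evidence and nothing is lost if the snapshot turns out to predate the last good edit. The same snapshot listing doubles as a triage check: a host where this list is empty but the schedule shows snapshots should have existed has probably been hit by a family that does wipe shadow copies, which changes the recovery plan.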

Top Stories

Dutch Privacy Regulator Says Windows 10 Breaks the Law

The lack of transparency about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). To comply with the law, the DPA says that Microsoft must be clearer about what data is collected and how that data is processed and respect previously chosen settings about data collection.

» More information at Ars Technica

The CSE of Canada Releases a Malware-fighting Tool to the Public

The Communications Security Establishment (CSE) has released one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats. Assemblyline is an open-source malware analysis tool that, according to CSE, is used to protect the Canadian government's sprawling infrastructure every day.

» More information at Bitbucket

Rest of the Week's News

Microsoft Releases the Open Source Scanning Tool Sonar

Microsoft announced the availability of Sonar, an open source linting and website scanning tool developed by the Microsoft Edge team. Sonar analyzes a site for a wide range of issues, including coding errors, performance, accessibility, security, Progressive Web App (PWA) readiness, and interoperability.

» More information at Github

APT28 Racing to Exploit Flash Vulnerability Before Patches Are Deployed

The CVE-2017-11292 Adobe Flash vulnerability can lead to code execution on Windows, Mac, Linux, and Chrome OS systems. As a result, attackers are moving quickly to exploit it before patches are deployed, and researchers at Proofpoint have attributed a campaign that used the vulnerability to spread trojan malware to APT28.

» More information at Proofpoint

Further Reading

Google Play Bounty Promises $1,000 Rewards for Flaws in Popular Apps

» More information at Google Play

FBI’s Recruitment Strategy For Cybersecurity Pros Focuses on High School

» More information at Cyberscoop

DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions

» More information at The Hacker News
