A new ransomware attack is spreading like wildfire across Europe and has already affected over 200 major organizations, primarily in Russia, Ukraine, Turkey, and Germany, in the past few hours.
Dubbed "Bad Rabbit," it is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~$285) as ransom from victims to unlock their systems.
According to an initial analysis by Kaspersky Lab, the ransomware was distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly.
"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We've detected a number of compromised websites, all of which were news or media websites," Kaspersky Lab said.
Security researchers at ESET detect the Bad Rabbit malware as 'Win32/Diskcoder.D', a new variant of the Petya ransomware, also known as Petrwrap, NotPetya, ExPetr, and GoldenEye.
Bad Rabbit uses DiskCryptor, an open-source full-disk encryption utility, to encrypt files on infected computers with RSA-2048 keys.
ESET believes this new wave of attacks does not use the EternalBlue exploit, the leaked SMB exploit that WannaCry and Petya used to spread through networks.
Instead, it first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.
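The lateral-movement behaviour just described (one infected host trying a short list of common credentials against every SMB host it can find) leaves a characteristic trace in Windows logon auditing: a burst of failed logons from a single source against many different targets, sometimes followed by a success. The following detector is an added example, not code from the article, ESET or Kaspersky; it runs over a constructed list of records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon), with field names chosen for this example rather than taken from Microsoft's schema, and the threshold and window are assumptions a SOC would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security event: an account was successfully logged on

# Constructed sample events for this example (not real telemetry). 10.0.0.12 behaves
# like a spreading host: it fails against four different machines within seconds and
# then gets in; 10.0.0.30 is a user mistyping a password twice on one file server.
SAMPLE_EVENTS = [
    {"time": "2017-10-24T11:10:00", "event_id": 4625, "src": "10.0.0.12", "target": "FS01",  "user": "Administrator"},
    {"time": "2017-10-24T11:10:02", "event_id": 4625, "src": "10.0.0.12", "target": "FS02",  "user": "Administrator"},
    {"time": "2017-10-24T11:10:05", "event_id": 4625, "src": "10.0.0.12", "target": "WS-05", "user": "admin"},
    {"time": "2017-10-24T11:10:07", "event_id": 4625, "src": "10.0.0.12", "target": "HR-PC", "user": "user"},
    {"time": "2017-10-24T11:10:09", "event_id": 4624, "src": "10.0.0.12", "target": "HR-PC", "user": "user"},
    {"time": "2017-10-24T11:12:00", "event_id": 4625, "src": "10.0.0.30", "target": "FS01",  "user": "jsmith"},
    {"time": "2017-10-24T11:12:10", "event_id": 4625, "src": "10.0.0.30", "target": "FS01",  "user": "jsmith"},
    {"time": "2017-10-24T11:12:20", "event_id": 4624, "src": "10.0.0.30", "target": "FS01",  "user": "jsmith"},
]


def _with_datetimes(events):
    """Copy the records, turning the ISO timestamp string into a datetime."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]


def detect_credential_spray(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per source host that fails logons against at least `threshold`
    distinct targets inside `window`. Each alert lists the targets hit, the account
    names tried, and any of those targets the same source later logged on to."""
    parsed = sorted(_with_datetimes(events), key=lambda e: e["time"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in parsed:
        if e["event_id"] == FAILED_LOGON:
            failures[e["src"]].append(e)
        elif e["event_id"] == SUCCESS_LOGON:
            successes[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        for i, first in enumerate(fails):
            # Sliding window anchored on each failure in turn (events are time-sorted).
            in_window = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            targets = {f["target"] for f in in_window}
            if len(targets) >= threshold:
                later_success = sorted({s["target"] for s in successes[src]
                                        if s["time"] >= first["time"] and s["target"] in targets})
                alerts.append({
                    "src": src,
                    "window_start": first["time"].isoformat(),
                    "targets": sorted(targets),
                    "users": sorted({f["user"] for f in in_window}),
                    "later_success_on": later_success,
                })
                break  # one alert per source host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_spray(SAMPLE_EVENTS):
        print(f"{alert['src']} tried {alert['users']} against {alert['targets']} "
              f"from {alert['window_start']}; later success on {alert['later_success_on']}")
```

The "later success" field is what turns a noisy spray alert into an incident: a host that fails everywhere and then succeeds somewhere is the one to isolate first, and the target it got into is where the next SMB scan will originate.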
The ransom note, shown above, directs victims to log into a Tor onion website to make the payment; the site displays a countdown of 40 hours before the price of decryption goes up.
The affected organizations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.
Researchers are still analyzing Bad Rabbit to check whether there is a way to decrypt affected computers without paying the ransom, and how to stop it from spreading further.
Discoder/#BadRabbit IOCs as found by #ESET:
Dropper: https://t.co/JdPCv82HqV https://t.co/tax4VXgtBF
1dnscontrol[.]com/flash_install.php pic.twitter.com/Ak2zYDdLpW
— Jiri Kropac (@jiriatvirlab) October 24, 2017
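The infection vector described above (a compromised news site pushing a fake Flash installer, with the dropper URL ESET shared in the tweet) is something a web proxy log can surface directly. What follows is an added example, not code from the article or from ESET: it refangs the defanged indicator from the tweet, then scans constructed proxy log lines for an exact hit on that dropper URL and, as a looser heuristic that is this example's own assumption rather than anything the article states, for any "flash" installer executable fetched from a host that is not adobe.com. The log format is invented for the example; real proxies will need their own parser.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Indicator from the ESET tweet quoted above, written defanged there.
DROPPER_IOC = "1dnscontrol[.]com/flash_install.php"

# Heuristic (this example's assumption, not from the article): a genuine Flash Player
# installer is not served by a news or media site, so a "flash*.exe" download from a
# non-Adobe host deserves a second look.
FLASH_INSTALLER_RE = re.compile(r"flash[^/]*\.exe$", re.IGNORECASE)
ADOBE_HOST_RE = re.compile(r"(^|\.)adobe\.com$", re.IGNORECASE)

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(indicator: str) -> str:
    """Turn the defanged form used in IOC sharing ("[.]", "hxxp") back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Alert:
    timestamp: str
    client: str
    url: str
    reason: str


def scan_proxy_log(lines: Iterable[str]) -> List[Alert]:
    """Flag requests matching the known dropper URL or the fake-installer heuristic."""
    dropper_host, _, dropper_path = refang(DROPPER_IOC).partition("/")
    dropper_path = "/" + dropper_path
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unexpected line; skip rather than crash the sweep
        parsed = urlparse(m["url"])
        host = (parsed.hostname or "").lower()
        path = parsed.path
        if host == dropper_host and path == dropper_path:
            alerts.append(Alert(m["ts"], m["client"], m["url"],
                                "known Bad Rabbit dropper URL (ESET IOC)"))
        elif FLASH_INSTALLER_RE.search(path) and not ADOBE_HOST_RE.search(host):
            alerts.append(Alert(m["ts"], m["client"], m["url"],
                                "Flash installer fetched from a non-Adobe host (heuristic)"))
    return alerts


# Constructed sample log; only the dropper URL itself comes from the article's IOC.
SAMPLE_LOG = [
    "2017-10-24T11:02:13Z 10.0.0.12 GET http://news.example/article/123 200",
    "2017-10-24T11:02:15Z 10.0.0.12 GET http://1dnscontrol.com/flash_install.php 200",
    "2017-10-24T11:02:18Z 10.0.0.12 GET http://cdn.example.net/downloads/flash_update.exe 200",
    "2017-10-24T11:05:40Z 10.0.0.20 GET https://get.adobe.com/flashplayer/download/flash_player.exe 200",
    "2017-10-24T11:06:01Z 10.0.0.21 GET http://intranet.example/report.pdf 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.client} {a.reason}: {a.url}")
```

The exact-match rule is the high-confidence signal and the heuristic is the broad net; in practice the two alerts for 10.0.0.12 would be correlated with the workstation's process creation logs to confirm the downloaded file was actually run, since the Kaspersky analysis notes that the victim has to execute the dropper by hand.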
How to Protect Yourself from Ransomware Attacks?
Kaspersky suggests disabling the WMI service to prevent the malware from spreading over your network.
Most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.
So you should always exercise caution when opening unsolicited documents sent by email, and avoid clicking on links inside them unless you have verified the source, to safeguard against such ransomware infections.
Furthermore, never download apps from third-party stores, and read reviews before installing apps even from trustworthy sources.
To always keep a tight grip on your important data, follow a strict backup routine that copies it to an external storage device which is not permanently connected to your PC.
Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date.
This is a developing story and so, stay tuned for updated information.
Source: THN
this is awesome news bro thank u for sharing
Enjoy #be alert
I have a picture in my head of Donald Trump, sitting in front of a bunch of generals asking "Well, let's hack them back. We can do that, right?"
awesome informant bro... thank u