Wednesday, 13 November 2024

Bad Rabbit Ransomware

Ransom:Win32/Tibbar.A

Alert level: SEVERE
Detected with Windows Defender Antivirus

Also detected as: Win32/Diskcoder.D (ESET)

Summary


Windows Defender Antivirus detects and removes this threat with protection update 1.255.29.0 and higher.

This ransomware attempts to reboot your PC so it can encrypt your files. You might be able to stop the reboot and instead shut the PC down or run a Windows Defender Offline scan:

    • Check the event logs for the following IDs: 1102 (in the Security log) and 106 (in the Microsoft-Windows-TaskScheduler/Operational log)
    • Event 1102 indicates that the audit log has been cleared, so earlier activity can't be seen.
    • Event 106 indicates that the scheduled tasks "rhaegal" and "drogon" have been registered. rhaegal runs the disk encryptor dispci.exe at every Windows start and drogon forces the reboot (see Technical information below).
    • If events 1102 and 106 are present, issue shutdown -a to prevent a reboot. Note that shutdown -a only cancels a shutdown that is already counting down; drogon runs shutdown.exe with a zero delay, so also delete that task (schtasks /Delete /F /TN drogon) before its start time.

      You can also immediately initiate a Windows Defender Offline scan by using PowerShell or the Windows Defender Security Center app.
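The check above as a script, added here as an example and not part of the Microsoft advisory. It queries the two event IDs on the local host and, if both are present, takes the abort steps, using the advisory's own task names and commands. Assumptions: it is run from an elevated PowerShell on the suspect machine; the Microsoft-Windows-TaskScheduler/Operational log is enabled (it is off by default on some Windows builds, so Security event 4698, "A scheduled task was created", is used as a fallback, which needs object-access auditing); the 24-hour look-back window is an assumption.

```powershell
# Added example, not part of the Microsoft advisory. Checks the two indicators
# named above and, if both are present, cancels the reboot and removes the tasks.
# Assumptions: elevated shell on the suspect host; Task Scheduler operational
# log enabled (4698 in the Security log is the fallback); 24 h window.
$since     = (Get-Date).AddHours(-24)
$taskRegex = '\\?(rhaegal|drogon)\b'      # task names as they appear in the event message

function Get-BadRabbitEventIndicators {
    # 1102 in the Security log: "The audit log was cleared" (what "wevtutil cl Security" leaves behind)
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
                    -ErrorAction SilentlyContinue)

    # 106 in the Task Scheduler operational log: a task was registered; keep only rhaegal/drogon
    $registered = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since } `
                        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $taskRegex })

    # Fallback when the operational log is disabled: 4698 carries the task name in its message
    if ($registered.Count -eq 0) {
        $registered = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } `
                            -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $taskRegex })
    }

    [pscustomobject]@{
        AuditLogCleared = $cleared.Count -gt 0
        TasksRegistered = $registered.Count -gt 0
        TaskEvents      = @($registered | ForEach-Object { '{0:u} {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] })
    }
}

$ind = Get-BadRabbitEventIndicators
$ind | Format-List

if ($ind.AuditLogCleared -and $ind.TasksRegistered) {
    Write-Warning 'Both Bad Rabbit indicators are present. Cancelling the reboot and removing the tasks.'
    # shutdown -a only cancels a shutdown that is already counting down ...
    shutdown.exe -a
    # ... and drogon runs "shutdown.exe /r /t 0 /f" with no countdown, so remove the trigger itself.
    # rhaegal would relaunch dispci.exe on the next start, so remove it too (both names are from the advisory).
    schtasks.exe /Delete /F /TN drogon
    schtasks.exe /Delete /F /TN rhaegal
    Write-Warning 'Do not reboot normally. Shut down, or start a Windows Defender Offline scan.'
}
```

The offline scan the advisory mentions can be started from PowerShell with the Defender module's Start-MpWDOScan cmdlet (assumed to be available on the host); it restarts the machine into the Windows Defender Offline environment rather than into the infected Windows installation.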

      This ransomware can stop you from using your PC or accessing your data. It might ask you to pay money to a malicious hacker.

      This threat is also known as Bad Rabbit.

      Our ransomware FAQ page has more information on this type of threat.

      This threat appears as a fake Adobe Flash Player update.

      What to do now


      Microsoft doesn’t recommend you pay the ransom. There is no guarantee that paying the ransom will give you access to your files.

      If you’ve already paid, see our ransomware page for help on what to do now.

      Review logs and shut down or run Windows Defender Offline

      Follow the event log check given in the Summary above: look for event IDs 1102 and 106, and if both are present issue shutdown -a, then shut the PC down or start a Windows Defender Offline scan from PowerShell or the Windows Defender Security Center app.

      Run antivirus or antimalware software

      Use the following free Microsoft software to detect and remove this threat:

    • Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
    • You should also run a full scan. A full scan might find hidden malware.

      Advanced troubleshooting

      To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

      You can also ask for help from other PC users at the Microsoft virus and malware community.

      If you’re using Windows XP, see our Windows XP end of support page.

      Use cloud protection

      Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. 

      Go to All settings > Update & security > Windows Defender and make sure that the Cloud-based Protection setting is turned on.

      Technical information


      Threat behavior

      Installation

      This threat can arrive when you visit a compromised website that offers a fake Adobe Flash Player update and you run the downloaded file.

      When run, this file (we have seen SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0) drops the file infpub.dat (SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907) into the %SystemRoot% folder and runs it as "rundll32.exe %SystemRoot%\infpub.dat,#1 15".

      It then drops the file cscc.dat into %SystemRoot%. This file is a driver from DiskCryptor, an open-source disk encryption tool. It then adds "cscc" to the following filter-driver lists in the registry:

    • Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\LowerFilters
    • Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\UpperFilters
    • Write "cscc" to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFilters

      It also drops a malicious version of the DiskCryptor program (dispci.exe, we have seen SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add) into %SystemRoot%.

      The infpub.dat file starts the encryption with the following commands by using cmd.exe:

    • cmd.exe schtasks /Delete /F /TN rhaegal
    • cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"
    • cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR “C:\Windows\system32\shutdown.exe /r /t 0 /f” /ST 17:14:00
    • cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    • cmd.exe /c schtasks /Delete /F /TN drogon

      Taken together, these commands register the task rhaegal to run the encryption program (dispci.exe) at every Windows start, register the task drogon to force a reboot at a set time, clear the Setup, System, Security and Application event logs and delete the NTFS USN change journal on C: so that the history of file changes is lost, and then delete the drogon task.
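A host sweep for the installation artifacts listed in this section (the dropped files, the "cscc" filter-driver registrations, and the two scheduled tasks), added here as an example and not part of the Microsoft advisory. It is report-only unless -RemoveTasks is given, in which case it unregisters rhaegal and drogon; cleanup of the driver registrations and files is left to the antivirus, as the advisory recommends. Assumptions: it is run elevated; the ControlSet001 paths quoted above are reached through CurrentControlSet, which normally links to the active control set; the SHA-1 values are the ones quoted on this page, so a different hash means a variant, not a clean file.

```powershell
# Added example, not from the Microsoft advisory: sweep one host for the
# Bad Rabbit installation artifacts listed above. Report only unless -RemoveTasks.
# Assumptions: elevated shell; CurrentControlSet links to the page's ControlSet001.
param([switch]$RemoveTasks)

$sysRoot   = $env:SystemRoot
$knownSha1 = @{                                   # SHA-1s quoted in the advisory
    "$sysRoot\infpub.dat" = '79116FE99F2B421C52EF64097F0F39B815B20907'
    "$sysRoot\dispci.exe" = 'AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD'
    "$sysRoot\cscc.dat"   = $null                 # no hash on the page; presence alone is reported
}
$filterValues = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}'; Name = 'LowerFilters' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'; Name = 'UpperFilters' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';                                Name = 'DumpFilters'  }
)
$taskNames = 'rhaegal', 'drogon'
$findings  = New-Object System.Collections.Generic.List[object]

# 1. Dropped files, hashed so that a variant (hash mismatch) is still flagged rather than ignored.
foreach ($path in $knownSha1.Keys) {
    if (Test-Path -LiteralPath $path) {
        $sha1  = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
        $match = if ($knownSha1[$path]) { $sha1 -eq $knownSha1[$path] } else { 'n/a' }
        $findings.Add([pscustomobject]@{ Type = 'File'; Item = $path; Detail = "SHA1=$sha1 matches_advisory=$match" })
    }
}

# 2. "cscc" registered as a storage filter driver or crash-dump filter (REG_MULTI_SZ values).
foreach ($f in $filterValues) {
    $value = (Get-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction SilentlyContinue).($f.Name)
    if ($value -and ($value -contains 'cscc')) {
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = "$($f.Key)\$($f.Name)"; Detail = ($value -join ',') })
    }
}

# 3. The persistence task (rhaegal -> dispci.exe at start) and the reboot task (drogon -> shutdown.exe).
foreach ($task in Get-ScheduledTask -TaskName $taskNames -ErrorAction SilentlyContinue) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add([pscustomobject]@{ Type = 'Task'; Item = $task.TaskName; Detail = $action })
    if ($RemoveTasks) {
        Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
        Write-Warning "Removed scheduled task $($task.TaskName)"
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No Bad Rabbit artifacts found.' }
```

Run it before any reboot: the rhaegal task fires on the next start, and once dispci.exe has run the machine no longer boots into Windows, so the registry and file checks have to happen while the system is still up.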

      Payload

      Encrypts files

      This ransomware first encrypts user content and then overwrites the Master Boot Record (MBR).

      It searches each drive and encrypts files with the following extensions:

      .3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

      Demands payment

      After a forced reboot, you are locked out of your PC and coerced into purchasing a key to regain access. This message appears on your PC and you can’t log in to Windows:

      The message says:

      Oops! Your files have been encrypted.
      If you see this text, your files are no longer accessible.
      You might have been looking for a way to recover your files.
      Don't waste your time. No one will be able to recover them without our decryption service.
      We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.
      Visit our web service at <TOR .onion address>
      Your personal installation key#<number>:
      <key>
      If you have already got the password, please enter it below.
      Password#<number>

      Going to the provided .onion address provides a screen similar to the following:

      Attempts to spread through the network 

      The ransomware also tries to spread to other computers over the network. It uses the following hardcoded list of user names and passwords to attempt logins on those computers:

      Usernames:

  • Admin
  • Administrator
  • alex
  • asus
  • backup
  • boss
  • buh
  • ftp
  • ftpadmin
  • ftpuser
  • Guest
  • manager
  • nas
  • nasadmin
  • nasuser
  • netguest
  • operator
  • other user
  • rdp
  • rdpadmin
  • rdpuser
  • root
  • superuser
  • support
  • Test
  • User
  • User1
  • user-1
  • work

Passwords:

  • 111111
  • 123
  • 123321
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 321
  • 55555
  • 777
  • 77777
  • Admin
  • Admin123
  • admin123Test123
  • Administrator
  • administrator
  • Administrator123
  • administrator123
  • adminTest
  • god
  • Guest
  • guest
  • Guest123
  • guest123
  • love
  • password
  • qwe
  • qwe123
  • qwe321
  • qwer
  • qwert
  • qwerty
  • qwerty123
  • root
  • secret
  • sex
  • test
  • test123
  • uiop
  • User
  • user
  • User123
  • user123
  • zxc
  • zxc123
  • zxc321
  • zxcv
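Detection logic for the credential dictionary above, added here as an example and not part of the Microsoft advisory. Because the worm logs in to other hosts over the network with these user names, each attempt lands on the target in the Security log as event 4625 (failed logon) with logon type 3 (network); grouping those failures by source address and flagging any source that tried several dictionary user names in a short window separates a spray from a user mistyping a password. Assumptions: the Security log is readable (run elevated); the 2-hour window and the threshold of 5 distinct user names are assumptions to tune locally; the EventData field names (TargetUserName, LogonType, IpAddress, WorkstationName) are the standard ones for 4625 and 4624.

```powershell
# Added example, not from the Microsoft advisory: flag Bad Rabbit-style credential
# spraying in the local Security log. Assumptions: elevated shell; 2 h window;
# 5 distinct dictionary user names from one source counts as a spray.
$dictionaryUsers = @(
    'Admin','Administrator','alex','asus','backup','boss','buh','ftp','ftpadmin','ftpuser',
    'Guest','manager','nas','nasadmin','nasuser','netguest','operator','other user','rdp',
    'rdpadmin','rdpuser','root','superuser','support','Test','User','User1','user-1','work'
)
$window           = (Get-Date).AddHours(-2)
$minDistinctUsers = 5

function ConvertFrom-LogonEvent {
    # Pull the named EventData fields out of a 4625/4624 record; the message text is localized, the XML is not.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Id          = $Event.Id
        User        = $data['TargetUserName']
        LogonType   = [int]$data['LogonType']
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Failed network logons that used a dictionary user name (-contains is case-insensitive).
$sprayAttempts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $window } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEvent $_ } |
    Where-Object { $_.LogonType -eq 3 -and $dictionaryUsers -contains $_.User }

# One row per source that cycled through several dictionary user names.
$flaggedSources = $sprayAttempts | Group-Object Source | ForEach-Object {
    $users = @($_.Group.User | Sort-Object -Unique)
    if ($users.Count -ge $minDistinctUsers) {
        [pscustomobject]@{
            Source            = $_.Name
            Attempts          = $_.Count
            DistinctDictUsers = $users.Count
            FirstSeen         = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen          = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Users             = $users -join ','
        }
    }
}
$flaggedSources | Format-Table -AutoSize

# A spray that eventually succeeded matters most: successful network logons (4624, type 3)
# from a flagged source show which account the worm got in with.
$flaggedIps = @($flaggedSources | ForEach-Object Source)
if ($flaggedIps.Count -gt 0) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $window } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEvent $_ } |
        Where-Object { $_.LogonType -eq 3 -and $flaggedIps -contains $_.Source } |
        Format-Table Time, User, Source, Workstation -AutoSize
}
```

The IpAddress field is "-" for logons that did not come over TCP/IP, so those attempts collapse into one group; the WorkstationName column then identifies the infected source host. The same grouping works unchanged against events forwarded to a collector, which is where a spray across many targets is visible as one source hitting many hosts.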
Additional information

We used the following samples in our analysis:

Ömer Koçyiğit | IT Blog (https://www.omerkocyigit.com)
I was born in Istanbul and have been in the Information Technology sector for 17+ years. I graduated from the Computer department of Beykent University, the Business Administration department of Anadolu University, and afterwards from the Management Information Systems (master's) program of Beykent University.