Ransom:Win32/Tibbar.A
Alert level: SEVERE
Detected with Windows Defender Antivirus
Also detected as: Win32/Diskcoder.D (ESET)
Summary
Windows Defender Antivirus detects and removes this threat with protection update 1.255.29.0 and higher.
This ransomware can stop you from using your PC or accessing your data. It might ask you to pay money to a malicious hacker.
This threat is also known as Bad Rabbit.
Our ransomware FAQ page has more information on this type of threat.
This threat appears as a fake Adobe Flash Player update.
What to do now
Microsoft doesn’t recommend you pay the ransom. There is no guarantee that paying the ransom will give you access to your files.
If you’ve already paid, see our ransomware page for help on what to do now.
Review logs and shutdown or run Windows Defender Offline
This ransomware attempts to reboot your PC so it can encrypt your files. You might be able to stop your PC from rebooting and instead shut it down or run a Windows Defender Offline scan:
- Check the event logs for the following IDs: 1102 and 106
- Event 1102 (Security log) indicates that the audit log has been cleared, so previous activity can’t be seen.
- Event 106 (Task Scheduler operational log) indicates that the scheduled tasks “drogon” and “rhaegal” have been registered (these tasks trigger the ransomware’s encryption and forced reboot)
- If events 1102 and 106 are both present, run “shutdown -a” to cancel the pending reboot
You can also immediately initiate a Windows Defender Offline scan by using PowerShell or the Windows Defender Security Center app.
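The check described above, written out as a script. This is an added example and not code from the Microsoft page: it looks for event 1102 in the Security log and event 106 in the Task Scheduler operational log, and when both are present it runs “shutdown -a” as the page advises, disables the “drogon” reboot task, and optionally starts a Windows Defender Offline scan with the Defender module’s Start-MpWDOScan cmdlet. It assumes the Task Scheduler operational log is enabled and that the task names are the ones the page lists.

```powershell
# Added example, not from the Microsoft page. Checks for the two event IDs the
# page names and, when both are present, cancels the pending reboot as the page
# advises (shutdown -a) and disables the reboot task so it cannot fire again.
# Run from an elevated prompt: reading the Security log needs administrator rights.
# Assumptions: the Task Scheduler operational log is enabled (it is turned off
# by default on some Windows builds), and the task names match the page.
param([switch]$StartOfflineScan)   # also kick off Windows Defender Offline

$TaskNames = @('drogon', 'rhaegal')

function Test-AuditLogCleared {
    # Security event 1102: "The audit log was cleared".
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    return ($null -ne $events)
}

function Get-SuspiciousTaskRegistrations {
    # Task Scheduler event 106: a task was registered. The message carries the
    # task path, e.g. "\drogon", so filter on the names the page lists.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        foreach ($name in $TaskNames) {
            if ($e.Message -match "\\$name\b") {
                [pscustomobject]@{ Time = $e.TimeCreated; Task = $name }
            }
        }
    }
}

$cleared = Test-AuditLogCleared
$tasks   = @(Get-SuspiciousTaskRegistrations)

if ($cleared) { Write-Warning 'Event 1102 found: the Security audit log was cleared.' }
foreach ($t in $tasks) {
    Write-Warning ("Event 106 found: task '{0}' registered at {1}." -f $t.Task, $t.Time)
}

if ($cleared -and $tasks.Count -gt 0) {
    Write-Warning 'Both indicators present: cancelling any pending reboot.'
    & shutdown.exe -a
    # The "drogon" task runs shutdown with /t 0, so the abort window is tiny;
    # disabling the task is the more reliable way to keep the machine up.
    Disable-ScheduledTask -TaskName 'drogon' -ErrorAction SilentlyContinue | Out-Null
    if ($StartOfflineScan) { Start-MpWDOScan }   # reboots into Windows Defender Offline
} else {
    Write-Output 'Indicators not both present; no action taken.'
}
```

Because the reboot task calls shutdown.exe with /t 0, “shutdown -a” only helps if it runs before the task fires; disabling the task closes that gap. Start-MpWDOScan itself restarts the machine into the offline scanner, which is why it is behind a switch.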
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
You should also run a full scan. A full scan might find hidden malware.
Advanced troubleshooting
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
You can also ask for help from other PC users at the Microsoft virus and malware community.
If you’re using Windows XP, see our Windows XP end of support page.
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
Go to All settings > Update & security > Windows Defender and make sure that the Cloud-based Protection setting is turned On.
Technical information
Threat behavior
Installation
This threat can arrive when you visit a compromised website or click a fake Adobe Flash Player update.
When clicked, this file (we have seen SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0) drops the file infpub.dat (SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907) into the %SystemRoot% folder and runs it with “rundll32.exe %SystemRoot%\infpub.dat,#1 15”.
It then drops the file cscc.dat in %windows%. This file is a driver for an open-source encryption solution, DiskCryptor. It then writes “cscc” into the registry:
- Write “cscc” to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\LowerFilters
- Write “cscc” to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\UpperFilters
- Write “cscc” to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFilters
It also drops a malicious version of the DiskCryptor program (dispci.exe, we have seen SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add) into %SystemRoot%.
The infpub.dat file starts the encryption with the following commands by using cmd.exe:
- cmd.exe schtasks /Delete /F /TN rhaegal
- cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"
- cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00
- cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
- cmd.exe /c schtasks /Delete /F /TN drogon
As part of this process, it creates scheduled tasks that run the encryption program at every Windows start (rhaegal) and force a reboot (drogon), clears the Setup, System, Security and Application event logs and the NTFS USN change journal so that the history of file changes is lost, and then deletes the scheduled tasks.
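The command lines above are a useful detection source on their own. The following is an added example, not code from the Microsoft page: it scores process command lines against the combination of actions listed under Installation (rundll32 loading infpub.dat, schtasks creating the rhaegal/drogon tasks, a forced reboot, event log clearing, USN journal deletion). The sample input is constructed here from the page’s own command lines plus two benign ones; real input would come from Security event 4688 (with command-line auditing enabled) or a Sysmon process-creation event, and the helper that pulls the command line out of a 4688 message is an assumption of this example.

```powershell
# Added example, not from the Microsoft page. Matches process command lines
# against the behaviours the page lists under Installation and reports which
# indicators each line triggers. Runs offline on the constructed sample below.

$Patterns = @{
    'rundll32 loading infpub.dat'      = 'rundll32(\.exe)?\s+\S*infpub\.dat,#1'
    'schtasks touching rhaegal/drogon' = 'schtasks\s+/(Create|Delete)\b.*\s/TN\s+(rhaegal|drogon)\b'
    'scheduled forced reboot'          = 'shutdown\.exe\s+/r\s+/t\s+0\s+/f'
    'event log clearing'               = 'wevtutil\s+cl\s+(Setup|System|Security|Application)\b'
    'USN journal deletion'             = 'fsutil\s+usn\s+deletejournal\s+/D'
}

function Get-TibbarCommandLineMatches {
    param([string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        # -match is case-insensitive by default, which suits command-line input.
        $hits = @($Patterns.Keys | Where-Object { $cl -match $Patterns[$_] })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Indicators = ($hits -join '; '); CommandLine = $cl }
        }
    }
}

function Get-ProcessCommandLinesFromSecurityLog {
    # Assumed helper: pulls the "Process Command Line" field out of 4688 event
    # messages. Only populated when command-line auditing is enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() }
        } | Where-Object { $_ }
}

# Constructed sample: the page's command lines plus two benign ones.
$Sample = @(
    'rundll32.exe C:\Windows\infpub.dat,#1 15',
    'cmd.exe schtasks /Delete /F /TN rhaegal',
    'cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1082924949 && exit"',
    'cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00',
    'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    'schtasks /Create /SC DAILY /TN BackupJob /TR "C:\Tools\backup.exe"',
    'wevtutil qe Security /c:5'
)

# Expected: the first five lines are reported, the two benign ones are not.
Get-TibbarCommandLineMatches -CommandLines $Sample | Format-Table -AutoSize -Wrap

# To run over live data instead of the sample:
# Get-TibbarCommandLineMatches -CommandLines (Get-ProcessCommandLinesFromSecurityLog)
```

Any single pattern (a schtasks /Create, a wevtutil cl) occurs in normal administration; what makes these lines worth an alert is several of them appearing together on one host within minutes, so a real detection should aggregate the Indicators column per machine rather than fire per line.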
Payload
Encrypts files
This ransomware starts by encrypting user content and then overwrites the Master Boot Record (MBR).
It searches each drive and encrypts files with the following extensions:
.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip
Demands payment
After a forced reboot, you are locked out of your PC and coerced into purchasing a key to regain access. Instead of the Windows logon screen, the following message is displayed:
Oops! Your files have been encrypted.
If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don’t waste your time. No one will be able to recover them without our
decryption service.
We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.
Visit our web service at <TOR .onion address>
Your personal installation key#<number>:
<key>
If you have already got the password, please enter it below.
Password#<number>
Visiting the provided .onion address displays a payment page.
Attempts to spread through the network
The ransomware tries to connect to the network, so it can infect files on other computers. It uses a hardcoded set of usernames and passwords to try to brute force into the network:
Usernames and passwords: (the hardcoded credential lists are not reproduced on this page)
Additional information
We used the samples listed above in our analysis (see the SHA1 hashes under Installation).
Prevention
Take these steps to help prevent infection on your PC.
Symptoms
Indicators of compromise
- Presence of the following files in %SystemRoot%:
  - infpub.dat
  - cscc.dat
  - dispci.exe
- A ransom notification like the one quoted under “Demands payment” is displayed
- You can’t access your files or your PC
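A host sweep for the indicators listed on this page, as an added example rather than code from Microsoft: it checks %SystemRoot% for the three dropped files (comparing SHA1s against the hashes given under Installation), the three registry filter values that the page says receive the “cscc” entry, and the two scheduled tasks. It is read-only and reports rather than removes. Checking CurrentControlSet alongside ControlSet001 is an addition of this example; the page names only ControlSet001.

```powershell
# Added example, not from the Microsoft page. Sweeps the local host for the
# file, registry and scheduled-task indicators the page lists. Run elevated.

$DroppedFiles = @('infpub.dat', 'cscc.dat', 'dispci.exe')
$TaskNames    = @('drogon', 'rhaegal')
$KnownSha1    = @{   # values taken from the page's Installation section
    'infpub.dat' = '79116fe99f2b421c52ef64097f0f39b815b20907'
    'dispci.exe' = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add'
}
# Registry values the page says are modified (under ControlSet001).
$FilterValues = @(
    @{ Key = 'Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}'; Name = 'LowerFilters' },
    @{ Key = 'Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'; Name = 'UpperFilters' },
    @{ Key = 'Control\CrashControl';                                  Name = 'DumpFilters'  }
)

function Get-TibbarFileIndicators {
    foreach ($f in $DroppedFiles) {
        $p = Join-Path $env:SystemRoot $f
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash.ToLower()
            $note = if ($KnownSha1[$f] -eq $hash) { "SHA1 $hash (matches hash on the page)" }
                    else                          { "SHA1 $hash" }
            [pscustomobject]@{ Type = 'File'; Location = $p; Detail = $note }
        }
    }
}

function Get-TibbarRegistryIndicators {
    # CurrentControlSet is an addition here; the page names ControlSet001 only.
    foreach ($set in 'ControlSet001', 'CurrentControlSet') {
        foreach ($v in $FilterValues) {
            $path = "HKLM:\SYSTEM\$set\$($v.Key)"
            $item = Get-ItemProperty -LiteralPath $path -Name $v.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $values = @($item.($v.Name))          # REG_MULTI_SZ comes back as string[]
            if ($values -contains 'cscc') {
                [pscustomobject]@{ Type = 'Registry'; Location = "$path\$($v.Name)"; Detail = ($values -join ', ') }
            }
        }
    }
}

function Get-TibbarTaskIndicators {
    foreach ($name in $TaskNames) {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            [pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$name"; Detail = $actions }
        }
    }
}

$findings = @(Get-TibbarFileIndicators) + @(Get-TibbarRegistryIndicators) + @(Get-TibbarTaskIndicators)
if ($findings.Count -eq 0) {
    Write-Output "No Ransom:Win32/Tibbar.A indicators found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A “cscc” entry in LowerFilters or UpperFilters is a strong signal on its own, because it registers the dropped DiskCryptor driver as a disk-class filter; a legitimate DiskCryptor install would be an unusual exception worth confirming with the machine’s owner before treating the host as clean.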