BadRabbit virus attacked the Ukraine and Russia. The main thing


Experts have found a connection between the new virus and Petya and explained how to protect against it.

The BadRabbit virus, which spread on 24 October in Ukraine and Russia and also affected several other countries, turned out to be a relative of the notorious Petya encryptor.

Cybersecurity experts found that its creators had been planning the BadRabbit infection for several days, and that major banks were meant to be among the victims.

Although the epidemic has subsided, information-security experts are circulating advice on how to protect against a BadRabbit attack.

The BadRabbit wave

On 24 October, in the afternoon, hacker attacks were reported one after another by the Kiev Metro, Odessa airport, the news agency Interfax, an online publication and the

As reported by the international company Group-IB, which investigates cybercrime, the virus also tried to attack the largest Russian banks. However, their security systems coped with BadRabbit.

The bulk of BadRabbit infections occurred on computers in Russia; Ukraine suffered slightly less. Attacks were also reported in Germany, Turkey and Bulgaria, said Kaspersky Lab.

Russia accounted for 65 percent of the attacks, Ukraine for 12.2 percent, Bulgaria for 10.2 percent, Turkey for 6.4 percent, Japan for 3.8 percent and other countries for 2.4 percent.

As seen in photos of blocked computers, the hackers recommend “not wasting time” trying to recover the files. The attackers promised to restore access for 0.05 bitcoin (around $280).

At the same time, according to the information on the screen, after a little more than 40 hours the cost of decryption for each PC increases.

The SBU (Security Service of Ukraine) announced that the spread of the threat was blocked on the night of 24 to 25 October. It noted that the virus is distributed via phishing emails whose return address is associated with Microsoft support.

Notably, on 12 October the security service had warned of the likelihood of new large-scale cyber attacks on government agencies and private companies.


The Rabbit makes reference to Game of Thrones

According to the company Proofpoint, BadRabbit was distributed through a fake Adobe Flash Player update.

The virus code contains references to Game of Thrones: it mentions the names of the dragons Drogon, Rhaegal and Viserion, said computer-security expert Kevin Beaumont.

The virus encrypts a wide range of file types, including .doc, .docx and .jpg, notes McAfee. According to the Adobe website, the company released a security update for Adobe Flash Player on 16 October.

“After visiting the infected resource, the user was asked to update Flash Player. If the button was pressed, the data on his computer were encrypted. The virus also steals passwords from the device and uses them to encrypt other computers located on the same network,” Sergey Nikitin, deputy head of the computer forensics laboratory at Group-IB, told RBC.

Group-IB found that the IP address of the domain distributing the virus is associated with five resources whose owners ran many other sites, including pharma affiliates (sites that sell counterfeit medicines through spam).

The malware was downloaded from the resource – IP, according to Group-IB's website. Its domain name was registered on 22 March 2016 and has been renewed up to the present.

“A lot of other malicious domains are involved, the first activity of which dates back to 2011,” the experts noted.


A relative of Petya

According to Group-IB, the cyber attack was carefully planned and prepared over several days.

In particular, one of the JavaScript files involved in the infection was last updated on 19 November, that is, five days before the epidemic.

Cybersecurity experts have noted the similarity of BadRabbit to the Petya encryptor virus, also known as Petya.A, ExPetr and NotPetya.

Antivirus developer ESET told Gazeta.Ru that the attack used the malware Diskcoder.D, a modification of the NotPetya encryptor that was used in the cyber attack on Ukrainian companies this summer.


In addition, the virus contains a hard-coded list of credentials.

Group-IB has also confirmed the relationship between BadRabbit and Petya. Experts report that it is a modified version of the virus in which the encryption algorithm has been fixed.

Kaspersky Lab also sees some similarities between the new virus and Petya, but the relationship has not yet been confirmed.


The third epidemic this year

BadRabbit was the third virus epidemic of 2017. In May, the WannaCry Trojan attacked 200 thousand computers in more than 150 countries. Researchers then concluded that the attackers were the North Korean hacker group Lazarus.

Then, on 27 June, the Petya virus (also known as NotPetya and ExPetr) infiltrated 12.5 thousand computers in 65 countries. Researchers linked it to the BlackEnergy group.

Petya rapidly infiltrated computers running Windows on which no patches had been applied, encrypted the contents of their hard drives and demanded a ransom of $300 in bitcoins for decryption.

But Petya's main feature was revealed a few days later. The virus that attacked companies all over the world was not really ransomware: it encrypted files irreversibly, and the ability to regain access to them was simply not provided in its code.

Petya spread through the Ukrainian company M.E.Doc, which develops reporting and document-management software. A single vulnerable machine without security updates is enough to infect a corporate network.


How to protect against encryption ransomware:

– both home and corporate users should install security updates (including antivirus) and operating-system updates as soon as new versions appear;

– create backup copies of your data. They will allow you to restore files, and an infected hard disk can then simply be formatted;

– do not open suspicious emails that arrive in your mailbox;

– do not download software from unknown or suspicious sources;

– do not insert unknown USB sticks or other media into the computer;

– if the computer has already started encrypting files, shut it down immediately.


If attacked by BadRabbit:

– quickly isolate the computers listed in incident tickets, if any, and verify that backup copies of key network nodes are current and intact;

– update operating systems and security software;

– block the IP addresses and domain names from which the malicious files were spread;

– what to do with passwords:

1. Via group policy settings, disable the storage of passwords in clear text in the LSA dump;

2. Change all passwords to complex ones to prevent dictionary brute-force attacks;

– enable a pop-up blocker;

– use modern intrusion-detection tools and sandboxing for file analysis;

– block the scheduled tasks named viserion_, rhaegal and drogon.
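Two of the response steps above can be checked and applied from PowerShell on a Windows host. The script below is an added example written for this page; it is not code from the article or from any of the companies it quotes. It assumes (my interpretation, the article names no registry key) that "disable the storage of passwords in clear text in the LSA dump" refers to the WDigest UseLogonCredential registry value, and it matches the task names viserion_, rhaegal and drogon given in the article against scheduled task names. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): audit two BadRabbit-response steps on a Windows host.
#   1. Find scheduled tasks named viserion_, rhaegal or drogon (names from the article)
#      and disable them, keeping the task definition as evidence.
#   2. Check, and if needed set, the WDigest registry value that stops LSASS from
#      keeping clear-text passwords in memory (assumption: this is the "LSA dump" setting meant).

$SuspiciousTaskNames = @('viserion_', 'rhaegal', 'drogon')
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-BadRabbitTask {
    # Return scheduled tasks whose name starts with one of the listed names (-like is case-insensitive).
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $taskName = $_.TaskName
        @($SuspiciousTaskNames | Where-Object { $taskName -like "$_*" }).Count -gt 0
    }
}

function Test-WDigestCleartextDisabled {
    # Only an explicit 0 counts as verified: on Windows 7 / 2008 R2 with KB2871997 the value
    # must be present and 0, and on later versions an explicit 1 re-enables clear-text storage.
    $item = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.UseLogonCredential -eq 0)
}

function Disable-WDigestCleartext {
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    # LSASS applies this at the next logon; credentials already cached in memory are not cleared by it.
}

# --- report and remediate ---
$tasks = @(Get-BadRabbitTask)
if ($tasks.Count -gt 0) {
    foreach ($t in $tasks) {
        Write-Warning ('Suspicious scheduled task: {0}{1} (state: {2})' -f $t.TaskPath, $t.TaskName, $t.State)
        # Disable rather than unregister so the task XML stays available for the forensic record.
        Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
    }
} else {
    Write-Output 'No scheduled tasks with the BadRabbit names were found.'
}

if (Test-WDigestCleartextDisabled) {
    Write-Output 'WDigest clear-text credential storage is disabled (UseLogonCredential = 0).'
} else {
    Write-Warning 'WDigest UseLogonCredential is not explicitly 0; setting it now.'
    Disable-WDigestCleartext
}
```

In a domain, the same registry value is normally pushed by Group Policy Preferences rather than set host by host, which is what the article's "via group policy" step refers to; the script is useful for confirming that the policy actually landed on a given machine. Disabling the tasks instead of deleting them keeps their definitions for the incident record.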