Researchers at Kaspersky Lab have discovered that some Bad Rabbit victims may be able to recover their files without paying the ransom.
The discovery was made by analysts who examined the encryption functionality implemented by the ransomware: Bad Rabbit leverages the open-source library DiskCryptor for full disk encryption, and uses the same screen to allow victims who have received the decryption password to enter it and boot their system.
Kaspersky’s researchers noticed that, after the ransomware generates the password used for the disk encryption, it is not wiped from memory:
The symmetric encryption keys are securely generated on the ransomware side which makes attempts to guess the keys unfeasible in practice.
However, we found a flaw in the code of dispci.exe:
the malware doesn’t wipe the generated password from the memory, which means that there is a slim chance to extract it before the dispci.exe process terminates.
Unfortunately, there is only a “slim chance” that victims will be able to extract the password.
However, Bad Rabbit does not delete Volume Shadow Copies, so victims can restore their files through this standard Windows backup mechanism:
We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim’s files. It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities.
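The restore path Kaspersky describes, as an added example (not Kaspersky’s code and not part of the original post): enumerate the shadow copies of the system volume, pick the newest one taken before the infection, expose it through a symbolic link and copy the original file back. The file path, the infection time and the mount directory are assumptions; run it from an elevated prompt.

```powershell
# Restore-FromShadow.ps1 (added example, not from the page or from Kaspersky).
# Assumed inputs: a file on C: that was encrypted, and the approximate time of infection.
param(
    [string]$EncryptedFile  = 'C:\Users\alice\Documents\report.docx',  # assumed victim path
    [datetime]$InfectionTime = (Get-Date '2017-10-24 10:00'),          # assumed infection time
    [string]$Mount          = 'C:\vss_restore'                          # assumed, must not exist yet
)
#Requires -RunAsAdministrator

# 1. Shadow copies belong to a volume; find the volume GUID path of C: so that
#    snapshots of other volumes are ignored. Win32_ShadowCopy.VolumeName and
#    Win32_Volume.DeviceID use the same \\?\Volume{GUID}\ form.
$volC = (Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'").DeviceID

# 2. List snapshots (the same data "vssadmin list shadows" prints), newest first.
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volC } |
    Select-Object ID, DeviceObject, @{ n = 'Created'; e = { $_.InstallDate } } |
    Sort-Object Created -Descending

if (-not $snapshots) {
    Write-Warning 'No shadow copies of C:. Either VSS was never enabled or the snapshots were deleted.'
    return
}
$snapshots | Format-Table -AutoSize

# 3. A snapshot taken after the infection already holds the encrypted file,
#    so take the newest one that predates it.
$candidate = $snapshots | Where-Object { $_.Created -lt $InfectionTime } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning 'Every snapshot postdates the infection; nothing to restore from VSS.'
    return
}

# 4. Expose the snapshot as a directory. The device path needs a trailing
#    backslash and is reachable through a directory symbolic link.
cmd /c mklink /d $Mount "$($candidate.DeviceObject)\" | Out-Null

try {
    # 5. Map the live path onto the snapshot and copy the pre-infection version out.
    $relative = $EncryptedFile.Substring(3)            # drop the leading "C:\"
    $source   = Join-Path $Mount $relative
    if (Test-Path $source) {
        $restored = "$EncryptedFile.restored"
        Copy-Item -Path $source -Destination $restored
        # Hashes differ from the encrypted copy; this is the evidence the file was recovered.
        Get-FileHash $EncryptedFile, $restored -Algorithm SHA256 | Format-Table Hash, Path
    } else {
        Write-Warning "$relative is not present in snapshot $($candidate.ID)"
    }
}
finally {
    # 6. rmdir on a symbolic link removes only the link, never the snapshot contents.
    cmd /c rmdir $Mount | Out-Null
}
```

The same walk can be repeated for every snapshot if you do not know the infection time; as the quoted text says, the whole approach only works when the disk itself was not encrypted and VSS was enabled beforehand. Some ransomware families delete snapshots (typically through `vssadmin delete shadows`) before encrypting, so an empty listing in step 2 is itself a useful forensic observation.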
A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today, mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.
Among the most high-profile targets thus far are major news outlets such as Russia’s Interfax Agency, and Ukraine’s Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.
US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.
BadRabbit was first spotted attacking Russian media outlets on Tuesday, including the news agency Interfax, according to security firm Group-IB, which posted a screenshot of the ransom screen. Other security firms have followed with their own early research and detections, with the consensus being that the malware is a variant of the Petya ransomware.
According to our findings, the attack doesn’t use exploits. It is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves.
Countries we know to be impacted so far are Russia, Ukraine, Turkey, Bulgaria, and Germany, with attacks centered on targets as wide-ranging as infrastructure, transportation, and media outlets.
The dropper is an executable that pretends to be a Flash update. The malware must run with Administration privileges, but no UAC bypass technique has been deployed — it relies purely on social engineering, trying to convince the user to elevate it.
A new massive ransomware campaign is rapidly spreading around Europe, the malware dubbed Bad Rabbit has already affected over 200 major organizations mainly in Russia, Ukraine, Germany, Japan, and Turkey in a few hours.
Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.
Vaccination for the Ukraine round 2? Wanna stop #badrabbit? Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now… pic.twitter.com/3MSSH8WKPb
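The vaccine from the tweet, scripted, as an added example (not the researcher’s code and not part of the original post): create an empty `infpub.dat` in the Windows directory and remove every write permission from it. The script assumes it runs elevated on a system where the file does not already exist; the tweet itself only says the approach was being tested, so verify it against a current sample before relying on it.

```powershell
# Vaccinate-BadRabbit.ps1 (added example, not from the tweet or the page).
#Requires -RunAsAdministrator

$vaccine = Join-Path $env:SystemRoot 'infpub.dat'   # c:\windows\infpub.dat on a default install

# 1. Create the placeholder file if it is not there already.
if (-not (Test-Path $vaccine)) {
    New-Item -Path $vaccine -ItemType File | Out-Null
}

# 2. Detach the file from the inherited ACL of C:\Windows and drop every
#    explicit rule, so the rules added below are the only ones that apply.
$acl = Get-Acl -Path $vaccine
$acl.SetAccessRuleProtection($true, $false)   # protect = $true, preserveInherited = $false
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

# 3. Everyone (which includes SYSTEM and Administrators) may read the file ...
$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($readOnly)

# 4. ... and nobody may write to or delete it. A Deny ACE wins over any Allow,
#    which is what "remove all write permissions" needs to survive an admin-level dropper.
$denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'Write, Delete', 'Deny')
$acl.AddAccessRule($denyWrite)

Set-Acl -Path $vaccine -AclObject $acl

# 5. Show the result; AccessToString should list only the two rules above.
Get-Acl -Path $vaccine | Format-List Path, Owner, AccessToString
```

Two caveats a practitioner would want: an administrator can always take ownership and rewrite the ACL, so this is a tripwire against the dropper’s default behaviour and not a hard guarantee, and the deny rule also blocks legitimate tooling from removing the file later, so undoing the vaccine means taking ownership and replacing the ACL, not just deleting the file.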
Six Python tools useful for identifying and analysing malware
Python is a widely used scripting language in the fields of computer forensics and malware analysis.
Today, we look at some of the tools developed in this scripting language that are useful in the analysis of malicious programs.
A command line tool to analyse malware, developed by Joxean Koret.
It supports hexadecimal viewing and disassembly of PE and ELF files, follows direct call/jmp instructions from the interactive command line, and displays function names and string data references.
It also supports plugins to add more features.
The spread of the WannaCry ransomware has been slowed simply by registering a domain name
Right now everyone is writing something about the WannaCry ransomware, often providing conflicting or misleading information.
So if you want more information about the infection, take a look at the links in the ‘References’ section at the bottom of the article; here I want to tell you the story of the researcher who unknowingly saved the world from a poor-quality ransomware, and from the users who do not install security patches on their systems.
Once executed, the WannaCry ransomware does not infect the system immediately: reverse engineers found that the dropper first tries to connect to a domain which was initially unregistered:
If the connection to the above-mentioned domain fails, the dropper proceeds to infect the system and starts encrypting files.
However, if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module; the real purpose of this switch is unknown.
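The consequence of this logic for defenders is that the switch only helps where the dropper’s connection can actually succeed. The following is an added example (not the dropper’s code, not MalwareTech’s, and not part of the original post) that tests from an endpoint whether the kill-switch domain is reachable with a direct HTTP connection; the domain name is not reproduced on this page, so it is a parameter and the value in the usage line is a placeholder.

```powershell
# Test-KillSwitchReachable (added example). Returns $true when an HTTP
# connection to the domain succeeds, $false when it fails, mirroring the
# decision described above: success means the dropper stands down, failure
# means it proceeds to encrypt.
function Test-KillSwitchReachable {
    param(
        [Parameter(Mandatory)] [string]$Domain,   # kill-switch domain, supplied by the caller
        [int]$TimeoutMs = 5000
    )
    $req = [System.Net.HttpWebRequest]::Create("http://$Domain/")
    # Deliberately bypass the system proxy: a process that opens a direct
    # connection sees the network as this request does, not as the browser does.
    $req.Proxy     = $null
    $req.Timeout   = $TimeoutMs
    $req.UserAgent = 'killswitch-reachability-check'
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    }
    catch [System.Net.WebException] {
        # A WebException that carries a Response (e.g. an HTTP 404) still means
        # the TCP connection and the HTTP exchange took place.
        if ($_.Exception.Response) { return $true }
        Write-Verbose "Direct connection to $Domain failed: $($_.Exception.Status)"
        return $false
    }
}

# Usage; 'killswitch.example' is a placeholder, not the real domain.
if (-not (Test-KillSwitchReachable -Domain 'killswitch.example' -Verbose)) {
    Write-Warning 'Endpoints cannot reach the kill-switch domain directly. Egress filtering or a mandatory proxy turns the switch off for a process that does not use the proxy.'
}
```

The point of bypassing the proxy is the check itself: on a network where outbound HTTP is only possible through a proxy, a direct connection fails, and by the logic above a failed connection is exactly the case in which the dropper goes ahead. Allowing the domain through the egress filter (never blocking it as “known malicious”) is the operational takeaway.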
Suddenly, an unwitting hero takes the stage!
A security researcher, tweeting as MalwareTech, registered the strange domain for just £10, accidentally triggering a “kill switch” that halts the spread of WannaCry, at least for now:
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
Really simple-to-use tools, available to everyone!
In this brief video (3′ 14′′) from the O’Reilly website, Chad Russell constructs a simple computer worm using one of the well-known malware-building tools, “Internet Worm Maker Thing”.
Internet Worm Maker Thing is a free tool that can generate many kinds of malware and worms, with the ability to infect the victim’s drives and files, show messages, disable anti-virus software, and much more.
The generated VBS script can be compiled into an executable in order to evade antivirus detection.
Frightened? Consider that there are a lot of similar tools, for example:
DelMe Virus Maker
DelMe Virus Maker has more features than Internet Worm Maker Thing and a simpler UX. The generated malware can be saved in VBS format (and later compiled with other tools).
JPS Virus Maker
Similar to previous tools, but with some additional ‘offensive’ features.
These tools are freely available on the internet, a simple Google search away: any script kiddie (or disgruntled employee) can download one of these applications and become a threat.
So, update your antivirus/antimalware, always!
Chad Russell is a cyber security veteran of 15 years who has held CISSP, CCNP, MCSE, and MCDBA certifications. Chad has taught Microsoft Engineering courses as a certified trainer, and has acted as a security engineering consultant for companies such as SAP, Microsoft, and Oracle. Currently, Chad conducts security risk assessments for companies throughout North America with an emphasis on cloud security, identity governances, network security, social engineering, mobile security, breach assessments, database security, and access management.