Weekly Privacy Roundup #7

“There’s something really liberating about having some corner of your life that’s yours, that no one gets to see except you. It’s a little like nudity or taking a dump. Everyone gets naked every once in a while. Everyone has to squat on the toilet. There’s nothing shameful, deviant or weird about either of them.” ― Cory Doctorow

Continue…

How to recover files encrypted by BadRabbit ransomware?

Researchers at Kaspersky Lab has discovered that some victims may be able to recover their files without paying any ransom.

 

The discovery was made by that analyzed the encryption functionality implemented by the ransomware: the Bad Rabbit leverages the open source library DiskCryptor in order to encrypt the user files, but uses the same screen to allows victims who have received the decryption key to enter it and boot their system.

Kaspersky’s researchers discovered that after the ransomware create the decryption key, this isn’t wiped from memory.

The symmetric encryption keys are securely generated on the ransomware side which makes attempts to guess the keys unfeasible in practice.

However, we found a flaw in the code of dispci.exe:

the malware doesn’t wipe the generated password from the memory, which means that there is a slim chance to extract it before the dispci.exe process terminates.

Unfortunately, there is only a “slim chance” that victims will be able to extract the password.
However, Bad Rabbit does not delete shadow copies, allowing victims to restore the files through this windows backup functionality:

We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim’s files. It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities.


More information on securelist.com:

Bad Rabbit ransomware

 

A Petya Ransomware variant that uses the eternalblue exploit starts from Ukraine and spreading…

What we know so far?

UPDATE: We have a local vaccine

New ransomware start spreading in Ukraine and shutdown a lot of critical infrastructures (hospitals, airport, banks and power plants).
Some report coming also from Italy, Germany and Spain.

Early comments on VirusTotal indicate the usage of the EternalBlue exploit:

https://virustotal.com/it/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

Whe started, the malware clears the windows event log using Wevtutil, writes a message to the raw disk partition and shuts down the machine.

After the restart, the encryption process starts:

And once the encryption is done, the malware display this message:

If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but dont waste your time. Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:
1. Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

2. Send your Bitcoin wallet ID and personal installation key to e-mail [email protected]


How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.

  • The EternalRomance exploit — a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17–010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

https://twitter.com/0x09AL/status/879702450038599681

The samples

The samples

Some samples has been submitted to HybridAnalysis:

I have extracted a memory dump of a virtual machine running the ransom screen, maybe it can be useful for some researcher:

http://cdn.andreafortuna.org/NotPetyaMemdump.tar.gz

 

https://www.instagram.com/p/BV4n99RBrJI/


The ransom

Some victims already paid the ransom:

However, the email address on posteo has been blocked:

So, do not pay the ransom!

Furthermore, researchers by Kaspersky has revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack:

The key material displayed as “installation ID” — necessary for decryption in real ransomware — is just random data. There is no possible way to recover the encrypted files as the key is not preserved and given to the user to request a decryption key.


From Twitter

 

 

https://twitter.com/0x09AL/status/879702450038599681

 

 

 

 


From websites

 

 

 


Some IOCs

http://https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759

FileHash-SHA256

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

FileHash-SHA1

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

FileHash-SHA256

64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1

FileHash-MD5

71b6a493388e7d0b40c83ce903bc6b04

FilePath

dllhost.dat


Yara Rules

Developed by Florian Roth.

https://gist.github.com/Neo23x0/7ff267390d0670998e9c481c22ab0071


The killswitch?

https://twitter.com/0xAmit/status/879778335286452224

copy NUL C:Windowsperfc.dat

Stay tuned!