danger Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread

[hacker7]

Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread

Thursday, October 26, 2017 

 

 

 

 

A new widespread ransomware worm, known as "Bad Rabbit," that hit over 200 major organisations, primarily in Russia and Ukraine this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims' networks.

Earlier it was reported that this week's crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue, but a recent report from Cisco's Talos Security Intelligence revealed that the Bad Rabbit ransomware did use EternalRomance exploit.

NotPetya ransomware (also known as ExPetr and Nyetya) that infected tens of thousands of systems back in June also leveraged the EternalRomance exploit, along with another NSA's leaked Windows hacking exploit EternalBlue, which was used in the WannaCry ransomware outbreak.
 

Bad Rabbit Uses EternalRomance SMB RCE Exploit

Bad Rabbit does not use EternalBlue but does leverage EternalRomance RCE exploit to spread across victims' networks.

Microsoft and F-Secure have also confirmed the presence of the exploit in the Bad Rabbit ransomware.

 

EternalRomance is one of many hacking tools allegedly belonged to the NSA's elite hacking team called Equation Group that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year.

EternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft's Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.

Along with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin (MS17-010).

Bad Rabbit was reportedly distributed via drive-by download attacks via compromised Russian media sites, using fake Adobe Flash players installer to lure victims' into install malware unwittingly and demanding 0.05 bitcoin (~ $285) from victims to unlock their systems.
 

How Bad Rabbit Ransomware Spreads In a Network

According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses Mimikatz post-exploitation tool to extract credentials from the affected systems.

Bad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, noted EndGame.

However, according to Cisco's Talos, Bad Rabbit also carries a code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently.
 

"We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor," Talos researchers wrote.

"Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space."

 

Is Same Hacking Group Behind Bad Rabbit and NotPetya?

Since both Bad Rabbit and NotPetya uses the commercial DiskCryptor code to encrypt the victim's hard drive and "wiper" code that could erase hard drives attached to the infected system, the researchers believe it is "highly likely" the attackers behind both the ransomware outbreaks are same.

 

 

"It is highly likely that the same group of hackers was behind BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017," Russian security firm Group IB noted.

"Research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc."

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced with the above assumptions.
 

How to Protect Yourself from Ransomware Attacks?

In order to protect yourself from Bad Rabbit, users are advised to disable WMI service to prevent the malware from spreading over your network.

Also, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system.

Since most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution before falling for any of these.

Most importantly, to always have a tight grip on your valuable data, keep a good backup routine in place that makes and saves copies of your files to an external storage device that isn't always connected to your PC.

 

Source

[knowledge-Spammer]

and people say Kaspersky  the bad ones

this is the same things Kaspersky  flag but is bad of Kaspersky  for stoping things like this  crazy people

 

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced with the above assumptions

 

so now  Kaspersky is stoping there own hackers seems funny  they hackers or not ?

https://www.kaspersky.co.uk/resource-center/threats/blackenergy

NSA exploit  not russia do not make the exploits  usa did

[hacker7]

9 hours ago, knowledge said:

 

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced with the above assumptions

 

Is Same Hacking Group Behind Bad Rabbit and NotPetya?

Since both Bad Rabbit and NotPetya uses the commercial DiskCryptor code to encrypt the victim's hard drive and "wiper" code that could erase hard drives attached to the infected system, the researchers believe it is "highly likely" the attackers behind both the ransomware outbreaks are same.

 

Quote

https://www.kaspersky.co.uk/resource-center/threats/blackenergy

Good article but when u read it they make u believe that Kasper is the only solution

 

 

 

[knowledge-Spammer]

Quote

https://www.kaspersky.co.uk/resource-center/threats/blackenergy

Good article but when u read it they make u believe that Kasper is the only solution

 

its not what i mean i mean usa say Kaspersky  used hackers to get nsa files

but y Kaspersky  show  what the so called russian hackers are doing and how ?

so now  Kaspersky is stoping there own hackers  ok if people say so must be right lol

 

but say it was part with NSA Exploit  so nsa again

[hacker7]

Quote

but say it was part with NSA Exploit  so nsa again

 

They only Uses Leaked 'EternalRomance' NSA Exploit to Spread.

And even though it's targeting Russia amogst others but it's hard to believe

 

NSA is smarter then using it's own leaked Eternal to Specially attack Russia.

 

And the Kasper thing already had discussion abt before but still unclear in many ways.

[hacker7]

9 hours ago, 0bin said:

  Reveal hidden contents

 

 

Spoiler

???

 

[hacker7]

It's may be unknown yes! but it's obviously at the same time

[knowledge-Spammer]

this must be the hackers everyone talk about the russian hackers

 

[knowledge-Spammer]

7 minutes ago, 0bin said:

I think that the election wasn't hacked. Instead people made their choice.

Now many people don't like Trump and give responsability to hackers,

is not right

no u is wrong russian hacked it all  and putin  did it all

 

[hacker7]

Quote

no u is wrong russian hacked it all  and putin  did it all

Quote

 

I doubt,

the only interest of Putin is keeping peace, in an already on the war edge world.

Is one of the more rational country leader I know, and would never do that.

 

I don't believe that they hacked the election latterly but for sure they did manipulate the Media.! read abt  ''UK and fb*

[knowledge-Spammer]

if u not like the videos u are died inside  its what best real proof u have putin did it all  he is so good like james bond

[hacker7]

9 hours ago, 0bin said:

The social media manipulate people, you have a right example on this site with the Like button or the Ugly face button or the smile button.

People think good, bad, or be happy or sad because of a face

 

I doubt is Russian, instead I think is inside country job.

Yes there is some truth in ur words cuz the big  head banks wannat trump to win as well but they were not enough !

and there WHERE the RUSSIAN PART of mission CAME IN!

[knowledge-Spammer]

1 minute ago, 0bin said:

If you can proof me that Russian Hackers did it, I will believe you, and you must proof also that they were sponsored actors of Kremlin.

 

I doubt you will be able to proof anything, and I suggest is better avoid dig too much, sometime there is the WhiteRabbit at the end of the tunnel.

Follow the White Rabbit  will take u to good place  for sure

[knowledge-Spammer]

2 minutes ago, 0bin said:

Not sure? Sometime is better mind own business.

 

I think following the white rabbit take me UnderGround, in a specific way.

no following the white rabbit  will take u to the real truth not made up things

[hacker7]

9 hours ago, 0bin said:

the truth only the people who created this climate and their commisioner know.

 

then maybe no need for discussion or news or any thing at !

Maybe we just follow their unknown truth instead .?

 

[hacker7]

9 hours ago, 0bin said:

Use scientific method, and don't trust anyone are the best tools you have. No need to listen anyone.

i don't believe All what i   listen or read!

Quote

Is what I will want, if I create a fake news.

So you are saying all news are fake,?

 

Are u the new Trump in here.?

[straycat19]

Slow down guys, you are filling the XKS drives up with your drivel. 

[hacker7]

9 hours ago, straycat19 said:

Slow down guys, you are filling the XKS drives up with your drivel. 

lol  I believe  they call that passion .

to hell with XKS

[steven36]

Hop on, Average Rabbit: Latest extortionware menace flopped

 

The buck stops… somewhere in Ukraine, Turkey, Japan?

 

As the dust settles from Tuesday’s Bad Rabbit ransomware outbreak, it’s already clear that it is far less severe than the WannaCrypt and NotPetya infections from earlier this year.

 

Bad Rabbit claimed notable victims including the media agency Interfax and was largely contained in Russia and Ukraine, as previously reported.

 

According to ESET, 65 per cent of the victims are in Russia, 12.2 per cent in Ukraine. The nasty also hit some other Eastern European countries as well as Turkey and Japan.

 

Bad Rabbit spread from a network of compromised websites set up by the hackers in preparation for the attack. The dropper, which posed as a Flash Player installer, was downloaded by users when they visited infected websites through a drive-by download (a common hacker tactic). Carrier websites included argumentiru[.]com, which covers current affairs, news and celebrity gossip in Russia and its neighbours, among several others.

 

Bad Rabbit also attempted to spread to other machines on the same network using worm-like functionality.

 

Like NotPetya, Bad Rabbit made use of a custom version of the Mimikatz password recovery tool as well as SMB network shares to spread across machines on the same network.

 

Security experts found that Bad Rabbit did not use EternalBlue – the stolen and leaked NSA-created exploit previously abused by both NotPetya and WannaCry – to spread. Instead it relies on local password dumps, as well as a list of common passwords, in attempts to hop from an infected machine to other Windows PCs.

 

Once executed, the malicious code acted like a traditional ransomware, encrypting files before demanding a ransom to decrypt them – a relatively modest 0.05 BTC (around $280).

 

Infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com, the dropper delivery site, and sites containing the rogue code – were taken offline around six hours after the ransomware began spreading, according to a count by researchers at Cisco Talos.

 

Since Russia was the origin of the attack, by the time the US had woken up it had already been blocked by signature-based antivirus and identified by products that relied on generic or behaviour-based malware detection.

 

CrowdStrike’s analysis found that Bad Rabbit and NotPetya DLL (Dynamic Link Library) share 67 per cent of the same code, prompting speculation that the same group might be behind both attacks. This attribution is sketchy, at best. Bad Rabbit is similar to NotPetya in that it is also based on the earlier Petya ransomware. Major portions of the code appear to have been rewritten.

 

Recovery of infected machines might be difficult but not impossible. Some experts reason that the intent may have been disruption rather than the profit-making cybercrime associated with ransomware strains such as Locky.

 

“Bad Rabbit appears to be a disruption campaign designed to look like a ransomware campaign, similar to NotPetya and WannaCry,” commented Allan Liska, senior solutions architect at threat intel outfit Recorded Future.

 

Bootnote

 

The hackers behind the ransomware seem to be fans of Game of Thrones as the source code contains references to dragons from the popular TV series (Drogon, Rhaegal and Viserion). The as-yet unidentified crooks also allude to a human character, “GrayWorm”, as the product name for the .exe file.

 

http://gearsofbiz.com/hop-on-average-rabbit-latest-extortionware-menace-flopped/157252

[knowledge-Spammer]

According to ESET, 65 per cent of the victims are in Russia, 12.2 per cent in Ukraine. The nasty also hit some other Eastern European countries as well as Turkey and Japan.

so was  not russia doing this

[hacker7]

Quote

Security experts found that Bad Rabbit did not use EternalBlue – the stolen and leaked NSA-created exploit previously abused by both NotPetya and WannaCry – to spread. Instead it relies on local password dumps, as well as a list of common passwords, in attempts to hop from an infected machine to other Windows PCs.

So the news in first page wasn't correct and NSA exploit had nothing to do with it .?

 

 

Quote

CrowdStrike’s analysis found that Bad Rabbit and NotPetya DLL (Dynamic Link Library) share 67 per cent of the same code, prompting speculation that the same group might be behind both attacks. This attribution is sketchy, at best. Bad Rabbit is similar to NotPetya in that it is also based on the earlier Petya ransomware. Major portions of the code appear to have been rewritten.

And it was indeed the same Russian GROUP 

 

 

Quote

Since Russia was the origin of the attack, by the time the US had woken up it had already been blocked by signature-based antivirus and identified by products that relied on generic or behaviour-based malware detection.

sEEM suspicious this part @steven36

[steven36]

17 minutes ago, hacker7 said:

And it was indeed the same Russian GROUP 

Unless  there is any proof of this it is totally speculation .

 

17 minutes ago, hacker7 said:

sEEM suspicious this part

Same thing happen with wantacry hardly no one in the USA hardly got infected ..  ransomware and malware  outbreaks happen all the time in the USA  most witch are for profit  it just depends  of  were the hacker attacks  1st  were  the most get infected and how fast vendors get the signatures .

 

Stop trying to make malware topics about  politics  and conspiracy theories  there is enough of this in the news already

[knowledge-Spammer]

CrowdStrike’ lies all the time and have proof they lied about russian hacking befor

 

[steven36]

9 minutes ago, knowledge said:

CrowdStrike’ lies all the time and have proof they lied about russian hacking befor

Always security firms try too blame on it somebody.. but in this day in age were  they use TOR and VPNs  they cant never  confirm  these hackers real location   . If they could get there real IP they would stop them. but they hardly  catch any hackers a group like this is just doing this for shits and giggles  too stir up  crap.  the old skool  way and not for profit would try too make people think they from some place they are  not .

[hacker7]

9 hours ago, steven36 said:

Unless  there is any proof of this it is totally speculation .

 

Same thing happen with wantacry hardly no one in the USA hardly got infected ..  ransomware and malware  outbreaks happen all the time in the USA  most witch are for profit  it just depends  of  were the hacker attacks  1st  were  the most get infected and how fast vendors get the signatures .

 

 

 

So if you would or had to speculate.? is it hard to believe that it's the same Russian hacker group attacking their own country and others to?

 

 

Quote

Stop trying to make malware topics about  politics  and conspiracy theories  there is enough of this in the news already