Press release

Bad Rabbit: Another Ransomware getting on the list

10-26-2017 01:03 PM CET | IT, New Media & Software

Press release from: MicroWorld Technologies Inc.

In the recent past, several ransomware families have first hit Europe and then, using a variety of methods, spread laterally across networks and on to other countries, effectively ignoring geopolitical boundaries.

A new ransomware family dubbed Bad Rabbit has been rapidly targeting systems across Europe, following in the footsteps of WannaCry and NotPetya. Unlike WannaCry, however, Bad Rabbit does not use EternalBlue to spread laterally. Instead it drops a Mimikatz-based tool to extract credentials from memory (and also carries a built-in list of common usernames and passwords), then uses those credentials to reach other systems on the same network over SMB and WebDAV.

Bad Rabbit also departs from the norm in how it marks its victims. Instead of renaming each encrypted file with a new extension, as most ransomware does, it appends the string "encrypted" to the end of the file's contents. Hunting for encrypted files by extension therefore finds nothing; the marker has to be checked inside the files themselves.

The primary delivery vector is a fake Adobe Flash Player installer offered for download by websites. Once the user runs it, the malware encrypts files, then modifies the Master Boot Record, reboots the system and displays the ransom note from its own bootloader before Windows loads.

eScan detects and blocks this threat. Users should keep their systems current with the patches released by software vendors, and should be wary whenever a website offers an executable for download, in particular unsolicited "player" or "update" installers.

Bad Rabbit - Indicators of Compromise (IOC)

Hashes (SHA-256):
File Name: install_flash_player.exe
SHA-256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Detection: Trojan.GenericKD.6139887

File Name: dispci.exe
SHA-256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Detection: Trojan.GenericKD.6139894

Files:
C:\Windows\infpub.dat (main payload DLL, launched with rundll32)
C:\Windows\System32\Tasks\drogon (scheduled task created by the malware)
C:\Windows\System32\Tasks\rhaegal (scheduled task created by the malware)
C:\Windows\cscc.dat (disk-encryption driver, registered as the cscc service below)
C:\Windows\dispci.exe (disk-encryption client that modifies the MBR)

Registry entries:
HKLM\SYSTEM\CurrentControlSet\services\cscc
HKLM\SYSTEM\CurrentControlSet\services\cscc\Type = 1
HKLM\SYSTEM\CurrentControlSet\services\cscc\Start = 0
HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl = 3
HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath = cscc.dat
HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName = Windows Client Side Caching DDriver
HKLM\SYSTEM\CurrentControlSet\services\cscc\Group = Filter
HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService = FltMgr
HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64 = 1
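The hashes, dropped files and service values above can be checked mechanically. The following Python script is an added example for this page, not eScan's tooling and not part of the original release: it holds the indicators as listed, evaluates them against a host inventory, and on a live Windows host can read the cscc service key directly with winreg. The inventory and registry values in demo() are constructed sample data, and the path under C:\Users\victim is hypothetical. Hash matching only catches these exact samples; the path and service-value checks are more durable. Note that the service name imitates the legitimate Client Side Caching driver (csc), so match on the values, not only the name.

```python
import hashlib
import sys

# Host indicators listed in this release (hashes are SHA-256 of the dropped files).
KNOWN_HASHES = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "install_flash_player.exe",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "dispci.exe",
}
KNOWN_PATHS = [
    r"C:\Windows\infpub.dat",
    r"C:\Windows\System32\Tasks\drogon",
    r"C:\Windows\System32\Tasks\rhaegal",
    r"C:\Windows\cscc.dat",
    r"C:\Windows\dispci.exe",
]
SERVICE_NAME = "cscc"
# Values the malware writes under HKLM\SYSTEM\CurrentControlSet\services\cscc.
EXPECTED_SERVICE_VALUES = {
    "Type": 1, "Start": 0, "ErrorControl": 3, "ImagePath": "cscc.dat",
    "DisplayName": "Windows Client Side Caching DDriver",
    "Group": "Filter", "DependOnService": "FltMgr", "WOW64": 1,
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hashes(inventory):
    """inventory: iterable of (path, sha256_hex). Returns (path, sample name) for known samples."""
    return [(p, KNOWN_HASHES[h.lower()]) for p, h in inventory if h.lower() in KNOWN_HASHES]


def match_paths(existing_paths):
    """Case-insensitive check of the dropped-file paths against paths present on the host."""
    present = {p.lower() for p in existing_paths}
    return [p for p in KNOWN_PATHS if p.lower() in present]


def evaluate_service(values):
    """values: {registry value name: data} for the cscc service key, or None if the key is absent.
    Returns the value names that match the indicator, plus a note when ImagePath is a .dat file."""
    if not values:
        return []
    findings = []
    for name, expected in EXPECTED_SERVICE_VALUES.items():
        actual = values.get(name)
        if isinstance(actual, (list, tuple)) and len(actual) == 1:
            actual = actual[0]  # REG_MULTI_SZ (DependOnService) arrives from winreg as a list
        if isinstance(actual, str) and isinstance(expected, str):
            if actual.strip().lower() == expected.lower():
                findings.append(name)
        elif actual == expected:
            findings.append(name)
    # A boot-start filter driver whose image is a bare .dat file is suspicious on its own.
    if str(values.get("ImagePath", "")).lower().endswith(".dat"):
        findings.append("ImagePath points at a .dat file")
    return findings


def read_service_values(name=SERVICE_NAME):
    """Read the service key on a live Windows host; returns None off Windows or if the key is missing."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            "SYSTEM\\CurrentControlSet\\Services\\" + name) as key:
            values, index = {}, 0
            while True:
                try:
                    value_name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    return values  # no more values
                values[value_name] = data
                index += 1
    except OSError:
        return None


def demo():
    """Constructed inventory, not telemetry from a real host (the C:\\Users\\victim path is hypothetical)."""
    inventory = [
        (r"C:\Users\victim\Downloads\install_flash_player.exe",
         "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"),
        (r"C:\Windows\System32\notepad.exe", "0" * 64),
    ]
    existing = [r"C:\Windows\infpub.dat", r"C:\windows\cscc.dat", r"C:\Windows\System32\Tasks\Microsoft"]
    service = dict(EXPECTED_SERVICE_VALUES, DependOnService=["FltMgr"])
    return {"hashes": match_hashes(inventory), "paths": match_paths(existing), "service": evaluate_service(service)}


if __name__ == "__main__":
    print(demo())
    live = read_service_values()
    if live:
        print("live cscc service key matches:", evaluate_service(live))
```

On a real host, feed match_hashes with (path, sha256_file(path)) pairs for recently written executables, and match_paths with the directory listings of C:\Windows and C:\Windows\System32\Tasks; the two scheduled tasks are also visible through schtasks /query.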

Ransom Note:
Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our decryption service.

We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#1:

Network Activity:
SMB and NetBIOS traffic between local and remote hosts on ports 137, 139 and 445 (credential-based lateral movement)
caforssztxqzf2nm.onion (Tor hidden service hosting the payment portal)

File extensions targeted for encryption:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
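Because Bad Rabbit leaves extensions untouched and instead appends "encrypted" to the contents of each file, a sweep for affected files has to look inside the files. The following Python script is an added example, not eScan's code and not part of the original release: it checks files carrying one of the targeted extensions above for the trailing marker, reading only the last few bytes of each. The directory tree built in demo() is constructed for the demonstration. Restricting the check to targeted extensions avoids flagging a legitimate file that merely ends with the word.

```python
import os
import tempfile
from pathlib import Path

# File extensions Bad Rabbit encrypts, as listed in this release.
TARGETED_EXTENSIONS = set("""
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf
.cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd
.hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf
.odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf
.png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar
.tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx
.vsv .work .xls .xlsx .xml .xvd .zip
""".split())

# Marker appended to the contents of each encrypted file instead of a new extension.
ENCRYPTED_MARKER = b"encrypted"


def is_targeted(path):
    return os.path.splitext(path)[1].lower() in TARGETED_EXTENSIONS


def has_encrypted_trailer(data):
    return data.endswith(ENCRYPTED_MARKER)


def read_trailer(path, size=len(ENCRYPTED_MARKER)):
    """Read only the last `size` bytes so large files are not loaded whole."""
    with open(path, "rb") as handle:
        handle.seek(0, os.SEEK_END)
        handle.seek(max(0, handle.tell() - size))
        return handle.read()


def scan_tree(root):
    """Return paths of files with a targeted extension whose contents end in the marker."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_targeted(full):
                continue
            try:
                if has_encrypted_trailer(read_trailer(full)):
                    hits.append(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def demo():
    """Constructed sample tree: one marked .docx, one clean .docx, one marked file with an untargeted extension."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "report.docx").write_bytes(b"\x8a\x11\xf3 ciphertext " + ENCRYPTED_MARKER)
        Path(tmp, "notes.docx").write_bytes(b"PK\x03\x04 clean document")
        Path(tmp, "scratch.tmp").write_bytes(b"junk " + ENCRYPTED_MARKER)
        return [os.path.relpath(p, tmp) for p in scan_tree(tmp)]


if __name__ == "__main__":
    print(demo())
```

Run scan_tree over user profile and share roots on a suspect host; the count of hits also gives a quick measure of how far encryption got before the machine was isolated.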

Embedded RSA-2048 Key:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinGGNSVNBFwllpRhVvRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB

Prevention Measures:
• Administrators should block executable attachments at the mail gateway. Since this campaign's initial vector was an executable downloaded from a website rather than an e-mail attachment, the same restriction should be applied to downloads at the web proxy.
• Administrators should isolate affected systems from the network immediately to stop the SMB-based lateral movement.
• Administrators can restore encrypted files from backup or from a system restore point (if one was enabled) on affected systems.
• Install and configure eScan with all security modules active:
 * eScan Real Time Monitoring
 * eScan Proactive Protection
 * eScan Firewall IDS/IPS Intrusion Prevention
• Users should not enable macros in documents.
• Organizations should deploy and maintain a backup solution, with copies kept offline or otherwise unreachable over SMB from workstations.
• Most important, organizations should implement MailScan at the gateway level for mail servers to contain the spread of suspicious attachments.

eScan is an ISO 27001-certified pure-play enterprise security solution company with over two decades of expertise in developing IT security solutions. eScan today has a presence in 12 countries through its offices and subsidiaries, and a channel partner network of more than 50,000 partners spread across 190 countries. It is trusted by more than 6,500 enterprise and corporate users across industry segments such as Government, BFSI, Education, Defense, Telecom, IT & ITeS, Infrastructure, Hospitality, and Healthcare worldwide.

It is powered by technologies such as Proactive Behavioral Analysis Engine (PBAE), MicroWorld Winsock Layer (MWL), Domain & IP Reputation Check (DIRC), Non-Intrusive Learning Pattern (NILP), and anti-virus heuristic algorithms that provide protection from current threats as well as proactive protection against evolving ones. eScan provides free 24x7 remote support to help its users resolve security-related issues in real time.

For more information, visit www.escanav.com

39555 Orchard Hill Place Suite 600
Novi, MI 48375

This release was published on openPR.

