Can Your Organization Survive a Cyberattack that Permanently Destroys Data?

Financial gain, either short-term or long-term, is often the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain, but rather, they’re simply out to cause as much damage as possible.

The recent cyberattack at email service provider VFEmail shows an unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.

The first hints of the cyberattack on VFEmail came out last February 11, when the company’s Twitteraccount issued a series of tweets about the attack, starting with a tweet that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”

By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker destroyed nearly two decades' worth of emails of all data in the US, both primary and backup systems.

The company further said that the attacker hasn’t asked for ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweetedit could be "someone who had data they didn't want found or I really pissed off."

This recent cyber incident isn’t the first time that cyber criminals have targeted VFEmail. In a blog postdated November 4, 2015, Romero shared that a group of hackers threatened to launch a distributed denial-of-service (DDoS) on his email service if he doesn’t pay 5 Bitcoins.

True enough, after refusing to pay the ransom, VFEmail’s email service was disrupted by a DDoS attack prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was once again disrupted by a series of DDoS attacks, prompting the company to change to a new hosting provider. In 2018, the company’s email service was once again disrupted by a DDoS attack.

It isn’t clear what actually caused the latest cyberattack on VFEmail. What’s clear though is that the company’s nearly two decades' worth of emails of all data in the US, both primary and backup systems, are lost forever. 

Other Cases of Disruptive Cyberattacks

WannaCry and NotPetya

WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by WannaCry malicious software (malware). Six weeks after the WannaCry attack, NotPetya malware was launched although it didn’t have as much impact as WannaCry.

Both WannaCry and NotPetya exhibit the characteristics of a ransomware, a type of malware that’s designed to deny legitimate users access to computer files by encrypting these files. Similar to other ransomware, WannaCry and NotPetya attackers also demanded ransom from their victims, assuring them that once ransom is paid, the decryption key that would unlock the encrypted files would be given.

While exhibiting the characteristics of a ransomware, both WannaCry and NotPetya were later found to be wipers – malware whose sole purpose was to destroy. Both WannaCry and NotPetya are considered as wipers, not ransomware, as despite paying ransom to the attackers, the attackers wouldn’t be able to give the correct decryption key as they themselves have no way of determining who paid the ransom and who didn’t. 

Shamoon

Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipemreported that its servers based in the Middle East, India, Aberdeen and, in a limited way, Italy were infected by a variant of Shamoon malware. As typical effects of the Shamoon malware, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reutersthat the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.

According to Symantec, the latest version of Shamoon is far more destructive than the original Shamoon as the latest version has a new, second piece of wiping malware called “Trojan.Filerase,” a malware that deletes and overwrites files on the infected computer; while the original Shamoon malware itself erases the master boot record of the computer, rendering the computer unusable.

Because of the Filerase malware in the latest Shamoon version, Symantec said, recovery becomes impossible, compared to the older version of Shamoon in which the “files on the hard disk may be forensically recoverable.”

Prevention

Here are some cybersecurity best practices in order to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:

Keep All Software Up-to-Date

Installing the latest patch or security update in a timely manner is one of the ways to keep destructive attacks at bay. Patches or security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.

Back-up Important Data

Similar to safeguarding your organization’s data from natural disasters, including fire and flood, having a back-up of important data will enable your organization to bounce back from a debilitating destructive cyberattack.

Practice Network Segmentation

It’s also important to practice network segmentation – the process of dividing your organization’s network into subnetworks. Network segmentation ensures that in case an attacker is able to infiltrate one of your organization’s network, the other networks won’t be affected.

Hard Lessons from a Ransomware Attack

A regional county municipality in the province of Quebec, Canada has learned the hard lessons about cybersecurity after it suffered a paralyzing ransomware attack.

Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Pressthat the ransomware attack that paralyzed the municipality’s servers gave the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said.

The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.

How the Mekinac Cyberattack Unfolded

The Canadian Press reported that on September 10, this year, municipal employees, upon returning to work after a weekend break, found a ransomware notice on their working computers, informing them that their files are locked. The ransomware notices also specified that in order to unlock the files, a total of 8 Bitcoins, then equivalent to $65,000, must be paid to the attackers.

The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000-worth of Bitcoin as ransom payment to unlock the locked files.

“It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said this was the road that the municipality took as choosing the other way could mean months of data re-entry, costing significantly more than $30,000.

Mekinac’s ransomware attackers are still unidentified and their location not determined to date.

What is a Ransomware Attack?

Ransomware is a malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft. In encryption, plaintext or any other form of data is converted from a readable format into an encoded version – a format that can only be readable if one has access to a decryption key.

In a ransomware attack, attackers convert the victim’s data from a readable format into an encoded version and demand from the victim ransom payment in exchange for the decryption key.

Ransomware infects computers or servers in many ways. Here are some of the ways that ransomware infects computers or servers:

1. Email-Based Attack

In the case of the Mekinac ransomware attack, the municipality’s servers were infected by a ransomware after an employee opened and clicked on a link in a malicious email sent by the attackers. It wasn’t specified, however, what particular ransomware hit the Mekinac’s servers.

The ransomware called “Locky” is an example of a ransomware that’s spread via email spam campaigns. This ransomware arrives in a victim’s computer through a Microsoft Office email attachment that evades antispam filters and tricks the user to open the attachment. Once this malicious attachment is clicked, Locky encrypts computer files and then demands the victim to pay a ransom to unlock the encrypted or locked files.

2. Drive-By Attack

Drive-by attack is another way by which attackers infect computers or servers. Bad rabbit ransomware is an example of a ransomware that’s distributed via drive-by attacks.

In a drive-by attack, attackers insert a malicious code, in this case, a ransomware, into an insecure website. Once a user visits this compromised site, the malware may either directly download to the visitor’s computer or the visitor is redirected to another website controlled by the attackers and from there the malware is downloaded to the victim’s computer.

3. Unpatched Servers

The ransomware called “SamSam” is an example of a ransomware that infects servers when they’re in an unpatched state. An unpatched server is one that isn’t updated despite the availability of a security update.

Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”

Lessons from Ransomware Attacks

Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.” 

In addition to encryption and email scanning, here are additional best practices in order to protect your organization’s servers from ransomware attacks:

Back Up Important Files

Back up files that are stored in safe storages that aren’t connected to your organization’s servers give your organization assurance that if anything happens with the servers, for instance, a ransomware attack, your organization will still have other copies of the important files. This eliminates the pressure of paying ransom to attackers for the decryption key to unlock the locked files.

Keep All Software Up-To-Date

Make sure that all your organization’s software, specifically the server operating system, are up-to-date. Every security update or patch issued by software vendors contains fixes of security vulnerabilities that cybercriminals are quick to exploit.

Implement Domain Whitelisting

Whitelisting certain domains won’t prevent drive-by download attacks, but it’ll prevent secondary malicious websites from loading.

Limit the Number of Users with Administrator Privileges

A computer user with administrator privileges can install and uninstall software and change configuration settings. Limiting this privilege to a limited number of personnel limits the exposure of your organization’s servers to drive-by attacks.

When your organization needs help, our experts are a phone call away. Contact ustoday to prevent ransomware attacks.

Difference Between Malware Outbreak and Ransomware Attack

Are malware outbreak and ransomware attack the same or are they totally different?

The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.

Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.

To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.

CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.

The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".

When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.

What Is Ryuk?

Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.

Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.

According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.

The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".

What Is a Malware Outbreak?

Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.

Preventive Measures

Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:

Keep All Software Up-to-Date

Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.

Practice Network Segmentation

Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.

Contain the Outbreak

It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.

One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.

Full Malware Eradication Process

Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.

Backup Critical Files 

Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.

When you need help, contactour cybersecurity experts and protect your data.

U.S. Justice Dept. Charges Alleged Member of Lazarus Group Over WannaCry Cyberattack

The U.S. Justice Department has formally charged a North Korean national, believed to be a member of the notorious hacking group known as “Lazarus” over WannaCry cyberattack and two other high-profile attacks, the Sony Pictures cyberattack and the cyberheist at the Bangladesh Bank.

The Justice Department filed a criminal complaintlast June 8, 2018 against North Korean national Park Jin Hyok for WannaCry, Sony and Bangladesh Bank cyberattacks. This criminal complaint though wasn’t made public when it was filed. It was only made public during the recent announcement by the Justice Department.

The WannaCry, Sony and Bangladesh Bank cyberattacks are among the notorious cyberattacks in recent years. On May 12, 2017, WannaCry cyberattack shook the online world after it locked down more than 300,000 computers in over 150 countries in less than 24 hours and demanded ransom payment from victims.

The Sony Pictures cyberattack in November 2014 stunned the company after thousands of its computers were rendered inoperable and unreleased movie scripts and other confidential information were made public.

The cyberheist at the Bangladesh Bank shook the financial sector in February 2016, after the fraudulent transfer of $81 million from the bank. To date, this $81-million fraudulent bank transfer is the largest successful cybertheft from a financial institution.

The criminal complaint, specifically filed by Federal Bureau of Investigation (FBI) Special Agent Nathan Shields, stated that there’s sufficient evidence that shows Park was a member of the conspiracies that resulted to the WannaCry, Sony, Bangladesh Bank successful intrusions as well as attempted intrusions, including the attempted intrusion at the U.S. defense contractor Lockheed Martin.

Shields said that Park, a computer programmer, used to work at a China-based company Chosun Expo. This company, Shields said, is a "North Korean government front company for a North Korean hacking organization”.

Cybersecurity organizations like Symantec, BAE Systems and Kaspersky Lab have called this North Korean hacking organization as “Lazarus”.

"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects),” Shields said.

Shields said that there are numerous connections between Park, his true-name email and social media accounts, and the operational accounts used by the Lazarus group to conduct the successful intrusions and attempted intrusions.

Lazarus Group

According to Shields, the strongest link between the Lazarus group and the successful intrusions in WannaCry, Sony and Bangladesh Bank, and the attempted intrusion in Lockheed Martin is the FakeTLS table.

Shields said the FakeTLS table was found in WannaCry Version 0. It was also found in all three samples of Macktruck malware found at Sony attack, the Macktruck malware found in a spear-phishing document used in the attempted intrusion at Lockheed Martin, and the Nestegg malware found at Bangladesh Bank cyberheist.

TLS, short for Transport Layer Security, refers to a cryptographic protocol that’s used to increase the security of communications between computers. The “FakeTLS”, meanwhile, refers to a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method. By utilizing “fake” TLS, Shields said, attackers can carry on communications without tripping security alerts as many intrusion detection systems “ignore the traffic because they assume the contents cannot be decrypted and that the traffic is a common communication protocol”.

Shields added that the following technical similarities connect the malware used in WannaCry, Sony, Bangladesh Bank and Lockheed Martin:

• Common elements or functionality of the malware that was used
• Common encryption keys used to decrypt resources associated with the malware
• Domains programmed into the malware were under the common control of a single computer or group of computers

Kaspersky Lab, for its part, said Lazarus is operating a malware factory that produces new samples via multiple independent conveyors. “The scale of the Lazarus operations is shocking,” Kaspersky Lab said.

Kaspersky Lab also agrees that Lazarus group was responsible for the WannaCry, Sony and Bangladesh Bank attacks.

According to Kaspersky Lab, from December 2015 to March 2017, its researchers collected malware samples relating to Lazarus group activity which appeared in financial institutions, casinos, software developers for investment companies and cryptocurrency businesses. Kaspersky Lab researchers found that although the Lazarus group was careful enough to wipe any traces of their illegal activities, one server that the group breached contained a serious mistake with an important evidence left behind.

The compromised server, Kaspersky Lab said, was used as a command and control center for a malware. While the group tested the compromised server using VPN/proxy servers to conceal their true IP address, the group committed one mistake as one connection came from a very rare IP address range in North Korea, Kaspersky Lab said.

Symantec, for its part, said there’s a strong link between Lazarus and WannaCry, Sony and Bangladesh Bank attacks.

According to Symantec, evidence gathered from an early version of WannaCry malware found three other malware: Trojan.Volgmer and two variants of Backdoor.Destover – software programs that were used as disk-wiping tools used in the Sony attack. Symantec added that WannaCry shares a code with Backdoor.Contopee – a malware used by the Lazarus group in intrusions at banks.

Prevention

The attack methods of Lazarus group keep on evolving. One form of cyberdefense, therefore, isn’t enough to counter these attacks. Here are some of the attack methods used by the Lazarus group and corresponding preventive measures:

1. Exercise Caution in Clicking Links

One of the intrusion methods used by Lazarus is via spear-phishing email. According to the FBI, the group made an exact copy of a legitimate Facebook email but the hyperlinked text “Log In” that supposedly lead to the official Facebook page instead goes to a URL controlled by the group and directed victims to a malware.

2. Exercise Caution in Visiting Websites

One of the intrusion methods used by Lazarus, according to Kaspersky Lab, is by hacking government websites through known security vulnerabilities. When a target visits said compromised government website, the target’s computer then becomes infected.

3. Keep All Software Up-to-Date

The simple reason that the Lazarus group was successful in its WannaCry attack is that many have failed to update their Windows operating system. WannaCry Version 2, the one that hit worldwide on May 12, 2017, compromised Windows operating systems that fail to install Microsoft’s March 14, 2017 security update and older versions of Windows that were no longer supported, including Windows XP, Windows 8, and Windows Server 2003.

How to Avoid Being a Victim of Email-Based Ransomware

The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through email spam campaign.

Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.

GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.

How Ransomware Victims Are Baited via Email Spam Campaign

The latest version of GandCrab ransomware works by employing spam emails. While these spam emails don’t target specific individuals, it targets specific countries as emails in the US are the primary recipients of this spam campaign, followed by emails in the UK and emails in Canada.

Receivers of these spam emails are tricked into opening these malicious emails as the attackers use these subjects commonly used by people working in an organization:

• Document # (Numbers)
• Invoice # (Numbers)
• Order # (Numbers)
• Payment # (Numbers)
• Payment Invoice # (Numbers)
• Ticket # (Numbers)
• Your Document # (Numbers)
• Your Order #(Numbers)
• Your Ticket # (Numbers)

The spam emails all contain a Javascript attachment with the filename format DOC (Numbers).zip. When this attachment is opened, it downloads the latest version of Gandcrab ransomware from a malicious website.

Once the malware is downloaded to a compromised computer, all the files in the computer are then encrypted, preventing the user to access the files and a ransom note is posted on the computer screen.

This ransom note directs the user to a site using the TOR browser – a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment isn't done within the allowed period, the cost of decrypting the files is doubled.

GandCrab Ransomware Earlier Versions

The first version of GandCrab ransomware first appeared in the wild on January 30, 2018.

This early version of GandCrab ransomware was distributed as well via spam emails purporting to be invoices. The early version of GandCrab ransomware was also distributed via malicious advertisements (malvertisements) linked to malicious websites where the downloading of the GandCrab ransomware is then initiated.

Similar to the latest version of GandCrab, the first version spread into the wild and encrypts the files on the compromised computer. Instead of asking ransom payment in the form of US dollars, the first version of GandCrab asks for a ransom payment in the form of Dash cryptocurrency – the first time this cryptocurrency has been used in a ransomware campaign. In the past, ransomware attackers preferred cryptocurrencies Bitcoin and Monero as ransom payment.

According to Europol, European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.

According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.

A tool to decrypt files encrypted by GandCrab (version 1)was developed by a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.

According to Check Point, the decryptor tool wasn’t a result of a cryptographic breakthrough. It was, however, borne out of the law enforcement arm’s access to the ransomware’s master server, enabling the law enforcement arm to recover all private keys that had been used to perform the encryption made by GandCrab (version 1), evident with the decryptor tool’s dependence on an available victim ID.

Developers of GandCrab, however, regular modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless as it won't bring the files back.

Paying the ransom for the latest version of GandCrab is, therefore, not advisable as this doesn’t guarantee that the attackers have the capability or any intention to decrypt files.

Social Engineering Feature of GandCrab Ransomware

As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.

Social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.

Today’s human interaction now involves technology. Many human interactions now happen via email exchanges – a form of online communication that withstands even with the advent of new forms of communications like instant messaging, social networking and online chat.

GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just a matter of 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.

Interesting to note that these 3 ransomware GandCrab, Spora and Locky tricked their victims into opening email attachments laden with ransomware by using the subject “Invoice”.

Prevention

Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:

• Train employees to be vigilant in opening email attachments. Unsolicited emails and their attachments should never be opened. Only open email attachments from trusted email sender.
• Configure your email server to block email that contains file attachments that are commonly used to spread malware such as .vbs, .bat, .exe, .pif and .scr files.
• Use antispam and antivirus services to block spam emails.
• Use web filtering service that blocks malicious websites from downloading malicious software.
• All downloaded software must be scanned for viruses.
• Always keep all your software up-to-date.
• Disable AutoPlay to block the automatic launching of executable files on network and removable drives.

Bad Rabbit Ransomware, New variant of NotPetya, Is Spreading

Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.

According to the Russian News Agency TASS, Bad Rabbit ransomware attacked the Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily attacked Russia (86%), followed by Japan (3%) Bulgaria (2%), Ukraine (1%), US (1%) and all other countries (7%).

NotPetya versus Bad Rabbit

NotPetya is a malicious software (malware) that was released into the wild in June of this year. It wreaked havoc to thousands of computers worldwide, including Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications, FedEx are some of the victims of NotPetya.

Similar to NotPetya, users of computers infected by Bad Rabbit received a notice that their files are encrypted. Both malware have the same style of ransom note, suggesting to victims to pay certain amount to get access to files. Both are worms, which mean that they’ve the ability to self-propagate – self-reproduce by infecting other computers in the network.

One stark difference between NotPetya and Bad Rabbit is the use of self-propagation tools. While NotPetya self-propagates using EternalBlue and EternalRomance, Bad Rabbit self-propagates by only using EternalRomance.

EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools they’ve released were used by the National Security Agency (NSA) in exploiting the vulnerabilities in Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017, fixing the vulnerabilities exposed by Shadow Brokers.

The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than a ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to generate money from victims. None of the victims of NotPetya were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it’s not a wiper as the encrypted files can be recovered if the key is known.

How Bad Rabbit Works

Bad Rabbit infects victims’ computers in the following manner:

• Use of Watering Holes

The first contact of victims of Bad Rabbit is via watering holes – legitimate websites that are altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.

According to researchers at ESET – the first who observed Bad Rabbit’s campaign last October 24th, some compromised sites have JavaScript injected in their HTML body or in one of their .js file.

• Social Engineering

Once a victim visits one of these compromised sites, Bad Rabbit malware is dropped or downloaded into the victim's computer as a fake software update to Adobe Flash Player.

Bad Rabbit malware masquerading as an update to Flash Player enters the victim’s computer by employing social engineering – convincing the victim that there’s a need to update his or her Flash Player. In the middle of the computer screen, a popup shows up asking the user to download an update for Flash Player.

• Use of Open-Source Tools

Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops five open-sourced tools described below into the victim’s computer. According to Symantec, the download originates from a particular domain. It’s possible though that victims may have been redirected there from another compromised sites, Symantec said.

1. Mimikatz

Mimikatz is an open-sourced tool used for changing privileges and recovering Windows passwords in plaintext.

2. Default Passwords

In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords in attempting to guess Windows passwords.

3. ReactOS

ReactOS is an open-sourced tool that’s used as an alternative to Windows operating system. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.

4. DiskCryptor

DiskCryptor is an open-sourced tool that’s used to perform encryption. After individual files in the victim’s computer are encrypted, Bad Rabbit will then conduct a full disk encryption. Once the system is restarted, a ransom note is displayed, demanding a ransom amounting to 0.05 Bitcoin (US$280).

5. EternalRomance

Bad Rabbit spreads to other vulnerable computers in the network by using EternalRomance, an exploit that bypasses security over Server Message Block (SMB) – referred to as the transport protocol used by computers using Windows operating system for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.

According to researchers at RiskIQ, long before the distribution of Bad Rabbit ransomware last October 24th, cyber attackers have already compromised the affected websites used as watering holes. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”

"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.

How to Prevent Bad Rabbit Attacks

1. Use strong password

As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This security measure, however, isn’t enough to protect you from Bad Rabbit.

2. Keep Your Operating System and Software Up-to-date

Bad Rabbit self-propagates by using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has already been made available by Microsoft since March 17, 2017.

"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"

US Computer Emergency Readiness Team (US-CERT) said.

3. Don’t Be Fooled by Fake Software Updates

In an effort to keep your all software up-to-date, be careful though of falling into traps of fake updates.

Fake Adobe Flash Player update has long been the favorite of many cyber criminals as they always find security vulnerabilities of this software. If an update pops up in your monitor, don’t click the button, and visit the official Adobe website for updates.

Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours

4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks

Ransomware Victims Have Paid $25 Million in the Span of 2 Years, Google-Led Study Shows

Effects of Petya Cyber Attack Still Linger