New computer virus Bad Rabbit: the rabbit has jumped. Is it possible to recover files?

The ransomware virus known as Bad Rabbit attacked tens of thousands of computers in Ukraine, Turkey and Germany, but most of the attacks occurred in Russia. What kind of virus this is and how to protect your computer: we explain in our Questions and Answers section.

Who suffered from Bad Rabbit in Russia?

The Bad Rabbit ransomware virus began spreading on October 24. Its victims include the Interfax news agency and the Fontanka.ru publication.

The Kyiv metro and Odessa airport were also hit by the hackers. It later became known that there had been an attempt to hack the systems of several of Russia's top-20 banks.

By all indications this is a targeted attack on corporate networks, since it uses methods similar to those observed in the ExPetr attack.

The new virus makes the same demand of everyone: a ransom of 0.05 Bitcoin, about 16 thousand rubles. It warns, however, that the time to pay is limited: a little more than 40 hours is given, after which the ransom increases.

What is this virus and how does it work?

Have you already found out who is behind its spread?

It has not yet been possible to find out who is behind this attack; the investigation has so far led only to a domain name.

Experts from antivirus companies note the similarity of the new virus to the Petya virus.

But unlike in the previous attacks this year, the hackers this time took the simple route, reports 1tv.ru.

“Apparently, the criminals expected that in most companies users would update their computers after these two attacks, and decided to try a fairly cheap remedy - social engineering, in order to infect users relatively unnoticed at first,” said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

How to protect your computer from a virus?

Be sure to back up your system. If you use Kaspersky, ESET, Dr.Web or another popular antivirus, update its databases promptly. In Kaspersky you also need to enable “Activity Monitoring” (System Watcher), and in ESET apply the signatures from update 16295, reports talkdevice.

If you have no antivirus, block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy Editor or AppLocker for Windows.

Also stop the Windows Management Instrumentation (WMI) service from running: right-click the service, open its properties and set “Startup type” to “Disabled”.

The Bad Rabbit ransomware (Diskcoder.D) attacks the corporate networks of large and medium-sized organizations, locking entire networks.

Bad Rabbit (“bad rabbit”) can hardly be called a pioneer: it was preceded by the Petya and WannaCry encryptors.

Bad Rabbit: what kind of virus is it?

Experts from the antivirus company ESET investigated the spread of the new virus and found that Bad Rabbit gets onto victims’ computers under the guise of an Adobe Flash update for the browser.

The antivirus company believes that the Win32/Diskcoder.D encryptor, called Bad Rabbit, is a modified version of Win32/Diskcoder.C, better known as Petya/NotPetya, which hit the IT systems of organizations in several countries in June. The link between Bad Rabbit and NotPetya is indicated by matches in the code.

The attack uses the Mimikatz program, which intercepts logins and passwords on the infected machine. The code also contains hard-coded logins and passwords that are tried in order to gain administrative access.

The new malware fixes the errors in file encryption: its code is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as the bootable system disk partitions. So decryption experts will have to spend a lot of time uncovering Bad Rabbit’s secret, experts say.

According to experts, the new virus follows the standard encryptor scheme: having got into the system, it encrypts files and the hackers demand a ransom in bitcoins to decrypt them.

Unlocking one computer costs 0.05 bitcoin, about $283 at the current exchange rate. If the ransom is paid, the scammers promise to send a special key code that will restore normal operation of the system so that nothing is lost.

If the user does not transfer funds within 48 hours, the ransom amount will increase.

But it is worth remembering that paying a ransom may be a trap that does not guarantee the computer will be unlocked.

ESET notes that there is currently no connection between the malware and the remote server.

The virus affected Russian users most, and to a lesser extent companies in Germany, Turkey and Ukraine. It spread via infected media websites; the known infected sites have already been blocked.

ESET believes that attack statistics are largely consistent with the geographic distribution of sites containing malicious JavaScript.

How to protect yourself

Specialists from Group-IB, which is involved in the prevention and investigation of cybercrime, gave recommendations on how to protect yourself from the Bad Rabbit virus.

In particular, to protect against this network pest, create the file C:\windows\infpub.dat on your computer and set read-only rights on it in the administration section.

This blocks execution of the file, and documents arriving from outside will not be encrypted even if they are infected. It is also necessary to back up all valuable data so that it is not lost in case of infection.

Group-IB specialists also advise blocking the IP addresses and domain names from which the malicious files were distributed, and enabling a pop-up blocker for users.

It is also recommended to quickly isolate the computers identified by the intrusion detection system. Users should also make sure that backups of key network nodes are current and intact, and that operating systems and security software are updated.

“In terms of password policy: use group policy settings to prohibit storing passwords in LSA Dump in clear text. Change all passwords to complex ones,” the company added.
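The password-policy advice quoted above refers to the setting that stops LSASS from keeping clear-text credentials in memory, which is what Mimikatz-style tools dump. Below is an added example, not code from Group-IB or from the article, that audits and applies that setting together with LSA Protection. The registry paths are the documented Windows ones; the function names and the decision to bundle RunAsPPL with the WDigest value are this example's own. It assumes an elevated PowerShell session.

```powershell
# Added example: audit and enforce the two registry values that keep clear-text
# passwords out of LSASS memory. Assumes Windows 7/2008 R2 with KB2871997 or any
# later Windows, running in an elevated PowerShell session.

$Settings = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name   = 'UseLogonCredential'
       Wanted = 0
       Why    = 'WDigest keeps plain-text passwords in LSASS memory unless this is 0' },
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name   = 'RunAsPPL'
       Wanted = 1
       Why    = 'LSA Protection stops unsigned code (such as Mimikatz) from reading LSASS' }
)

function Get-CredentialHardeningState {
    # Returns one object per setting with the current value and whether it is compliant.
    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Current   = $current
            Wanted    = $s.Wanted
            Compliant = ($current -eq $s.Wanted)
            Why       = $s.Why
        }
    }
}

function Set-CredentialHardening {
    # Writes the wanted values. RunAsPPL only takes effect after a reboot, and it
    # can break third-party LSA plugins (some smart-card and SSO products), so
    # audit first and test on a pilot group.
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Wanted -Type DWord
    }
}

Get-CredentialHardeningState | Format-Table -AutoSize
# Set-CredentialHardening   # uncomment to enforce, then reboot for RunAsPPL
```

In a domain the same two values would normally be pushed through Group Policy Preferences rather than a script, but the audit function is still useful for checking that the policy actually landed on each machine.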

Predecessors

The WannaCry virus spread in at least 150 countries in May 2017. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars.

Over 200 thousand users were affected by it. According to one version, its creators took the US NSA’s EternalBlue malware as a basis.

The global attack of the Petya ransomware virus on June 27 hit the IT systems of companies in several countries around the world, mostly affecting Ukraine.

Computers of oil, energy, telecommunications, pharmaceutical companies, as well as government agencies were attacked. The Ukrainian cyber police stated that the ransomware attack occurred through the M.E.doc program.

The material was prepared based on open sources

Hi all! Just the other day a large-scale hacker attack began in Russia, Ukraine, Turkey, Germany and Bulgaria using the new ransomware virus Bad Rabbit, also known as Diskcoder.D. At the moment the encryptor is attacking the corporate networks of large and medium-sized organizations, locking entire networks. Today we will tell you what this Trojan is and how you can protect yourself from it.

What kind of virus?

Bad Rabbit follows the standard ransomware scheme: once it gets into the system it encrypts files, and the hackers demand 0.05 bitcoin, $283 (or 15,700 rubles) at the current rate, to decrypt them. The demand is shown in a separate window, where you are expected to enter the purchased key. The threat is a Trojan of the Trojan.Win32.Generic type, but it also contains other components, such as DangerousObject.Multi.Generic and Ransom.Win32.Gen.ftl.

Bad Rabbit – a new ransomware virus

It is still difficult to trace all sources of infection completely, but experts are working on it. Presumably the threat reaches the PC through infected sites on which a redirect has been set up, or under the guise of fake updates for popular plugins such as Adobe Flash. The list of such sites keeps growing.

Is it possible to remove a virus and how to protect yourself?

It’s worth mentioning right away that all the anti-virus laboratories have now begun analyzing this Trojan. If you look specifically for removal instructions, there are none as such. Let’s set aside the standard advice (back up the system, create a restore point, delete such-and-such files): if you have no backups, none of the rest works; the hackers, given how the virus is built, have thought these moments through.

I think that decryptors for Bad Rabbit made by amateurs will soon be distributed - whether you use these programs or not is your own choice. As the previous Petya ransomware showed, this helps little.

But you can block the threat and remove it when it tries to get onto your PC. The Kaspersky and ESET laboratories were the first to respond to reports of the epidemic and are already blocking penetration attempts. Google Chrome has also begun to detect infected resources and warn about their danger. Here is what you need to do first to protect yourself from Bad Rabbit:

  1. If you use Kaspersky, ESET, Dr.Web or another popular antivirus, update its databases. In Kaspersky you also need to enable “Activity Monitor” (System Watcher), and in ESET apply the signatures from update 16295.

  2. If you do not use an antivirus, block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. This is done through the Group Policy Editor or AppLocker for Windows.
  3. It is advisable to disable the Windows Management Instrumentation (WMI) service. In Windows 10 it appears in the Services console under that display name. Right-click the service, open its properties and set “Startup type” to “Disabled”.

  4. Be sure to back up your system. Ideally a copy should always be kept on separately connected media. Here is a short video instruction on how to create one.

Conclusion

In conclusion, the most important thing: do not pay the ransom, whatever has been encrypted. Such actions only encourage scammers to create new virus attacks. Follow the forums of the antivirus companies, which, I hope, will soon study the Bad Rabbit virus and find an effective cure. Be sure to carry out the steps above to protect your OS. If you have any difficulties completing them, please write in the comments.
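Steps 2 and 3 above (the same advice is given in the first Q&A section, and Group-IB's variant of step 2, pre-creating infpub.dat as a read-only file, appears elsewhere on this page) can be applied from an elevated PowerShell session. The following is an added example, not code from the article or from any of the vendors it quotes. The file names are those the article gives; the choice of a deny-everyone ACL, the refusal to vaccinate over a non-empty file, and the function names are this example's own assumptions.

```powershell
# Added example: "vaccinate" against the Bad Rabbit dropper and optionally disable
# WMI, as steps 2 and 3 describe. Assumes an elevated PowerShell session.
# The placeholder files are created empty and read-only under %SystemRoot%, with an
# ACL that denies everyone all access, so the dropper can neither overwrite nor run them.

$VaccineFiles = @('infpub.dat', 'cscc.dat')   # created under $env:SystemRoot

function Get-VaccineFileState {
    # Lists the placeholders via the directory, which keeps working even after the
    # files themselves carry a deny-everyone ACL.
    Get-ChildItem -LiteralPath $env:SystemRoot -Force -File |
        Where-Object { $VaccineFiles -contains $_.Name }
}

function Install-BadRabbitVaccine {
    $existing = @{}
    foreach ($f in Get-VaccineFileState) { $existing[$f.Name] = $f }
    foreach ($name in $VaccineFiles) {
        $f = $existing[$name]
        if ($f -and $f.IsReadOnly) { continue }          # already vaccinated
        if ($f -and $f.Length -gt 0) {
            # A non-empty file with this name is an indicator, not a placeholder.
            Write-Warning "$($f.FullName) already exists and is not empty; investigate it before vaccinating"
            continue
        }
        $path = Join-Path $env:SystemRoot $name
        if (-not $f) { New-Item -ItemType File -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true   # the read-only flag the article suggests
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs, keep none
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'FullControl', 'Deny'
        $acl.AddAccessRule($deny)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    # $true when every placeholder exists and is read-only.
    $ok = @(Get-VaccineFileState | Where-Object { $_.IsReadOnly }).Count
    return ($ok -eq $VaccineFiles.Count)
}

function Disable-WmiService {
    # Step 3: the "Windows Management Instrumentation" service is named Winmgmt.
    # Caveat: SCCM, monitoring agents and many admin tools stop working without
    # WMI, so treat this as a temporary measure for unmanaged machines.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
}

Install-BadRabbitVaccine
"Vaccine in place: $(Test-BadRabbitVaccine)"
# Disable-WmiService   # step 3; uncomment only after reading the caveat above
```

The read-only attribute alone is weak, since any process running as administrator can clear it; the explicit deny ACE is what actually stops the dropper from replacing the file. The vaccine is a stop-gap for machines without up-to-date antivirus, not a substitute for the AppLocker or Group Policy rule the article mentions, which blocks execution regardless of where the file is written.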

Bad Rabbit is a virus that belongs to the encrypting ransomware viruses. It appeared quite recently and is aimed mainly at computers of users in Russia and Ukraine, as well as partially in Germany and Turkey.

The operating principle of ransomware is always the same: once on a computer, the malicious program encrypts system files and user data and blocks access to the computer with a password. All that is displayed on the screen is the virus window with the attacker’s demands and the account to which the money for unlocking must be transferred. Since the mass spread of cryptocurrencies it has become popular to demand the ransom in bitcoins, because transactions with them are extremely difficult to track from the outside. Bad Rabbit does the same. It exploits operating system vulnerabilities, particularly in Adobe Flash Player, and gets in under the guise of an update for it.

After infection Bad Rabbit creates the file infpub.dat in the Windows folder, which in turn creates the remaining program files, cscc.dat and dispci.exe; these modify the user’s disk MBR and create their own tasks in the Task Scheduler. The malware has its own website for paying the ransom, uses the DiskCryptor encryption service, encrypts with RSA-2048 and AES, and also monitors all devices connected to the computer, trying to infect them too.

According to Symantec’s assessment the virus was rated a low threat, and experts believe it was created by the same developers as the Petya and NotPetya viruses discovered a couple of months before Bad Rabbit, since its operating algorithms are similar. The Bad Rabbit ransomware first appeared in October 2017; its first victims were the online newspaper Fontanka, a number of media outlets and the website of the Interfax news agency. The Beeline company was also attacked, but the threat was averted in time.
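The artefacts named in the paragraph above (infpub.dat, cscc.dat and dispci.exe in the Windows folder, and the scheduled tasks they register) can be checked for without any vendor tooling. Below is an added triage script, not code from the article; the file names are the ones the text gives, while the function name, the decision to also inspect service image paths, and the use of schtasks and the registry instead of WMI (so the check still works if WMI was disabled as a precaution) are this example's own assumptions. It is read-only and assumes an elevated PowerShell session.

```powershell
# Added example: read-only triage for the Bad Rabbit artefacts the article names.
# Assumes an elevated PowerShell session on Windows 7 or later.

$Indicators = @('infpub.dat', 'cscc.dat', 'dispci.exe')

function Find-BadRabbitArtifacts {
    $hits = @()

    # 1. Dropped files in %SystemRoot%. Enumerating the directory works even when a
    #    file carries a deny-everyone ACL. An empty read-only copy is a "vaccine"
    #    placeholder rather than the dropper, so it is labelled separately.
    $files = Get-ChildItem -LiteralPath $env:SystemRoot -Force -File |
             Where-Object { $Indicators -contains $_.Name }
    foreach ($f in $files) {
        $isVaccine = ($f.Length -eq 0 -and $f.IsReadOnly)
        $hits += [pscustomobject]@{
            Kind   = if ($isVaccine) { 'VaccineFile' } else { 'File' }
            Name   = $f.FullName
            Detail = "size=$($f.Length) created=$($f.CreationTime)"
        }
    }

    # 2. Scheduled tasks whose command line names one of the files. schtasks is used
    #    instead of Get-ScheduledTask so the check does not depend on WMI.
    $tasks = schtasks /query /v /fo CSV | ConvertFrom-Csv
    foreach ($t in $tasks) {
        foreach ($ind in $Indicators) {
            if ($t.'Task To Run' -like "*$ind*") {
                $hits += [pscustomobject]@{ Kind = 'Task'; Name = $t.TaskName; Detail = $t.'Task To Run' }
            }
        }
    }

    # 3. Services and drivers whose ImagePath references one of the files, read
    #    straight from the registry (the DiskCryptor driver the text mentions is
    #    loaded as a driver service).
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        foreach ($ind in $Indicators) {
            if ($img -like "*$ind*") {
                $hits += [pscustomobject]@{ Kind = 'Service'; Name = $svc.PSChildName; Detail = $img }
            }
        }
    }

    return $hits
}

$found = Find-BadRabbitArtifacts
if ($found) { $found | Format-Table -AutoSize } else { 'No Bad Rabbit artefacts found' }
```

Any 'File', 'Task' or 'Service' hit means the machine should be isolated from the network before anything else is done, since the text above also describes the malware looking for other devices to infect; a lone 'VaccineFile' hit is the expected state on a machine that has been vaccinated.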

Note: Fortunately, detection programs for these types of threats are now more effective than before, and the risk of contracting this virus has decreased.

Removing Bad Rabbit Virus

Bootloader recovery

As in most cases of this type, to eliminate the threat you can try to restore the Windows boot loader. On Windows 10 and Windows 8 you need to connect the system installation media (USB or DVD), boot from it and choose the “Repair your computer” option. Then go to “Troubleshoot” and select “Command Prompt”.

Now all that remains is to enter the commands one by one, pressing Enter each time after entering the next command:

  1. bootrec /FixMbr
  2. bootrec /FixBoot
  3. bootrec /ScanOs
  4. bootrec /RebuildBcd

After the commands have completed, exit and reboot. Most often this is enough to solve the problem.
On Windows 7 the steps are the same, except that “Command Prompt” is found under “System Recovery Options” on the installation media.

Removing a virus using Safe Mode

To use this method you must boot into Safe Mode with Networking, and specifically with networking, not plain Safe Mode. In Windows 10 this can again be done through the installation media: after booting from it, in the window with the “Install” button press Shift+F10 and enter:

bcdedit /set {default} safeboot network

In Windows 7 you can simply press F8 several times while the computer starts and select this boot mode from the menu that appears.
Once in Safe Mode, the main goal is to scan the operating system for threats. It is better to do this with time-tested utilities such as Reimage or Malwarebytes Anti-Malware.
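The bcdedit step above can also be done from an elevated PowerShell session on a system that still boots, and it has an undo step the article does not mention: the safeboot value stays in the boot configuration until it is deleted, so the machine keeps booting into Safe Mode after the scan. The following is an added example, not code from the article; the function names are this example's own, and the {default} identifier is the one the article's command uses.

```powershell
# Added example: switch the default boot entry to Safe Mode with Networking,
# verify it, and remove the setting afterwards. Assumes an elevated PowerShell
# session. In PowerShell the {default} identifier must be quoted, otherwise the
# braces are parsed as a script block.

function Get-SafebootMode {
    # Returns 'network', 'minimal' or 'dsrepair' for the default boot entry,
    # or $null when it boots normally.
    $m = bcdedit /enum '{default}' |
         Select-String -Pattern '^\s*safeboot\s+(\S+)' |
         Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.ToLower() } else { return $null }
}

function Enable-SafeModeWithNetworking {
    # Same command as in the article's recovery-console step.
    bcdedit /set '{default}' safeboot network | Out-Null
    if ((Get-SafebootMode) -ne 'network') {
        throw 'bcdedit did not apply the safeboot value (is the session elevated?)'
    }
}

function Disable-SafeMode {
    # The undo step: without it every reboot lands in Safe Mode again.
    bcdedit /deletevalue '{default}' safeboot | Out-Null
}

Enable-SafeModeWithNetworking
"Next boot mode: $(Get-SafebootMode)"
# Reboot, run the scan, then from the Safe Mode session:
# Disable-SafeMode; Restart-Computer
```

Verifying with Get-SafebootMode before rebooting matters because bcdedit returns a non-fatal error text rather than an exception when the session is not elevated, which is easy to miss in a script.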

Eliminate the threat using the Recovery Center

To use this method you need to open the “Command Prompt” again, as in the instructions above; after launching it, enter cd restore and confirm with Enter. Then enter rstrui.exe. A program window will open in which you can return to the restore point preceding the infection.

Bad Rabbit may be a harbinger of a third wave of encryption viruses, Kaspersky Lab believes. The first two were the sensational WannaCry and Petya (aka NotPetya). Cybersecurity experts told MIR 24 about the emergence of the new network malware and how to protect against its powerful attack.

Most of the victims of the Bad Rabbit attack are in Russia; there are significantly fewer in Ukraine, Turkey and Germany, noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab. The next most affected countries were probably those where users actively follow Russian Internet resources.

When the malware infects a computer, it encrypts the files on it. It is distributed through web traffic from hacked Internet resources, mainly the sites of federal Russian media, and it also hit computers and servers of the Kyiv metro, the Ukrainian Ministry of Infrastructure and Odessa International Airport. An unsuccessful attempt to attack Russian top-20 banks was also recorded.

The fact that Fontanka, Interfax and a number of other publications were attacked by Bad Rabbit was reported yesterday by Group-IB, a company that specializes in information security. Analysis of the virus code showed that Bad Rabbit is associated with the NotPetya ransomware, which in June this year attacked energy, telecommunications and financial companies in Ukraine.

The attack was prepared over several days, and despite the scale of the infection the ransomware demanded relatively small amounts from its victims: 0.05 bitcoin (about $283 or 15,700 rubles). 48 hours are allotted for payment; after that the amount increases.

Group-IB specialists believe that, most likely, the hackers have no intention of making money. Their likely goal is to check the level of protection of critical infrastructure networks of enterprises, government departments and private companies.

It's easy to become a victim of an attack

When a user visits an infected site, the malicious code sends information about the visitor to a remote server. A pop-up window then appears offering a Flash Player update, which is fake. If the user confirms “Install”, a file is downloaded to the computer which in turn launches the Win32/Filecoder.D encryptor on the system. Access to documents is then blocked and a ransom message appears on the screen.

The Bad Rabbit virus scans the network for open network shares and then launches a credential-harvesting tool on the infected machine; this “behavior” distinguishes it from its predecessors.

Specialists from the international antivirus developer ESET NOD32 confirmed that Bad Rabbit is a new modification of the Petya virus, whose operating principle was the same: the virus encrypted information and demanded a ransom in bitcoins (an amount comparable to Bad Rabbit’s, $300). The new malware fixes the errors in file encryption. Its code is designed to encrypt logical drives, external USB drives and CD/DVD images, as well as the bootable system disk partitions.

Speaking about the audience attacked by Bad Rabbit, Vitaly Zemskikh, Head of Sales Support at ESET Russia, said that 65% of the attacks stopped by the company’s antivirus products were in Russia. The rest of the new virus’s geography looks like this:

Ukraine – 12.2%
Bulgaria – 10.2%
Türkiye – 6.4%
Japan – 3.8%
others – 2.4%

“The ransomware exploits known open-source software called DiskCryptor to encrypt the victim's disks. The lock screen message that the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity we have seen so far between the two malware. In all other aspects, BadRabbit is a completely new and unique type of ransomware,” says Nikita Durov, technical director of Check Point Software Technologies.

How to protect yourself from Bad Rabbit?

Users of non-Windows operating systems can breathe a sigh of relief, since the new ransomware only affects computers running Windows.

To protect against the network malware, experts recommend creating the file C:\windows\infpub.dat on your computer and setting read-only rights on it; this is easy to do in the administration section. This blocks execution of the file, and documents arriving from outside will not be encrypted even if they are infected. To avoid losing valuable data in the event of infection, make a backup copy now. And of course, remember that paying the ransom is a trap that does not guarantee your computer will be unlocked.

Let us remind you that the WannaCry virus spread in at least 150 countries around the world in May this year. It encrypted information and demanded a ransom of, according to various sources, 300 to 600 dollars. Over 200 thousand users were affected. According to one version, its creators took the US NSA’s EternalBlue malware as a basis.

Alla Smirnova spoke with experts