How To Stop Bad Rabbit (Ransom:Win32/Tibbar.A) – A Complete Guide

On Tuesday US government issued a warning about a new type of ransomware known as Bad Rabbit (Ransom: Win32/Tibbar.A). The Ransomware has mainly spread in Russia and Ukraine.

We are creating this guide to help you prevent/stop malicious Bad Rabbit ransomware from encrypting your computer.

What is Bad Rabbit (Ransom:Win32/Tibbar.A)?

Ransom: Win32/Tibbar.A dubbed Bad Rabbit is a ransomware like NotPetya and Wannacry. It doesn’t use exploits. It uses a drive-by attack: Victims download a false Adobe Flash installer from infected websites and physically launch the .exe file, hence infecting themselves.

In Some Cases, this ransomware attempts to reboot your PC so it can encrypt your files.

This ransomware stops victims from using their PC or accessing their data. It might ask infected computer owners to pay money to a malicious hacker.

The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom — that’s approx. Rs. 19000 at the current exchange rate.

List of known countries affected by Bad Rabbit

According to our data, most of the victims of these attacks are located in

Russia
Ukraine
Germany
Turkey
India

This ransomware has infected devices through a number of hacked Russian media websites.

How to know my computer is infected by Bad Rabbit?

According to Microsoft the indicators of compromise are:

Presence of the following files in %SystemRoot%:

A notification similar to the following screenshot is displayed:

You can’t access your files or your PC
Kaspersky Lab’s products detect the attack with the following verdicts:

UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network),
PDM:Trojan.Win32.Generic (detected by System Watcher) and Trojan-Ransom.Win32.Gen.ftl.

How Bad Rabbit (Ransom:Win32/Tibbar.A) works?

The ransomware can be downloaded when visiting infected websites or if you click a fake Adobe Flash Update:

When clicked, this file the ransomware drops the fil0e infpub.dat into the %SystemRoot% folder and runs it as “rundll32.exe”.
It then deploys the file cscc.dat in %windows%. It is a driver for an open-source encryption solution, DiskCryptor.
It then writes “cscc” into the registry:
It also drops an infected version of the DiskCryptor program into %SystemRoot%.
The infpub.dat file starts the encryption with the following commands by using cmd.exe:
It creates various scheduled tasks to run the encryption program at every Windows start, reboots the computer, deletes or modify the history of file changes, and then delete the scheduled tasks.

Aftermath

Bad Rabbit overwrites starts encrypting user content and then overwrites the Master Boot Record (MBR).

Extensions which are prone to this malware are:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

Ransom Demand

After a forced reboot, Victims are locked out of their computer and forced into pay ransom for a key to regain access. This message appears on infected computer and Victim can’t log in to operating system:

The message says:

“ Oops ! Your files have been encrypted.

If you see this text, your files are no longer accessible.

You might have been looking for a way to recover your files.

Don’t waste your time. No one will be able to recover them without our

decryption service.

We guarantee that you can recover all your files safely. All you

need to do is submit the payment and get the decryption password.

Visit our web service at <TOR .onion address>

Your personal installation key#<number>:

<key>

If you have already got the password, please enter it below.

Password#<number”

Visiting the mentioned .onion address provides a screen like shown below:

Can Bad Rabbit Spread Through Network or LAN?

Maybe, the ransomware may try to connect to the network, so it can target and infect other computers.

It uses a hardcoded set of usernames and passwords to try to brute force into the network:

Usernames:

· Admin	· Guest	· rdpuser
· Administrator	· manager	· root
· alex	· nas	· superuser
· asus	· nasadmin	· support
· backup	· nasuser	· Test
· boss	· netguest	· User
· buh	· operator	· User1
· ftp	· other user	· user-1
· ftpadmin	· rdp	· work
· ftpuser	· rdpadmin

Passwords:

· 111111	· Administrator	· qwer
· 123	· administrator	· qwert
· 123321	· Administrator123	· qwerty
· 1234	· administrator123	· qwerty123
· 12345	· adminTest	· root
· 123456	· god	· secret
· 1234567	· Guest	· sex
· 12345678	· guest	· test
· 123456789	· Guest123	· test123
· 1234567890	· guest123	· uiop
· 321	· love	· User
· 55555	· password	· user
· 777	· qwe	· User123
· 77777	· qwe123	· user123
· Admin	· qwe321	· zxc
· Admin123		· zxc123
· admin123Test123		· zxc321
		· zxcv

How to stop/prevent Bad Rabbit (Ransom:Win32/Tibbar.A) from infecting the PC?

Make sure you have Anti-Virus installed on your PC.
Anti-Virus must be Updated to the latest version
Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat.
Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.

Tips for everyone:

Back up your data at a different place (Cloud Backup Recommended)
Please do not pay the ransom.

Source

https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/

https://www.microsoft.com/en-us/wdsi/threats/ransomware

http://money.cnn.com/2017/10/24/technology/bad-rabbit-ransomware-attack/index.html