With the spreading of the new version of Petya/NotPetya Ransomware, called BadRabbit, I thought it would be a nice idea to sum up its targets, potential damage & the vaccination found to prevent it from infecting others.
Propagation technique: fake Adobe Flash update.
Potential Damage:
- Encrypts files with selected extensions (using AES + RSA).
- Scans our Local Area Network (LAN) in order to spread to other machines.
- The Master Boot Record is overwritten with the malicious bootloader and kernel that are meant to deploy the low-level attack after the reboot.
If you’re going to link to another article here, you should sum up the main points here as well, and then prompt a discussion. Check out this post from @ricksanchez.
I think this is the correct place to post this. If not, please let me know where one should post articles related to topics such as this.
MalwareUnicorn recently released her analysis on BadRabbit. I found it very thorough and wanted to share it with you all.
Mitigating BadRabbit
“By placing any file at C:\windows\cscc.dat, the dropper will fail.”
Her Summary
“BadRabbit joins WannaCry and NotPetya among the list of global ransomware attacks in 2017. However, there are many differences between BadRabbit and the other attacks that are missed when simply lumping them all together. BadRabbit does not use the EternalBlue exploit, but demonstrates yet again how these attacks continue to evolve and innovate their evasive techniques. I’ll be keeping an eye on BadRabbit, and future variants, as these attacks evolve. The Appendix below provides additional information, including those GoT and Hackers references that are making headlines. And as always, be wary of pop-up updates, which are an incredibly popular mode of compromise.”
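One way to apply the cscc.dat vaccination quoted above and to verify it on a host, as an added PowerShell example that is not from this thread or from MalwareUnicorn's write-up; it assumes an elevated session on Windows and that the blocking path is exactly the one quoted, `C:\windows\cscc.dat`:

```powershell
# Added example (not from the thread): occupy the path the BadRabbit dropper
# expects to create, then lock it so the dropper cannot replace it.
#Requires -RunAsAdministrator

$VaccinePath = Join-Path $env:SystemRoot 'cscc.dat'   # C:\Windows\cscc.dat

function Install-BadRabbitVaccine {
    param([string]$Path = $VaccinePath)

    # An empty placeholder is enough: the dropper fails when the path exists.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Read-only attribute stops casual overwrites.
    Set-ItemProperty -LiteralPath $Path -Name Attributes -Value 'ReadOnly'

    # Drop inherited ACEs, then allow read but deny write/delete to Everyone
    # (S-1-1-0, which also covers elevated and SYSTEM contexts).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    $everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $allowRead = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Read', 'Allow')
    $denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Write, Delete', 'Deny')
    $acl.AddAccessRule($allowRead)
    $acl.AddAccessRule($denyWrite)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-BadRabbitVaccine {
    # Returns $true only if the file exists, is read-only, and carries an
    # explicit deny-write ACE for Everyone; suitable for a fleet-wide check.
    param([string]$Path = $VaccinePath)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }

    $item     = Get-Item -LiteralPath $Path -Force
    $readOnly = ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0

    # Compare by SID rather than by name so localized Windows builds match too.
    $denied = Get-Acl -LiteralPath $Path | Select-Object -ExpandProperty Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
    }
    return ($readOnly -and [bool]$denied)
}

Install-BadRabbitVaccine
if (Test-BadRabbitVaccine) { 'cscc.dat vaccination in place' } else { 'vaccination check FAILED' }
```

The check keys on the single path quoted in the write-up, so a variant that changes its marker file would not be covered; treat it as a stopgap alongside backups and the fake-update awareness noted above.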
@REal0day you are right about malwareunicorn, I think she is the first one who knew about C:\windows\cscc.dat, and this information gives me a great readiness to open other things.