New Ransomware Spreads across Europe

A new ransomware, dubbed “Bad Rabbit”, has been spreading quickly throughout Europe in the past few months. The Petya-like attack (27% of BadRabbit code has been seen in Petya samples) has struck corporate and personal networks alike using “drive-by” download attacks. An initial analysis by Kaspersky Labs states that the malware spreads by luring victims with fake Adobe Flash Player installers, meaning that no exploits were used in its distribution: the victim must manually execute the malware dropper.

Once executed, BadRabbit scans the internal network for open SMB (Server Message Block) shares and tries a hardcoded list of commonly used credentials to spread the ransomware. It also uses the post-exploitation tool “Mimikatz” to extract credentials from the infected systems. This is notable because it marks a new wave of ransomware attacks, one that doesn’t utilize the “EternalBlue” exploit used by notable ransomware such as WannaCry and Petya to spread throughout networks. The same report also stated that numerous compromised websites have been detected, “all of which were news or media websites.”

After spreading through a network, BadRabbit utilizes an open-source full-drive encryption tool called DiskCryptor that encrypts files using RSA-2048 keys. After this, a ransom note appears on the screen asking victims to log into an onion website to make an initial payment of 0.05 bitcoin (or ~$285) in order to get their encryption key. A countdown timer, originally set for 40 hours, is also displayed with the threat of increasing the price of the key if no payment is sent within the time frame.

Affected organizations include Russian news agencies Interfax and Fontanka as well as the payment systems used in the Kiev Metro, Odessa International Airport, and the Ukrainian Ministry of Infrastructure. Interfax was hit particularly hard: 24 hours after the attack, its website still displayed the message “our service is temporarily unavailable.”

The head of Russian cyber-security firm Group-IB, Ilya Sachkov, says, “In some of the companies, the work has been completely paralyzed – servers and workstations are encrypted.” U.S. officials have stated that they have “received numerous reports of BadRabbit ransomware infections in many countries around the world.” The Russian central bank released a statement that there were recorded BadRabbit attacks on several of the top 20 Russian financial institutions, but that none had been compromised.

So far, attacks have been heavily concentrated in Russia; however, attacks have also been recorded in Ukraine, Turkey, and Germany. Analysis of BadRabbit is still ongoing, both to find a way to decrypt computers without having to pay and to determine how to stop it from spreading further.

The malware is still undetected by the majority of anti-virus programs, according to VirusTotal. For now, Kaspersky Labs suggests disabling the WMI service on your computers to prevent the malware from spreading over your network, as well as changing default credentials within your network.
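The spreading behaviour described above (one infected host trying a short list of common credentials against every reachable SMB share) leaves a distinctive trace in Windows security logs: a burst of failed network logons (Event ID 4625, logon type 3) from a single source against many hosts and account names within seconds, sometimes followed by a success (Event ID 4624) once a default credential works. The detector below is an added example written for this newsletter, not code from Kaspersky’s report or from the malware; the pipe-separated log layout and the sample events are constructed for the illustration, and the thresholds are assumptions you would tune to your own environment.

```python
"""
Toy detector for the credential-list lateral movement pattern described above.
Added illustration, not from the newsletter or from any vendor report.

Assumed (constructed) log layout, one event per line:
    timestamp|event_id|logon_type|target_host|account|source_ip
Event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 3
(network logon, which is what SMB access produces) are real Windows values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.15 sprays three common accounts across three
# hosts in four seconds and finally gets in; 10.0.0.42 is a user mistyping
# a password twice, forty minutes apart.
SAMPLE_EVENTS = """\
2017-10-24T09:00:01|4625|3|FILESRV01|administrator|10.0.0.15
2017-10-24T09:00:02|4625|3|FILESRV01|admin|10.0.0.15
2017-10-24T09:00:02|4625|3|FILESRV01|guest|10.0.0.15
2017-10-24T09:00:03|4625|3|WS-ACCT-07|administrator|10.0.0.15
2017-10-24T09:00:03|4625|3|WS-ACCT-07|admin|10.0.0.15
2017-10-24T09:00:04|4625|3|WS-ACCT-08|administrator|10.0.0.15
2017-10-24T09:00:04|4624|3|WS-ACCT-08|admin|10.0.0.15
2017-10-24T09:05:00|4625|3|FILESRV01|jdoe|10.0.0.42
2017-10-24T09:45:00|4625|3|FILESRV01|jdoe|10.0.0.42
"""


def parse_events(text):
    """Parse the assumed pipe-separated layout into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, host, account, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "host": host,
            "account": account.lower(),
            "src": src,
        })
    return events


def find_spray_sources(events, window=timedelta(minutes=1),
                       min_hosts=2, min_accounts=3):
    """Return {source_ip: summary} for every source whose failed network
    logons inside any `window` touch at least `min_hosts` distinct hosts and
    `min_accounts` distinct accounts. Thresholds are assumptions to tune."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3 and ev["event_id"] in (4624, 4625):
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits within `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            win = failures[start:end + 1]
            if (len({e["host"] for e in win}) >= min_hosts
                    and len({e["account"] for e in win}) >= min_accounts):
                # A success from the same source after the burst started is
                # the sign that one of the listed credentials worked.
                first_ts = win[0]["ts"]
                successes = [(e["host"], e["account"]) for e in evs
                             if e["event_id"] == 4624 and e["ts"] >= first_ts]
                alerts[src] = {
                    "failed_attempts": len(failures),
                    "hosts": sorted({e["host"] for e in failures}),
                    "accounts": sorted({e["account"] for e in failures}),
                    "later_successes": successes,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, summary in find_spray_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"credential spray from {src}: {summary}")
```

The "later_successes" field is the part worth paging someone for: a source that fails across several hosts and then succeeds on one of them is exactly the default-credential problem the Kaspersky advice about changing default credentials is aimed at. Only a single burst from the same source is reported here; the user at 10.0.0.42 never trips the thresholds because the two failures hit one host with one account and are far apart.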
Reaper Botnet Dwarfs Mirai


By this point everyone and their mother has heard of the botnet dubbed ‘Mirai’, an infamous botnet infrastructure from last year that managed to take down a good chunk of the internet by attacking Dyn, a DNS provider. Well, as of this September, weak passwords might have become the least of your worries if, like 60% of the corporations covered by Check Point’s ThreatCloud, you have unpatched vulnerabilities on your network.

Dubbed Reaper, or IOTroop by some, a new IoT botnet is propagating and shows no sign of slowing down. Today, researchers have ruled out the possibility that Mirai and Reaper are connected, at least on a technical level, due to the superiority that Reaper has displayed in its intrusion and propagation techniques. Whereas Mirai spread through the exploitation of default passwords across IoT devices, Reaper utilizes a specialized strain of malware that exploits well-known vulnerabilities (such as those present in many printers and IoT toasters) to gain entry to a device, and then uses that device to spread itself to others connected to it.

With near-exponential growth, Qihoo 360 Netlab witnessed approximately 2 million newly infected devices waiting to be processed by a C&C server, of which several have thus far been identified. The best thing that any concerned corporation or user can do at this point would be to ensure that every machine on their network has updated firmware and software, in an attempt to limit the spread of this veritable plague infecting IoT networks worldwide.

Currently, it appears as if we all might be witnessing a ‘calm before the storm’ situation, with this botnet ramping up massively in numbers and, according to Check Point, updating its capabilities on a daily basis. What else can I say but stay safe, and brace for impact, as when this thing hits, it’ll make the Dyn attack look like a birthday party.

– Kenneth Nero

Sources: Here, and Here, also Here

Encryption system used to exploit protected Wifi networks

Everyone knows that they could be a potential target for cyber-crime, as it appears in the news almost every day. But just how vulnerable is an individual? CERT recently made a statement about how your Wifi network could be exploited if proper precautions are not taken.

On October 16th, 2017, the Computer Emergency Readiness Team made an announcement that addresses the protection of your sensitive information. In short, its advice is to update all your devices when security updates are available. The reason for this is that a weakness in a widely used encryption system for wireless networks can lead to a breach of your credit card information, emails, passwords, etc.

Essentially, the weakness in the system allows a hacker to gain access to the internet traffic that passes between computers. Once in, the hacker can manipulate the data that is recovered. Depending on the target’s network configuration, it is even possible for the attacker to inject malware into the network. The unsettling part about this encryption system is that the flaw affects a very wide range of devices, including Android, Apple, Linux, and Windows.

Companies such as Intel, Microsoft, Google, and Apple have heeded this advice and have released updates that will help protect people and their devices from this issue.

– Jared Albert


New DoubleLocker Ransomware Attacks Android Devices

Security researchers have discovered a new kind of ransomware for Android that both changes the affected device’s PIN code and encrypts its files. It goes by the name DoubleLocker and is reported to use code from an old banking trojan called Svpeng, which was formerly one of the more interesting pieces of Android malware: it would overlay fake banking logins, steal money from bank accounts using SMS account management, change PIN codes, and encrypt user files. Fortunately, the DoubleLocker ransomware doesn’t attempt to steal any banking information. At least not yet.

DoubleLocker takes a new approach to ransomware, being the first of its kind to misuse Android’s accessibility service to gain admin rights. Once it is installed, usually through a fake Flash Player update, the app requests device accessibility permissions. If the user grants them, the app is able to simulate touches on the screen so it can make itself a device administrator and set itself as the default home app. This means that whenever the user presses the home button, the malware is re-launched. The app uses its administrator rights to change the PIN code on the phone and encrypt all of the user’s files into .cryeye files with a random key stored at a remote location.


Once running, the app shows a ransom request for 0.013 BTC (about $70) which, when paid, will remotely decrypt the phone and remove the PIN lock.

There are a few ways to protect yourself from these kinds of attacks. For one, Flash Player for mobile is dead, so don’t be trying to update it. More generally, however, you should:

  • Only install apps from trusted sources
  • Keep the “Unknown Sources” checkbox off unless you have a very good reason to turn it on, and always turn it back off right afterwards.
  • Keep an antivirus app on your smartphone


Sources used:


~ Daniel Monteagudo

“Faceliker” Facebook Trojan Making Comeback

“Faceliker” is malware that has been around for a few years, but in 2017 McAfee is reporting surges in its use (9.8% of all new malware in Q1/Q2 are Faceliker strains). Faceliker uses JavaScript to hijack users’ clicks and generate likes on Facebook. The malware is increasingly being embedded within malicious Chrome extensions.

Why would someone want to hijack clicks from users? Well, it seems as though Faceliker is being used to promote “fake news” (*cough* propaganda), and is also used to promote advertisements and games that aren’t popular but seem popular due to the likes accumulated by Faceliker. It can also promote fake pages of companies or users in order to make them seem real or reputable, possibly resulting in catfishing.

McAfee is not certain, but it appears that Faceliker is only being used to promote content by spoofing likes. It is possible that different Faceliker strains are being used to steal passwords or other sensitive data, but there isn’t a clear-cut answer.

-Ryan Corrao