Update 10/27/2017. Assessing the decryption capability. Possibility of file recovery. Verdicts.
What happened?
On Tuesday, October 24, we received notifications of massive ransomware attacks Bad Rabbit("Bad Bunny") Organizations and individual users were affected - mainly in Russia, but there were also reports of victims from Ukraine. This is the message victims see:
What is Bad Rabbit?
Bad Rabbit belongs to a previously unknown family of ransomware.
How is it distributed?
The malware is spread using a drive-by attack: the victim visits a legitimate website, and . The criminals did not use , so to get infected the user had to manually run a file disguised as an installer Adobe Flash. However, our analysis confirms that Bad Rabbit used the EternalRomance exploit to spread within corporate networks. The same exploit was used by the ExPetr ransomware.
We have discovered a number of hacked resources - they all represent news portals and media sites.
Who is the attack aimed at?
Most of the victims are in Russia. Similar, but less massive attacks affected other countries - Ukraine, Turkey and Germany. The total number of targets, according to KSN statistics, reaches 200.
When did Kaspersky Lab discover the threat?
We were able to trace the original vector of the attack at its very beginning, on the morning of October 24th. Active phase lasted until noon, although individual attacks were recorded until 19.55 Moscow time. The server from which the Bad rabbit dropper was distributed was shut down that evening.
How is Bad Rabbit different from the ExPetr ransomware? Or is it the same malware?
According to our observations, now we're talking about about a targeted attack on corporate networks, its methods are similar to those used during. Moreover, analysis of the Bad Rabbit code demonstrated its marked similarity to the ExPetr code.
Technical details
According to our data, the ransomware will spread through a drive-by attack. The ransomware dropper is downloaded from hxxp://1dnscontrol[.]com/flash_install.php.
Victims are redirected to this malicious resource from legitimate news sites.
The victim must run the downloaded install_flash_player.exe file manually. For proper operation the file requires administrator rights, which it requests through a standard UAC notification. When launched, the malware saves the malicious DLL as C:Windowsinfpub.dat and runs it via rundll32.
Pseudocode of the malicious DLL installation procedure
Apparently, the infpub.dat library brute-forces NTLM credentials to Windows machines with pseudo-random IP addresses.
Hardcoded list of credentials
The infpub.dat library also installs a malicious executable file dispci.exe V C:Windows and creates a task to run it.
Pseudocode of the procedure that creates the task of launching a malicious executable file
Moreover, infpub.dat acts like a typical ransomware: it finds the victim’s data using a built-in list of extensions and encrypts the files with a public 2048-bit RSA key owned by the attackers.
Attackers' public key and list of extensions
Public key parameters:
Public-Key: (2048 bit)
Modulus:
00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:
6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:
37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:
93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:
95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:
a6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:
4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:
1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:
1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:
59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:
59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:
f4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:
8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:
47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:
0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:
81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:
84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:
1f:61
Exponent: 65537 (0x10001)
style="font-family: Consolas,Monaco,monospace;">
The executable file dispci.exe appears to be based on code from the legitimate DiskCryptor utility. It acts as a disk encryption module and installs a modified bootloader in parallel, blocking the normal boot process of the infected system.
While analyzing samples of this threat, we noticed an interesting detail: apparently, the authors of the malware are fans of “Game of Thrones.” Some lines in the code represent the names of characters from this universe.
Names of dragons from Game of Thrones
Names of characters from Game of Thrones
Encryption scheme
As we already mentioned, Bad Rabbit ransomware encrypts files and HDD victims. The following algorithms are used for files:
- AES-128-CBC
- RSA-2048
This is a typical scheme used by ransomware.
Interestingly, the ransomware lists everything running processes and compares the hash on behalf of each process with the list of hashes it has. The hashing algorithm used is similar to the one used by the exPetr malware.
Comparison of Bad Rabbit and ExPetr hashing procedures
Special branch of program execution
Runtime Flag Initialization Procedure
Full list of hashes from process names:
| Hash | Process name |
| 0x4A241C3E | dwwatcher.exe |
| 0x923CA517 | McTray.exe |
| 0x966D0415 | dwarkdaemon.exe |
| 0xAA331620 | dwservice.exe |
| 0xC8F10976 | mfevtps.exe |
| 0xE2517A14 | dwengine.exe |
| 0xE5A05A00 | mcshield.exe |
Partitions on the victim's hard drive are encrypted using the dcrypt.sys driver of DiskCryptor (it is loaded into C:Windowscscc.dat). The encryptor sends the necessary IOCTL codes to this driver. Some functions are taken “as is” from the DiskCryptor source code (drv_ioctl.c), while others appear to have been added by the malware’s developers.
Disk partitions are encrypted by the DiskCryptor driver using AES in XTS mode. The password is generated by dispci.exe using the WinAPI CryptGenRandom function and is 32 characters long.
Assessing decryption capability
Our data suggests that Bad rabbit, unlike ExPetr, was not created as a viper (we wrote earlier that the creators of ExPetr are technically unable to decrypt MFT encrypted using GoldenEye). The malware's algorithm assumes that the attackers behind Bad rabbit have the necessary decryption tools.
The data that appears on the infected machine's screen as "personal installation key#1" is an RSA-2048 encrypted and base64 encoded binary structure that contains the following information from the infected system:
Attackers can use their RSA private key to decrypt this structure and send the disk decryption password to the victim.
Please note that the value of the id field that is passed to dispci.exe is simply a 32-bit number used to distinguish between infected computers, and not the AES key for disk encryption, as some reports published on the Internet have said.
During the analysis process, we extracted the password created by the malware under debugging and tried to use it on a locked system after rebooting - the password matched and the download continued.
Unfortunately, it is impossible to decrypt data on disks without an attacker’s RSA-2048 key: symmetric keys are securely generated on the malicious side, which in practice eliminates the possibility of their selection.
However, we discovered a bug in the dispci.exe code: the generated password is not removed from memory, which gives little chance of retrieving it before the dispci.exe process terminates. In the screenshot below, you will notice that while the dc_pass variable (which will be passed to the driver) will be securely erased after use, this is not the case for the rand_str variable, which contains a copy of the password.
Pseudo code for a procedure that generates a password and encrypts disk partitions
File encryption
As we have already written, the Trojan uses a typical file encryption scheme. It generates a random string of 32 bytes in length and uses it in the key derivation algorithm. Unfortunately, the CryptGenRandom function is used to create this string.
Key derivation algorithm
The encrypted password, along with information about the infected system, is written to the Readme file as “personal installation key#2”.
Interesting fact: the malware does not encrypt files with the Read-Only attribute.
Ability to recover files
We found that Bad Rabbit does not delete shadow copies of files after they are encrypted. This means that if the shadow copy service was enabled before the infection and full disk encryption did not occur for some reason, the victim can recover the encrypted files using standard means Windows or third party utilities.
Shadow copies unaffected by Bad Rabbit
Kaspersky Lab experts analyze the ransomware in detail to find possible flaws in its cryptographic algorithms.
Kaspersky Lab corporate clients are recommended to:
- check that all mechanisms are turned on according to the recommendations; Separately, make sure that the KSN and “System Monitoring” components are not disabled (they are active by default);
- promptly update anti-virus databases.
This should be enough. But as additional measures precautions we recommend:
- prohibit execution of the files C:Windowsinfpub.dat and C:Windowscscc.dat in Kaspersky Endpoint Security.
- configure and enable the "Default Deny" mode in the "Application Launch Control" component in Kaspersky Endpoint Security.
Kaspersky Lab products define this threat as:
- Trojan-Ransom.Win32.Gen.ftl
- Trojan-Ransom.Win32.BadRabbit
- DangerousObject.Multi.Generic
- PDM:Trojan.Win32.Generic
- Intrusion.Win.CVE-2017-0147.sa.leak
http://1dnscontrol[.]com/
- install_flash_player.exe
- C:Windowsinfpub.dat
- C:Windowsdispci.exe
style="font-family: Consolas,Monaco,monospace;">
Back in the late 1980s, the AIDS virus (“PC Cyborg”), written by Joseph Popp, hid directories and encrypted files, requiring payment of about $200 for a “license renewal.” At first, ransomware targeted only ordinary people using computers under Windows control, but now the threat itself has become a serious problem for business: more and more programs are appearing, they are becoming cheaper and more accessible. Extortion using malware- the main cyber threat in 2/3 EU countries. One of the most common ransomware viruses, CryptoLocker, has infected more than a quarter of a million computers in EU countries since September 2013.
In 2016, the number of ransomware attacks increased sharply—according to analysts, by more than a hundred times compared to the previous year. This is a growing trend, and, as we have seen, completely different companies and organizations are under attack. The threat is also relevant for non-profit organizations. Since for each major attack, malware is upgraded and tested by attackers to “pass” through antivirus protection, antiviruses, as a rule, are powerless against them.
On October 12, the Security Service of Ukraine warned about the likelihood of new large-scale cyber attacks on government agencies and private companies like the June ransomware epidemic NotPetya. According to the Ukrainian intelligence service, “the attack could be carried out using updates, including publicly available application software.” Let us remember that in the case of an attack NotPetya, which researchers linked to the BlackEnergy group, the first victims were companies using software from the Ukrainian document management system developer M.E.Doc.
Then, in the first 2 hours, energy, telecommunications and financial companies: Zaporozhyeoblenergo, Dneproenergo, Dnieper Electric Power System, Mondelez International, Oschadbank, Mars, "Novaya Poshta", Nivea, TESA, Kiev Metro, computers of the Cabinet of Ministers and the Government of Ukraine, Auchan stores, Ukrainian operators ("Kyivstar", LifeCell, " UkrTeleCom"), Privatbank, Boryspil airport.
A little earlier, in May 2017, the WannaCry ransomware virus attacked 200,000 computers in 150 countries. The virus spread through the networks of universities in China, factories of Renault in France and Nissan in Japan, telecommunications company Telefonica in Spain and railway operator Deutsche Bahn in Germany. Due to blocked computers in UK clinics, operations had to be postponed, and regional units of the Russian Ministry of Internal Affairs were unable to issue driver's licenses. Researchers said North Korean hackers from Lazarus were behind the attack.
In 2017, ransomware viruses reached new level: the use by cybercriminals of tools from the arsenals of American intelligence services and new distribution mechanisms led to international epidemics, the largest of which were WannaCry and NotPetya. Despite the scale of the infection, the ransomware itself collected relatively insignificant amounts - most likely these were not attempts to make money, but to test the level of protection of the critical infrastructure networks of enterprises, government agencies and private companies.
Are you facing Feature Update to Windows 10 Version 1909 Error 0x80070005, 0x80d02002? Main Possible reasons This problem includes corruption of the update cache, driver software, and incompatibility of the application installed on your computer. Some users have started complaining about error 0x80070005 during a feature update when they get it through the update and security area. Unfortunately, the installation ends with this stop code and does not install after a restart or the usual workarounds. In this guide, you will identify the reasons for the error and fix it.
How to fix feature update error to Windows 10 Version 1903-1909
A common cause of Windows update error is cache corruption. So, first of all, you should try to reset it using a simple simple process.
1. Reset update cache
- Enter cmd In Windows "Search", right-click in the matches and select " Run as administrator".
Copy the commands below, paste them all at once into " command line" and press Enter.
- net stop wuauserv
- net stop cryptSvc
- net stop bits
- net stop msiserver
- ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
- ren C:\Windows\System32\catroot2 catroot2.old
- net start wuauserv
- net start cryptSvc
- net start bits
- net start msserver pause
If your process stops on the line net start msserver pause, press Enter. Next, simply exit the command line by typing the command exit.
Go to Settings > Update & Security and tap " Checking for updates". See if the feature update to Windows 10 Version 1909 problem is gone with error 0x80d02002.
2. Launch SFC and DISM tools
If error 0x80d02002 has not been corrected, then you need to run a system scan and restore Windows files, tools. SFC will modulate damaged files, and also restore. DISM then checks the health of the system image. Hence, follow the instructions to launch both the tools one by one, point by point.
Let's launch " command line as administrator" and enter:
- SFC /SCANNOW
After the process is completed, restart your computer and make sure that the error updating features to Windows 10 version 1909 is fixed. If it does not help, then move on below.
Now enter:
- DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
Restart the system after the process is completed and check for the feature update.
3. Checking language settings
Error 0x80d02002 often occurs due to incorrect settings language. Select the language of the country you are currently in, which means you are in Russia, then select the Russian language (rus).
- Open Settings, select Time & Language.
- On the left, select "Region and language" and on the right, configure according to your place of stay.
You can now get the feature update to Windows 10 Version 1909 after fixing error 0x80d02002.
We never tire of repeating that updating the OS is extremely important. And we often get the question of how to download update 1709 Fall Creators Update and how to update to this version on your Windows 10 build.
In the fall of 2017, Microsoft announced a new update to its Windows 10 operating system to version 1709 called the Fall Creators Update. It managed to implement many innovations and innovations, thanks to which it is expected to make the system even a little better in all respects. Therefore, it’s worth talking a little about some of the new products that the developers were able to offer their users. And you can download this version both on our portal and on the company’s official resources.
New features in Windows 10 1709 Fall Creators Update
Judging by the name, then in to a greater extent This update was designed for IT professionals. Let's see what the developers were able to prepare for them:- Has been improved file system, which will make it more convenient to work in the Linux subsystem;
- Enabling developer mode in WSL is no longer required;
- Lots of changes. Regarding working with Hyper-V;
- Users of the server version have been added the opportunity to participate in the preliminary assessment program;
- Came out a new version Workstation, which can be downloaded along with the current update.
The developers were asked to remove the favorite by many due to the fact that this application is considered outdated. They strive to work more in the direction of three-dimensional technologies and develop Paint 3D. Now many will be interested in the question of how to download remote application. Most likely it will be available in the Store. So if you decide to download Windows 10 1709 Fall Creators Update, then be prepared for the absence of standard Paint.
In updating the system to version 1709, most of the attention was paid to security issues. That is why for some editions of the system it is suggested that the users themselves limit the collection of user data.
Work continued on integrating devices with the system. For example, it has become possible to link a phone to a PC so that the user can view on the smartphone the links that he will send to himself from a personal computer.
Among interesting features, which became available to users who were able to download the Windows 10 update to version 1709 Fall Creators Update, is a function through which memory is monitored. It allows users to avoid having to manually delete unused files in situations where the disk has too little free space. Such files will be recognized as those that have been in the trash for more than a month. As well as temporary system files, data from the “Downloads” folder. As an addition, this function offers the ability to remove previous versions of the system.
How to update
If you have already realized that it is impossible for you to do without installing this package, then you have two options. First, go to Settings and in the “Update and Security” section use the built-in features. To do this, first activate the search for available updates and then install everything that the system offers.
The second option is to use the official Microsoft website and install the necessary add-ons manually. The second option should be used only if the first did not help you. But in this case, you will have to download the 1709 Fall Creators Update, then install it - all manually, and this, in our opinion, is not suitable for the 21st century.
Which option to choose is up to you. Here you can download the latest Windows version 10, which initially includes all the latest patches and updates. Also don't forget that Microsoft company releases only cumulative products, which means that you can download a more recent generation, for example, 2018, which will initially include this build for 2017. You don't need to manually download and install one by one.
Since official release It's been quite some time since Microsoft's "latest OS" arrived. And the company tirelessly churns out updates for the “ten”. Among the most noticeable changes is support for Linux systems. It is not clear why this was done, but now you can run and successfully use Ubuntu on Windows. What else can a Fall Creators Update user enjoy? We need to figure it out, because there are a lot of changes. However, there are serious doubts about the practical value of many of them. It is not clear why this was necessary. However, first things first. Let's start with the interface.
Fluent Design. A new word in design
Microsoft finally realized that the standard design of the 10 is no good. But instead of returning the components of the beloved and proven Aero, the company came up with some kind of utter Fluent Design. This is a dynamic change in interface components depending on the action being performed. This design includes features such as blur background in the MacOS style, the use of “material design” components and other options that seem unique and innovative to Microsoft. At the same time, the Redmond Corporation completely forgets that all this has long been in “Linux-like” OSes and in the legendary Macs. However, Windows 10 Fall Creators Update, version 1709 looks quite interesting. However, Microsoft failed to bring this to fruition.
Firstly, the smoothness of the design change leaves much to be desired. Secondly, only applications from the Windows Store have full support for the new design. The rest of the programs look simply comical. Thirdly, the possibility of using such a design on computers with modest technical characteristics. In general, impressions of the new design are twofold. On the one hand, it's nice to see Microsoft's desire to make the system better. But on the other hand, all this was implemented very clumsily. Bye. The implementation of the new design still needs a lot of work. And the company released mass use a very crude product - Windows 10 version 1709. User reviews confirm this idea.
Working with the stylus
In the update great attention was devoted to touch devices and their interaction with styluses. However, this approach only helps tablet users and those who have touch monitors. The remaining users (and there are many more of them) remain “overboard”. Because it is completely unclear how this “feature” can be useful to users of classic PCs and laptops. Nevertheless, the stylus began to be recognized better. New options have appeared, handwriting recognition has improved, support for emoticons has appeared, and much more. The "ten" also made life easier for artists. Now you don’t have to buy anything to create masterpieces Graphics tablet. A touch monitor and a stylus are enough. Windows 10 Fall Creators Update (version 1709) is the most preferred OS for graphic artists.
Access Spotify and iTunes on Windows Store
Now iconic applications for managing Apple devices are available in Windows store. This is good news for those who use smartphones and tablets from the Cupertino manufacturer. However, ordinary users have absolutely no use for this innovation. Nevertheless current versions applications are already available. They will be updated regularly. Now, for normal interaction between a PC and an iPhone, it is not at all necessary to purchase a Mac. Using these programs, you can combine Apple devices and a Windows computer into one ecosystem, which will allow users to discover new capabilities of their devices.
Linking a smartphone to a PC
Microsoft decided to implement this option in order to combine a smartphone (no matter what) and a PC into one ecosystem. But even this was not brought to fruition. So far, such a system is only capable of sending links from the phone to the computer in order to continue working on a full-fledged machine. Windows Update 10 Fall Creators Update 1709 provides this opportunity. According to company representatives, the functionality of the option will be expanded in the future. There will also be an option to reject an incoming call on the PC screen. As in all other cases, Microsoft released an unfinished and crude option. Why implement such an opportunity if there is almost no sense in it? This is still unknown.
Power Throttling
Unlike previous useless innovations, this at least slightly affects the speed of the operating system and its energy consumption. The bottom line is this: the system searches for applications running in and automatically reduces to a minimum the resources allocated to the operation of these same programs. This “dosing” of power helps laptops work longer on a single charge. battery. This once again confirms the idea that Microsoft Windows 10 version 1709 is “tailored” for mobile devices. And the latter includes everyone’s favorite laptops. However, the implementation of this option can fully affect classic PCs. In theory, it should reduce CPU load and RAM, which will allow the above components to work longer. At least one useful feature in the update from Microsoft.
Smarter Cortana
There is no need to be particularly happy, because this assistant is not available for our region. And Windows 10 version 1709, reviews of which we will discuss a little later, could not change anything in this regard. Nevertheless, Microsoft developers have taught Cortana to recognize dates in images (say, posters) and plan events based on this. Of course, the “trick” is not so great. This creation is already far from full-fledged artificial intelligence. What can I say, “Cortana” in terms of intelligence does not even reach Apple’s “Siri”. This option in the update is completely useless for residents of Russia and the CIS countries. So there is no point in dwelling on it in detail.
"Linux" on Windows
Another not fully understood option is “tens”. The whim of the developers is incomprehensible, according to which in operating system It became possible to install and subsequently launch the Ubuntu OS from the Linux-like family. Windows 10 version 1709, which has received mixed reviews, now also includes the ability to install and run Fedora and OpenSUSE distributions. The implementation of such an option should theoretically help software developers. But in reality everything looks a little different. Let's start with the fact that only owners of the pro version and on modern hardware have the opportunity to take advantage of this beauty. Because the launch is carried out in emulation mode. And this requires a considerable amount of resources.
Security Improvements
Now let's look at the possibilities Windows protection 10 version 1709. Reviews from those who have already updated indicate that Microsoft has paid great attention to security. The vulnerabilities used by the famous WannaCry ransomware were closed. Windows Defender has also been redesigned. Now protection against viruses, exploits, ransomware and other malware has become even better. Now the “top ten” can definitely be used without a third-party antivirus. The built-in software will cope perfectly with all threats. You will only need to regularly update the signatures.
