Bad Rabbit Ransomware Spreads via Network

An ongoing ransomware campaign is hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Digital Age Solution utilizes Trend Micro XGen™ security products with machine learning to proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

Figure 1: Bad Rabbit Infection Chain

Our initial analysis found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.

Figure 2: Code showing the injected script

Once the fake installer is clicked, it drops the encryptor file infpub.dat, which is executed through the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of job files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, and a second job file, drogon.job, which is responsible for shutting down the victim’s machine. The ransomware then proceeds to encrypt files on the system and displays the ransom note shown in Figure 3.

Figure 3: Bad Rabbit ransom note showing the installation key

A third file, viserion_23.job, reboots the target system a second time. The screen is then locked, and the following note displayed:

Figure 4: Bad Rabbit ransom note displayed after system reboot

Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself on those machines under its original file name and executing the dropped copies via Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. When it uses the Service Control Manager Remote Protocol, it relies on dictionary attacks to obtain the credentials.

Bad Rabbit also spreads via the SMB file sharing protocol. It attempts to brute-force any administrative shares it finds and, if successful, drops a copy of itself into those shares. If the brute-force attempts fail, it uses an exploit related to the EternalSynergy SMB vulnerability to drop copies onto the shares. This is a divergence from the earlier Petya attacks, which used the EternalBlue vulnerability.

Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit with the best practices utilized by Digital Age Solution’s Safe & Secure Managed Services.

Petya Ransomware

Not two months ago, the world fell victim to the largest malware attack in history. This week another attack threatens the data of the world. 

The Petya ransomware restarts infected computers and encrypts all of the data on them. The malicious software then demands $300 in the digital currency Bitcoin.

Petya spreads rapidly across a network after a single computer becomes infected. It spreads either through the EternalBlue vulnerability in Windows or through one of two Windows administrative tools; Petya attempts to use one tool and tries the next if the first is not successful.

EternalBlue is the same exploit used by the WannaCry ransomware in May. The exploit is believed to have been developed by the NSA and released to the world by hackers. On March 14, 2017, Microsoft issued a security bulletin detailing the flaw and announced that patches had been released for all Windows versions that were supported at that time. In May, Microsoft released a patch for older operating systems in response to the WannaCry attack. Unfortunately, not everyone will have installed the patches.

Petya infects a computer and waits about an hour before rebooting it. While the computer reboots, a user should turn it off to prevent the files from being encrypted. Afterward, a tech can rescue the unencrypted files from the hard drive.

If your computer reboots to display the ransom note, DO NOT pay the ransom. The “customer service” email address used by the criminals behind this attack was shut down by the service provider. As a result, no one will send the decryption key to unlock your files.

Disconnect your computer from the internet, and bring it to Digital Age Solution. Our techs will reformat the hard drive, reinstall Windows, and recover your files from a backup.

If you have not done so already, sign up for DAS Safe and Secure. We automatically back up your files with version recovery, protect your system with up-to-date Internet security and anti-virus software, and install updates and patches to keep your computer current.

Safe World

Summer vacation begins next week for most students in Frederick County. This summer, kids have access to more information than ever before with technology.

The World Wide Web can be a scary and dangerous place.

Digital Age Solution can help make it a “Safe World” with our services and recommended hardware and software.

We make on-site service calls to secure your world: At Home, At Work, Anywhere you need us.

DAS VOIP Saves Doctor’s Office Money and Increases Efficiency

Digital Age Solution brought one local pediatrician’s office into the Digital Age with DAS VOIP and an upgraded network this week.

“Our bill went down and this system is so much more powerful,” the office manager exclaimed as we demonstrated their new DAS VOIP Cloud PBX.

DAS VOIP’s Cloud PBX provides a robust phone system that is housed on our servers. This allows customers to free up space, save on electricity, and not worry about equipment in their office. The system includes voicemail, virtual attendants, time-based routing, caller id routing, unified communications, and so much more.

It also provides disaster recovery and flexibility. Our customers can connect their phones to any Internet connection and get online, or use our ClickConnex App on their smartphones.

The pediatrician’s office staff quickly learned how efficient the system is in their daily routines. Transferring calls, accessing messages, and visualizing phone calls on the DAS VOIP web site are very easy. Time-based rules eliminated having to transfer calls to the phone service, or switching messages at lunch time and the end of the day.

If you’d like to see how we can save you time and money, contact us for a Digital Age Solution!

WannaCry Ransomware Strikes Worldwide

Computers and networks around the world fell victim to WannaCry ransomware over the past two days. The attack successfully shut down hospitals, transit systems, and businesses around the globe. The threat significantly affected the United Kingdom, Taiwan, Chile and Japan.

Last year, hackers announced that they had hacked the NSA and downloaded its tools. One of the tools acquired, code-named EternalBlue, exploits a vulnerability to attack systems.

The exploit drops a file on the vulnerable system, which executes as a service. The service then drops the actual ransomware file onto the affected system, which encrypts files and appends the .WNCRY extension. A separate component file for displaying the ransom note is also dropped.

The ransomware encrypts files with a total of 166 extensions, including those commonly used by Microsoft Office, databases, file archives, multimedia files, and various programming languages.

To spread to other systems, it uses the dropped file that runs as a service under the name “Microsoft Security Center (2.0)”. This service scans for other SMB shares on the network and uses the EternalBlue vulnerability to spread to those systems.

Figure 3. Added service
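As an added illustration that is not part of the original posts, the following Python script turns the host-level indicators described in the Bad Rabbit and WannaCry write-ups above (the fake Flash installer, infpub.dat run through rundll32.exe, dispci.exe, the rhaegal/drogon/viserion_23 job names, copies dropped on admin shares, the “Microsoft Security Center (2.0)” service and the .WNCRY extension) into simple detection rules and runs them over constructed Sysmon-style events. The event format, host names, paths and command lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the Bad Rabbit and WannaCry write-ups on this page.
# Each rule: (rule name, event type it applies to, pattern on the event value).
RULES = [
    ("badrabbit_fake_flash",       "process", re.compile(r"install_flash_player\.exe", re.I)),
    ("badrabbit_rundll32_infpub",  "process", re.compile(r"rundll32\.exe.*infpub\.dat", re.I)),
    ("badrabbit_decryptor",        "process", re.compile(r"dispci\.exe", re.I)),
    ("badrabbit_scheduled_task",   "task",    re.compile(r"^(rhaegal|drogon|viserion_23)$", re.I)),
    ("badrabbit_admin_share_drop", "file",    re.compile(r"^\\\\[^\\]+\\(admin|[a-z])\$\\.*infpub\.dat$", re.I)),
    ("wannacry_service",           "service", re.compile(r"^Microsoft Security Center \(2\.0\)$")),
    ("wannacry_encrypted_file",    "file",    re.compile(r"\.wncry$", re.I)),
]

# Constructed Sysmon-style events (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "value": r"C:\Users\a\Downloads\install_flash_player.exe"},
    {"host": "ws01", "type": "process", "value": r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1"},
    {"host": "ws01", "type": "task",    "value": "rhaegal"},
    {"host": "ws01", "type": "file",    "value": r"\\ws02\admin$\infpub.dat"},
    {"host": "ws02", "type": "service", "value": "Microsoft Security Center (2.0)"},
    {"host": "ws02", "type": "file",    "value": r"C:\Users\b\Documents\q3.xlsx.WNCRY"},
    # Benign rundll32 use (a Control Panel applet): must not fire.
    {"host": "ws03", "type": "process", "value": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

def detect(events):
    """Return {host: sorted rule names that fired} for hosts with at least one hit."""
    hits = defaultdict(set)
    for ev in events:
        for name, etype, pattern in RULES:
            if ev["type"] == etype and pattern.search(ev["value"]):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def families(rule_names):
    """Map fired rule names to the ransomware family prefix they belong to."""
    return sorted({name.split("_", 1)[0] for name in rule_names})

if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(host, families(names), names)
```

A single hit such as a lone rundll32 process is weak on its own; several Bad Rabbit rules firing on the same host, as for ws01 above, is the infection chain the write-up describes and is what an alert should key on.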

Microsoft already patched supported Windows operating systems to address the SMBv1 vulnerability used in this attack in March. Even before that, in September 2016 Microsoft strongly urged users to migrate away from SMBv1, which dates back to the early 1990s. US-CERT issued similarly strong recommendations as well. Organizations that had followed best practices—both in patching and in proper configuration of SMB services—would not be affected by this attack.

The infected machines either do not have the patch installed or still run the Windows XP, Vista, or Windows 8 operating systems.

In the wake of the largest ransomware attack in history, which has already infected over 114,000 Windows systems worldwide in the last twenty-four hours, Microsoft has taken an unusual step to protect its customers with out-of-date computers. Microsoft has released an emergency security patch for all of its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.

Digital Age Solution customers with DAS Safe & Secure contracts do not have to worry!

Our security software identifies and blocks this threat and file encryption regardless of your operating system.

DAS Sync protects against ransomware by keeping file history back-ups on our cloud servers. We can easily recover files for customers.

DAS Remote Monitoring and Management also applies patches to protect our customers’ computers. For outdated systems, we have already pushed the new update to computers.

If you want to be sure your systems are protected with DAS Safe & Secure, contact us to get Safe and Secure.

Bringing 21st Century to Old Space

We’ve been working with one of our customers and our partners to update a very old space in Downtown Frederick for use in the Digital Age! The space features great old lumber, art deco metal work, and tons of character.

Now, the space is ready for meetings, trainings, and conferences with wireless network access, Voice Over IP phones and conference phones, 70″ monitors on the walls, and wireless HDMI to allow anyone to quickly connect from laptops, tablets, and even smart phones.

We’ll post some more photos of the Digital Age Solution for this retrofit of an amazing space soon!

Here’s How Easy It Is to Get Trump Officials to Click on a Fake Link in Email

With the recent Google Docs phishing scheme and all the hacks of politicians, one would hope for a higher level of suspicion when it comes to emails with links. 

Gizmodo demonstrated the lack of suspicion within one group who should really be on heightened awareness: White House officials and advisors.

http://gizmodo.com/heres-how-easy-it-is-to-get-trump-officials-to-click-on-1794963635

These phishing attacks represent a large percentage of security hacks. It is much easier to trick users into giving access than actually hacking devices or networks.

Remember to always err on the side of caution. If someone wants to share a document with you, verify the email address, the link’s URL, or ask Digital Age Solution. We are happy to help protect you and your information.

Be Prepared for Storms

This week, we’ve seen our first computers of the season to be damaged by lightning!

As the weather gets warmer, thunderstorms crop up a lot more often. With them, damaging lightning strikes wreak havoc on sensitive electronics, like your valuable information technology systems.

Often, Digital Age Solution technicians can swap out a power supply and get you back up and running. Other times, the electrical surges rush through to the motherboard or other parts of the computer equipment.

These can be costly repairs.

Help protect your technology with a Digital Age Solution. Our technicians can help you choose the right equipment for your situation. From surge protectors to uninterruptible power supplies, each has a specific use and provides a different level of protection.

If you’ve already fallen victim to the storms, give us a call and we’ll get you back up and running!

Google Phishing Attack

If someone invites you to edit a file in Google Docs today, don’t open it — it may be spam from a phishing scheme that’s been spreading quickly this afternoon. As detailed on Reddit, the attack sends targets an emailed invitation from someone they may know, takes them to a real Google sign-in screen, then asks them to “continue to Google Docs.” But this grants permissions to a (malicious) third-party web app that’s simply been named “Google Docs,” which gives phishers access to your email and address book.

The key difference between this and a very simple email phishing scheme is that this doesn’t just take you to a bogus Google page and collect your password — something you could detect by checking the page URL. It works within Google’s system, but takes advantage of the fact that you can create a non-Google web app with a misleading name. Here’s what the permissions screen looks like, for example:

Google Docs phishing screen

If you check the title for developer information, though, you’ll get something like this:

Gdocs Phishing attempt

If you’ve clicked the link, your account may have already sent spam messages to the people in your address book. But you can revoke future access through Google’s “Connected Apps and Sites” page, where it will appear as “Google Docs.”

Google Docs phishing access

Laundry . . . There’s an App for That!

With Samsung’s newest washer and dryer, you can control your laundry with an app. The Internet of Things is here in the Digital Age.