Code flaws in BadRabbit aid file recovery

By on
Code flaws in BadRabbit aid file recovery

Malware uses NSA exploit to spread.

Victims of the BadRabbit ransomware may be able to recover their scrambled files in certain circumstances thanks to coding mistakes made by the malware's authors.

Security vendor Kaspersky Lab discovered that BadRabbit does not delete the password it generates when it encrypts victims' hard disks and files from the computer's memory.

"... there is a slim chance to extract it before the dispci.exe [encryption] process terminates," Kaspersky's researchers wrote.

However, if the system is rebooted, the key in memory will be erased. Without the 2048-bit key, there's no way to decrypt the scrambled data.

Additionally, BadRabbit doesn't attempt to delete the Windows Shadow Copy back-up files, the firm found.

If Shadow Copies are enabled prior to the BadRabbit strike, they can be used to restore original versions of the encrypted files through Windows or through third-party utilities.

BadRabbit and NotPetya one and the same

Further analysis of the malware by Cisco's Talos security researchers has found BadRabbit uses the EternalRomance exploit in a similar fashion to the NotPetya worm.

EternalRomance is one of several exploits leaked by the ShadowBrokers group of hackers that belonged to an organisation linked to the US National Security Agency.

The exploit targets vulnerable versions of Microsoft's Server Message Block (SMB) file sharing protocol, and is used by BadRabbit and NotPetya to move laterally across networked Windows systems.

Talos said the EternalRomance implementation for BadRabbit is similar to the Python-language implementation used by NotPetya.

The key difference between EternalRomance in BadRabbit and NotPetya is in BadRabbit the exploit is used to overwrite the kernel session security context in order to launch remote services.

In NotPetya, EternalRomance was used to install the DoublePulsar backdoor, an NSA-linked exploit also leaked by ShadowBrokers.

Talos said it was confident that BadRabbit had been built using the same code base as NotPetya. It also said both malware strains used a similar tool chain for assembly.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bad rabbit badrabbit malware notpetya petya ransomware security

Sponsored Whitepapers

Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Future of work: Support your distributed HR workforce with digital document processes
Future of work: Support your distributed HR workforce with digital document processes
Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights

Events

Most Read Articles

Westpac replaces branch phone systems with iPhones, Teams Calling

Westpac replaces branch phone systems with iPhones, Teams Calling
Westpac loses its group head of data and advanced analytics

Westpac loses its group head of data and advanced analytics
NBN Co to charge free fibre recipients that don't stick with higher speed plans

NBN Co to charge free fibre recipients that don't stick with higher speed plans
CBA to rebrand its internal IT organisation

CBA to rebrand its internal IT organisation

Log In

Email:
Password:
  |  Forgot your password?