BadRabbit Ransomware and How to Stay Secure

Since the morning of October 24th, a new ransomware attack named BadRabbit began spreading through Russia, Ukraine, and on a smaller scale in Germany and Turkey. Among the affected networks were Ukraine’s Ministry of Infrastructure, Kiev’s public transportation system, the Russian news service Interfax and others.

The attack appears to rely on user deception rather than on exploitation of a vulnerability. While browsing a legitimate Russian news site, the user is redirected to a site controlled by the attackers (a watering-hole attack). This site prompts the victim to download and run a bogus Adobe Flash installer, through which the user unknowingly infects his or her own machine. In other words, the ransomware does not run automatically; the user must launch it.



KELA recommends taking the following steps to ensure your network’s security:

  • Update all anti-virus engines on endpoints, servers and email servers.
  • Create a file named “c:\windows\cscc.dat” or “c:\windows\infpub.dat” and remove all write permissions on it, including inherited permissions; this can prevent infection.

Additional steps for enterprises:

  • Block traffic from the ransomware’s distribution servers, whose domain is hxxp:/1dnscontrol[.]com and whose IP is 5[.]61[.]37[.]209.
  • Prevent users from downloading EXE files directly to their endpoints by using appropriate proxy settings.
  • If possible, prevent SMB traffic between user endpoints in the organization; SMB traffic should only flow between users and servers.
  • If the organization has a VPN connected to networks in Ukraine, increase monitoring on this link and consider shutting it down until the extent of the attack becomes clear.
  • Use a management mechanism for local administrator accounts on user endpoints, so that each endpoint has a different password that is changed regularly.
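As an added example that is not part of the KELA advisory, the two host-level steps above (the vaccination files and blocking endpoint-to-endpoint SMB) as an elevated PowerShell script for a user workstation; it assumes Windows is installed under %SystemRoot% and that the Windows Firewall is in use.

```powershell
# Added example, not KELA's own tooling. Run from an elevated PowerShell prompt
# on a user endpoint (not on file servers, which must keep serving SMB).

# 1. "Vaccination": create both files named in the recommendation and strip all
#    write access so the ransomware cannot create or overwrite them.
$vaccineFiles = @("$env:SystemRoot\cscc.dat", "$env:SystemRoot\infpub.dat")

foreach ($path in $vaccineFiles) {
    # Only create the file if it is missing; an existing infpub.dat was not placed
    # by us and should be investigated, not silently overwritten.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }

    # Set the read-only attribute first: once the ACL below is applied, nobody
    # (not even the owner) has FILE_WRITE_ATTRIBUTES any more.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting from C:\Windows and do not copy the inherited ACEs
    # ($true = protect from inheritance, $false = discard inherited rules).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit rules that are left.
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    # Everyone may read (so an existence check still works), nothing more:
    # no write, no delete, no change of permissions.
    $readOnly = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'Read', 'Allow'
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# 2. Block inbound SMB on the endpoint so that one infected workstation cannot
#    reach its peers over port 445; outbound SMB to servers is unaffected.
New-NetFirewallRule -DisplayName 'Block inbound SMB from peer endpoints' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
    -Profile Domain, Private | Out-Null

# Verify: effective ACL on each vaccination file and the new firewall rule.
foreach ($path in $vaccineFiles) {
    Write-Host "`n$path"
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
Get-NetFirewallRule -DisplayName 'Block inbound SMB from peer endpoints' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Because the ACL leaves only read access, undoing it later requires an administrator to take ownership of the file first.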

KELA has identified several Indicators of Compromise:


About Kela and the RaDark

KELA Targeted Cyber Intelligence is a leading provider of targeted cyber intelligence, based in Tel Aviv, Israel. We specialize in providing our clients with intelligence about cyber threats that specifically target them (exposed IT systems, breached employee credentials, product vulnerabilities, etc.). We do this using the RaDark technology that we’ve developed – an automated, cloud-based technology that uses custom-built web crawlers to continuously monitor Darknet sources. In addition, our defense-force-trained intelligence analysts provide tailored reporting and incident response services, acting as a real-time extension of the client’s team. Our intelligence is used by some of the world’s largest banks, telecoms, auto manufacturers and more.


Cyber criminals and their techniques evolve at nearly the same pace as the available technology. As 3D printing technology advances, scammers no longer need to find creative ways to manufacture their tools – now they can print them in the comfort of their own homes.

Credit card skimmers are not new to the cyber criminal world (a few great examples can be seen on Krebs on Security). These are devices that cyber criminals attach over the original card readers on ATMs to collect financial information for fraudulent use. As a card passes through it, the skimmer reads the card’s magnetic stripe and records its data. While most skimmers consist of only the card reader itself, they can also be used in tandem with a small camera or a keypad overlay to capture the customer’s PIN code. In this way, fraudsters can obtain data from hundreds or even thousands of credit cards per day.



Japan taking cues from Israel on cybersecurity

Recently, Kela has been helping more and more clients in Japan deal with the growing cyber threats they face. Kela has performed several successful deployments in Japan using the automated RaDark system, which continuously scans Dark Net sources and alerts clients about threats targeting their organizations.

Read about Kela’s activities and the Japan market situation in a recent article published in the Nikkei Asian Review.





Many of our customers may not be very familiar with our system. RaDark’s Visual Reconnaissance module is an entirely external, intelligence-based system, so it can continuously monitor your network for vulnerabilities without running any scans.



Now let us go into the domains and subdomains, and then into the vulnerable systems that RaDark has found. Among these systems is Windows Server 2003, one of the systems affected by the WannaCry attack.

Here is a Windows 8.1 case.

Another thing we can see is the SMB vulnerability on port 445. This is the actual vulnerability exploited by the Shadow Brokers toolset in the WannaCry attack. In this case, the same host is running Windows Server and has an open RDP port through which an external attacker could access the machine.

Finally, I would like to show you the contact list. Here, in RaDark’s export section, you can view a CSV file containing all of your company’s contacts that RaDark has found on the darknet. Since WannaCry penetrates corporate networks via spear-phishing attacks, it is important to keep track of this contact list.

We will continue to track this attack closely and keep our customers updated on new developments. We have created a dedicated intelligence monitor in the RaDark system that is available to all of our customers; it is configured to collect all darknet information related to this attack.


Let’s Talk Targeted Threat Intelligence

HLS & Cyber Netherlands and InfoSEC 2017

Come meet our experts and see how KELA’s RaDark technology can help protect your organization by providing the most targeted threat intelligence available.

  • Threat intelligence covering all angles of attack
  • Only about you – nothing generic. Your organization. Your systems. Your employees.
  • The most critical information from the most critical sources

We look forward to seeing you! Contact us to schedule a meeting, or visit our website to learn more.

Infosecurity Europe | 06-08 June 2017 | Olympia, London

Cyber & HLS Netherlands | 22 June 2017 | Rotterdam

Spear-phishing targeting specific Israeli targets

Tonight on i24 News, KELA Targeted Cyber Intelligence’s COO, Mr. Yakir Bechler, explained the recent attempt at a broad attack on Israeli targets. This coordinated attack was exposed by an external research team. The threat actor used spear-phishing aimed at specific Israeli targets to deliver malware that exploits a vulnerability in Microsoft Office (CVE-2017-0199). For now, it seems the attackers succeeded in breaching two Israeli entities (one research institute and one commercial entity) and went on to attack further targets from the compromised machines.

The RaDark system, developed by KELA Targeted Cyber Intelligence, provides our clients with intelligence about threats specifically targeting them, allowing them to stay one step ahead of threat actors.


Threat Actors use the Dark Web to hide

This interesting article demonstrates how threat actors and terrorists use the Dark Web to plan attacks in an encrypted environment. In Dark Web forums, they collaborate and share methods of avoiding law enforcement surveillance when planning a physical or cyber attack.

This strategy prevents law enforcement from using traditional surveillance technologies on known threat actors. As the article says: “Deeper and harder to get at is what’s known as the Dark Web, the hidden portion of the Internet that’s only available through specialized browsers. It’s not really a single entity but instead thousands of sites, most encrypted and all available only to those with information about how to find them and how to access them.”

KELA Targeted Cyber Threat Intelligence’s RaDark has access to the deepest and encrypted corners of the Dark Web, and provides targeted, actionable intelligence to prevent the next attack.