{"id":4326,"date":"2017-10-25T11:03:36","date_gmt":"2017-10-25T08:03:36","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=4326"},"modified":"2019-11-15T14:47:26","modified_gmt":"2019-11-15T11:47:26","slug":"bad-rabbit-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/bad-rabbit-ransomware\/4326\/","title":{"rendered":"Bad Rabbit: A new ransomware epidemic is on the rise"},"content":{"rendered":"<p><strong>This post is being updated as our experts obtain new details about the malware.<\/strong><\/p>\n<p>We have already seen two large-scale ransomware epidemics this year: <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/wannacry-ransomware\/3181\/\" target=\"_blank\" rel=\"noopener\">WannaCry<\/a> and <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/new-ransomware-epidemics\/3319\/\" target=\"_blank\" rel=\"noopener\">ExPetr<\/a> (also known as Petya and NotPetya). It appears that a third epidemic is on the way: the new malware is called Bad Rabbit. More precisely, that is the name given by the darknet website linked from the ransom note.<\/p>\n<p>At present, Bad Rabbit ransomware is known to have affected several major Russian media outlets. The Interfax news agency and Fontanka.ru are among the confirmed victims. 
Odessa International Airport has reported a cyberattack on its information system, though it is not yet clear whether it is the same attack.<\/p>\n<p>The criminals behind the Bad Rabbit attacks are demanding 0.05 bitcoin as ransom, which is about 280 US dollars at the current exchange rate. Don't bother converting that to Turkish lira; we'll tell you: it comes to 1044\u20ba.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4328\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/10\/25104259\/badrabbit_1.gif\" alt=\"\" width=\"720\" height=\"405\"><\/p>\n<p>According to our findings, the attack does not use exploits. It is a drive-by attack: victims download a fake Adobe Flash installer from infected websites and infect themselves when they manually launch the .exe file. Our researchers have detected a number of compromised websites, all of them news or media sites.<\/p>\n<p>It is not yet known whether files encrypted by Bad Rabbit can be recovered (either by paying the ransom or by exploiting some flaw in the ransomware code). Kaspersky Lab antivirus experts are investigating the attack. 
We will update this post as the researchers report their findings.<\/p>\n<p>According to our data, most of the victims of these attacks are in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. The ransomware infected devices through several hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm whether it is related to ExPetr. Our investigation continues. In the meantime, you can review the technical details in this post on <a href=\"https:\/\/securelist.com\/bad-rabbit-ransomware\/82851\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>.<\/p>\n<p>Our researchers have found enough evidence to link the Bad Rabbit attacks to the ExPetr attacks carried out in June of this year. According to the analysis, some of the code used in Bad Rabbit was previously seen in ExPetr.<\/p>\n<p>Other similarities include the use of the same domains during the attack. Some domains were hacked back in June but were not used. In addition, the technique used to spread the malware across corporate networks is the same: both attacks used Windows Management Instrumentation Command-line (WMIC). 
There are differences as well, however: unlike ExPetr, Bad Rabbit does not use the EternalBlue exploit or any other exploit.<\/p>\n<p>Our experts believe that the same attackers are behind both attacks and that they had been planning the Bad Rabbit attack since July 2017 or earlier. We are continuing our investigation. In the meantime, see our <a href=\"https:\/\/securelist.com\/bad-rabbit-ransomware\/82851\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Securelist<\/a> post for more technical details.<\/p>\n<p>Kaspersky Lab products detect the attack with the following verdicts: UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network), PDM:Trojan.Win32.Generic (detected by System Watcher), and Trojan-Ransom.Win32.Gen.ftl.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-ransomware\">\n<p>To avoid becoming a victim of Bad Rabbit:<\/p>\n<p>Users of Kaspersky Lab products:<\/p>\n<ul>\n<li>Make sure that System Watcher and Kaspersky Security Network are running. 
If they are not, it is essential to turn these features on.<\/li>\n<\/ul>\n<p>Other users:<\/p>\n<ul>\n<li>Block the execution of the files c:\\windows\\infpub.dat and c:\\Windows\\cscc.dat.<br>\nDisable the WMI service (if that is possible in your environment) to prevent the malware from spreading over your network.<\/li>\n<\/ul>\n<p>Tips for everyone:<\/p>\n<ul>\n<li>Back up your data.<\/li>\n<li>Don't pay the ransom.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kartb2b\">\n","protected":false},"excerpt":{"rendered":"<p>We have already seen two large-scale ransomware epidemics this year: WannaCry and ExPetr (also known as Petya and NotPetya). It appears that a third epidemic is on the way: the new malware is called Bad Rabbit. 
More precisely, that is the name given by the darknet website linked from the ransom note.<\/p>\n","protected":false},"author":675,"featured_media":4327,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1351],"tags":[1408,591,1409,843,1256,241,1410],"class_list":{"0":"post-4326","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-bad-rabbit","9":"tag-fidye-yazilimi","10":"tag-kotu-tavsan","11":"tag-petya","12":"tag-salgin","13":"tag-trojan","14":"tag-wiper"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/bad-rabbit-ransomware\/4326\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/bad-rabbit-ransomware\/11663\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/bad-rabbit-ransomware\/9747\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/bad-rabbit-ransomware\/5456\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/bad-rabbit-ransomware\/13106\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/bad-rabbit-ransomware\/11993\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/bad-rabbit-ransomware\/11628\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bad-rabbit-ransomware\/14652\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bad-rabbit-ransomware\/14391\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bad-rabbit-ransomware\/19072\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bad-rabbit-ransomware\/19887\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/bad-rabbit-ransomware\/9696\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/bad-rabbit-ransomware\/8396\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/bad-rabbit-ransomware\/15081\/"}
,{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/bad-rabbit-ransomware\/18518\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bad-rabbit-ransomware\/18986\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bad-rabbit-ransomware\/18974\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/fidye-yazilimi\/","name":"Fidye Yaz\u0131l\u0131m\u0131"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=4326"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4326\/revisions"}],"predecessor-version":[{"id":7016,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4326\/revisions\/7016"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/4327"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=4326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=4326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=4326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}