Attacks/Breaches

10/24/2017
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Bad Rabbit' Ransomware Attacks Rock Russia, Ukraine - and Beyond

Attack employs new version of infamous NotPetya ransomware used in June attacks on Ukraine targets.

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.

Among the most high-profile targets thus far are major news outlets such as Russia's Interfax Agency, and Ukraine's Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

US-CERT said today that is has received "multiple reports" of Bad Rabbit infections from "many countries," and says victims should not pay the ransom because it doesn't guarantee the attackers will release the hijacked, locked-down data.

Ukraine was on alert for the attacks, as its Security Service and CERT earlier this month had warned of a possible large cyberattack akin to NotPetya to occur in conjuction with its Defender of Ukraine Day holiday.

Details about the attacks are trickling in as researchers drill down on the malware and its attack vectors, but researchers at ESET say the malware used in the Kiev Metro attack is Diskcoder.D, a new variant of the infamous Petya. The most recent version of Diskcoder was used in a ransomware campaign that spread around the world in June.

Researchers at Kaspersky Lab say the dispci.exe file found in the malware seems to originate from the code base of open-source encryption tool DiskCryptor, a legitimate tool for encrypting disk and system partitions. "It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine," Kaspersky researchers Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote in a blog post today.

They also noticed the attackers appear to be fans of "Game of Thrones," based on code strings that include names of characters from the popular book and HBO series.

Although Bad Rabbit is a relatively widespread ransomware campaign, don't expect it to be another WannaCry. Robert Lipovsky, senior malware researcher with security vendor ESET, which has been studying the attacks, says the ransomware campaign won't likely spread like WannaCry did.

"Considering the infection capabilities we discovered in the samples, spreading outside Ukraine is theoretically possible but much less likely than in the June NotPetya case, due to the lack of EternalBlue spreading mechanism," he says, referring to the SMB-worm style attack used in WannaCry to spread like wildfire around the globe.

Instead, Bad Rabbit employs hardcoded stolen credentials via SMB, first by remotely stealing passwords from infected machines via the Mimikatz password-extraction tool, and using a username/password list that's hardcoded in the binary code.

There's also a phony Adobe Flash Player connection: a dropper of Diskcoder.D that poses as a Flash Player installer. ESET spotted that on major news websites in Russia and Ukraine, Lipovsky notes. "While this may very well be an infection vector, it is doubtful that this was the main infection vector … and quite possibly a smokescreen."

Bad Rabbit ransom message
Source: ESET

Bad Rabbit ransom message

Source: ESET

Researchers at Kaspersky say their telemetry shows a drive-by attack is the initial attack vector, and it's a targeted attack campaign. "Our observations suggest that this been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack," they say, referring to the June attacks.

"The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure," according to Kaspersky. "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer."

Adam Meyers, vice president of intelligence at CrowdStrike, says Bad Rabbit appears to have been served up via the argumentiru.com website, a Russian and Eastern European news and celebrity gossip site. "CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017," Meyers said in statement.

CrowdStrike also found more proof of a link to the NotPetya attackers: Bad Rabbit and NotPetya DLLs "share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks," Meyers said in a tweet late today.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/30/2017 | 7:39:38 AM
Re: The person behind
Group IB out of Russia says it's "highly likely" the attackers behind Bad Rabbit are the same ones who launched NotPetya in June of 2017 against Ukraine energy, financial, and telecommunciations organizations.
Mr Phen375
50%
50%
Mr Phen375,
User Rank: Apprentice
10/28/2017 | 1:52:47 AM
The person behind
Anyone knows who is behind "Bad Rabbit" Ransomware?
jtemme
100%
0%
jtemme,
User Rank: Strategist
10/27/2017 | 3:30:52 PM
Re: Bad Rabbit Ransomware
Nice share!
jtemme
50%
50%
jtemme,
User Rank: Strategist
10/27/2017 | 3:20:25 PM
Re: Backup and Restore Protocols ONCE AGAIN
Right, the person I was replying to has deleted their posts so my reply may seem out of context but your comments about isolating systems is on piont, as well as your mention of prevention so the down time doesn't occur is the first place.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/27/2017 | 1:27:53 PM
Re: Adobe Flash installer?
Flash just won't die. =/
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:16:46 PM
Adobe Flash installer?
 

"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer."

Does anybody still install Adobe Flash installer? I though it is already dead. I guess will see it for a while.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:15:00 PM
Re: Bad Rabbit Ransomware
"Bad Rabbit Ransomware"

As like the others, ransomware players think that this is a very lucrative job, so it will never stop.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:13:35 PM
Re: Backup and Restore Protocols ONCE AGAIN
"length of time this could cause widespread travel delays and numerous other problems"

I agree, that is one of the reasons is prevention strategies rather than recovery methods after the attack has to be focus.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:11:40 PM
Re: Backup and Restore Protocols ONCE AGAIN
"Backup and Restore Protocols "
I think backup and restores is less likely a solution here, it needs to be isolated systems to avoid troubles after ransomware attack. To prevent it , that is another game.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:08:08 PM
Kaspersky
Obviously Kaspersky is in the new lately a lot. They may be in a real trouble now.
Page 1 / 2   >   >>
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.