Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/24/2017
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Bad Rabbit' Ransomware Attacks Rock Russia, Ukraine - and Beyond

Attack employs new version of infamous NotPetya ransomware used in June attacks on Ukraine targets.

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.

Among the most high-profile targets thus far are major news outlets such as Russia's Interfax Agency, and Ukraine's Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

US-CERT said today that is has received "multiple reports" of Bad Rabbit infections from "many countries," and says victims should not pay the ransom because it doesn't guarantee the attackers will release the hijacked, locked-down data.

Ukraine was on alert for the attacks, as its Security Service and CERT earlier this month had warned of a possible large cyberattack akin to NotPetya to occur in conjuction with its Defender of Ukraine Day holiday.

Details about the attacks are trickling in as researchers drill down on the malware and its attack vectors, but researchers at ESET say the malware used in the Kiev Metro attack is Diskcoder.D, a new variant of the infamous Petya. The most recent version of Diskcoder was used in a ransomware campaign that spread around the world in June.

Researchers at Kaspersky Lab say the dispci.exe file found in the malware seems to originate from the code base of open-source encryption tool DiskCryptor, a legitimate tool for encrypting disk and system partitions. "It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine," Kaspersky researchers Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote in a blog post today.

They also noticed the attackers appear to be fans of "Game of Thrones," based on code strings that include names of characters from the popular book and HBO series.

Although Bad Rabbit is a relatively widespread ransomware campaign, don't expect it to be another WannaCry. Robert Lipovsky, senior malware researcher with security vendor ESET, which has been studying the attacks, says the ransomware campaign won't likely spread like WannaCry did.

"Considering the infection capabilities we discovered in the samples, spreading outside Ukraine is theoretically possible but much less likely than in the June NotPetya case, due to the lack of EternalBlue spreading mechanism," he says, referring to the SMB-worm style attack used in WannaCry to spread like wildfire around the globe.

Instead, Bad Rabbit employs hardcoded stolen credentials via SMB, first by remotely stealing passwords from infected machines via the Mimikatz password-extraction tool, and using a username/password list that's hardcoded in the binary code.

There's also a phony Adobe Flash Player connection: a dropper of Diskcoder.D that poses as a Flash Player installer. ESET spotted that on major news websites in Russia and Ukraine, Lipovsky notes. "While this may very well be an infection vector, it is doubtful that this was the main infection vector … and quite possibly a smokescreen."

Bad Rabbit ransom message
Source: ESET

Bad Rabbit ransom message

Source: ESET

Researchers at Kaspersky say their telemetry shows a drive-by attack is the initial attack vector, and it's a targeted attack campaign. "Our observations suggest that this been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack," they say, referring to the June attacks.

"The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure," according to Kaspersky. "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer."

Adam Meyers, vice president of intelligence at CrowdStrike, says Bad Rabbit appears to have been served up via the argumentiru.com website, a Russian and Eastern European news and celebrity gossip site. "CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017," Meyers said in statement.

CrowdStrike also found more proof of a link to the NotPetya attackers: Bad Rabbit and NotPetya DLLs "share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks," Meyers said in a tweet late today.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/30/2017 | 7:39:38 AM
Re: The person behind
Group IB out of Russia says it's "highly likely" the attackers behind Bad Rabbit are the same ones who launched NotPetya in June of 2017 against Ukraine energy, financial, and telecommunciations organizations.
Mr Phen375
50%
50%
Mr Phen375,
User Rank: Apprentice
10/28/2017 | 1:52:47 AM
The person behind
Anyone knows who is behind "Bad Rabbit" Ransomware?
jtemme
100%
0%
jtemme,
User Rank: Strategist
10/27/2017 | 3:30:52 PM
Re: Bad Rabbit Ransomware
Nice share!
jtemme
50%
50%
jtemme,
User Rank: Strategist
10/27/2017 | 3:20:25 PM
Re: Backup and Restore Protocols ONCE AGAIN
Right, the person I was replying to has deleted their posts so my reply may seem out of context but your comments about isolating systems is on piont, as well as your mention of prevention so the down time doesn't occur is the first place.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/27/2017 | 1:27:53 PM
Re: Adobe Flash installer?
Flash just won't die. =/
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:16:46 PM
Adobe Flash installer?
 

"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer."

Does anybody still install Adobe Flash installer? I though it is already dead. I guess will see it for a while.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:15:00 PM
Re: Bad Rabbit Ransomware
"Bad Rabbit Ransomware"

As like the others, ransomware players think that this is a very lucrative job, so it will never stop.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:13:35 PM
Re: Backup and Restore Protocols ONCE AGAIN
"length of time this could cause widespread travel delays and numerous other problems"

I agree, that is one of the reasons is prevention strategies rather than recovery methods after the attack has to be focus.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:11:40 PM
Re: Backup and Restore Protocols ONCE AGAIN
"Backup and Restore Protocols "
I think backup and restores is less likely a solution here, it needs to be isolated systems to avoid troubles after ransomware attack. To prevent it , that is another game.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:08:08 PM
Kaspersky
Obviously Kaspersky is in the new lately a lot. They may be in a real trouble now.
Page 1 / 2   >   >>
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...