Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/24/2017
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Bad Rabbit' Ransomware Attacks Rock Russia, Ukraine - and Beyond

Attack employs new version of infamous NotPetya ransomware used in June attacks on Ukraine targets.

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.

Among the most high-profile targets thus far are major news outlets such as Russia's Interfax Agency, and Ukraine's Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

US-CERT said today that is has received "multiple reports" of Bad Rabbit infections from "many countries," and says victims should not pay the ransom because it doesn't guarantee the attackers will release the hijacked, locked-down data.

Ukraine was on alert for the attacks, as its Security Service and CERT earlier this month had warned of a possible large cyberattack akin to NotPetya to occur in conjuction with its Defender of Ukraine Day holiday.

Details about the attacks are trickling in as researchers drill down on the malware and its attack vectors, but researchers at ESET say the malware used in the Kiev Metro attack is Diskcoder.D, a new variant of the infamous Petya. The most recent version of Diskcoder was used in a ransomware campaign that spread around the world in June.

Researchers at Kaspersky Lab say the dispci.exe file found in the malware seems to originate from the code base of open-source encryption tool DiskCryptor, a legitimate tool for encrypting disk and system partitions. "It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine," Kaspersky researchers Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote in a blog post today.

They also noticed the attackers appear to be fans of "Game of Thrones," based on code strings that include names of characters from the popular book and HBO series.

Although Bad Rabbit is a relatively widespread ransomware campaign, don't expect it to be another WannaCry. Robert Lipovsky, senior malware researcher with security vendor ESET, which has been studying the attacks, says the ransomware campaign won't likely spread like WannaCry did.

"Considering the infection capabilities we discovered in the samples, spreading outside Ukraine is theoretically possible but much less likely than in the June NotPetya case, due to the lack of EternalBlue spreading mechanism," he says, referring to the SMB-worm style attack used in WannaCry to spread like wildfire around the globe.

Instead, Bad Rabbit employs hardcoded stolen credentials via SMB, first by remotely stealing passwords from infected machines via the Mimikatz password-extraction tool, and using a username/password list that's hardcoded in the binary code.

There's also a phony Adobe Flash Player connection: a dropper of Diskcoder.D that poses as a Flash Player installer. ESET spotted that on major news websites in Russia and Ukraine, Lipovsky notes. "While this may very well be an infection vector, it is doubtful that this was the main infection vector … and quite possibly a smokescreen."

Bad Rabbit ransom message
Source: ESET

Bad Rabbit ransom message

Source: ESET

Researchers at Kaspersky say their telemetry shows a drive-by attack is the initial attack vector, and it's a targeted attack campaign. "Our observations suggest that this been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack," they say, referring to the June attacks.

"The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure," according to Kaspersky. "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer."

Adam Meyers, vice president of intelligence at CrowdStrike, says Bad Rabbit appears to have been served up via the argumentiru.com website, a Russian and Eastern European news and celebrity gossip site. "CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017," Meyers said in statement.

CrowdStrike also found more proof of a link to the NotPetya attackers: Bad Rabbit and NotPetya DLLs "share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks," Meyers said in a tweet late today.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/30/2017 | 7:39:38 AM
Re: The person behind
Group IB out of Russia says it's "highly likely" the attackers behind Bad Rabbit are the same ones who launched NotPetya in June of 2017 against Ukraine energy, financial, and telecommunciations organizations.
Mr Phen375
50%
50%
Mr Phen375,
User Rank: Apprentice
10/28/2017 | 1:52:47 AM
The person behind
Anyone knows who is behind "Bad Rabbit" Ransomware?
jtemme
100%
0%
jtemme,
User Rank: Strategist
10/27/2017 | 3:30:52 PM
Re: Bad Rabbit Ransomware
Nice share!
jtemme
50%
50%
jtemme,
User Rank: Strategist
10/27/2017 | 3:20:25 PM
Re: Backup and Restore Protocols ONCE AGAIN
Right, the person I was replying to has deleted their posts so my reply may seem out of context but your comments about isolating systems is on piont, as well as your mention of prevention so the down time doesn't occur is the first place.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/27/2017 | 1:27:53 PM
Re: Adobe Flash installer?
Flash just won't die. =/
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:16:46 PM
Adobe Flash installer?
 

"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer."

Does anybody still install Adobe Flash installer? I though it is already dead. I guess will see it for a while.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:15:00 PM
Re: Bad Rabbit Ransomware
"Bad Rabbit Ransomware"

As like the others, ransomware players think that this is a very lucrative job, so it will never stop.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:13:35 PM
Re: Backup and Restore Protocols ONCE AGAIN
"length of time this could cause widespread travel delays and numerous other problems"

I agree, that is one of the reasons is prevention strategies rather than recovery methods after the attack has to be focus.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:11:40 PM
Re: Backup and Restore Protocols ONCE AGAIN
"Backup and Restore Protocols "
I think backup and restores is less likely a solution here, it needs to be isolated systems to avoid troubles after ransomware attack. To prevent it , that is another game.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/27/2017 | 1:08:08 PM
Kaspersky
Obviously Kaspersky is in the new lately a lot. They may be in a real trouble now.
Page 1 / 2   >   >>
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.