Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:59 PM
Connect Directly

Bad Rabbit Dies Down But Questions Remain

The origins of the rapid-fire ransomware attack campaign affecting mainly Russian targets remain a bit of a mystery.

The Bad Rabbit ransomware attack first spotted on Tuesday that spread in a matter of hours and hit machines mostly in Russia now appears to be over.

But as investigators dig deeper into the code and the anatomy of the attacks, they still aren't sure just how malware-laden watering-hole attacks spreading the ransomware were set up, nor whether the subsequent worm-spreading infections were more about making money or mayhem.

Several research teams have concluded that Bad Rabbit shares some common code with previous ransomware variants Petya and NotPetya, but they can't be sure it's the same group or groups behind the attacks. 

"A lot of clues point it [in] the direction of the gang behind NotPetya, but further investigation is required to assess," says Marc-Ettiene Leveille, a malware researcher with ESET.

But Russian security firm Group IB said in a blog post that the code overlap "suggest a link between Bad Rabbit and Black Energy campaigns." Black Energy is the Trojan used by the Russian nation-state Sandworm attack group thought to be behind the cyberattacks on Ukraine's electrical utility, which is also believed to have waged NotPetya.

New research from RiskIQ appears to support a link to the nation-state attackers based on its tracking of the injection servers and dozens more infected websites. 

They spotted four injection servers, one dating back to September of 2016, operating on the infected websites. "The operators of this campaign have been able to use this position to target unique visitors based on IP space they associate with their targets. The thing we do not understand at this point is why they decided to burn this information position to mass distribute the BadRabbit ransomware rather than save it for another type of malware," they wrote. "The goal of the attack using ExPetya back in June was simple: cause as much disruption in the Ukraine and those associated with Ukraine as possible which also seems the case in the BadRabbit attack."

Meanwhile, what sets Bad Rabbit apart from the Petya and NotPetya ransomware attacks, however, is that it took a different path in its campaign, and didn't multiply in the same manner. "It wasn't a wiper and it's not designed to be purely destructive," says Nick Biasini, a threat researcher with Cisco's Talos team, which has studied the attacks.

While the previous two ransomware campaigns relied more on exploits and supply-chain attacks to distribute their malware surreptitiously, Bad Rabbit employed old-school password-stealing and didn't exploit any vulnerabilities on victim machines.

Source: Cisco Systems
Source: Cisco Systems

"What makes this particular strain unique is the inclusion of a hardcoded credentials list, which the malware uses to spread through [SMB local] network shares," in addition to its use of the open-source Mimikatz tool to extract passwords, Leveille says.

The ransomware attack demanded a ransom of .05 Bitcoin, or $285 and infected victims either by a watering hole attack or phishing emails rigged with malicious attachments. Most security vendor research teams initially concurred the infections came via a handful of compromised websites, including news sites and a Bulgarian travel site and a Turkish cinema site, that unknowingly served up malicious and phony Adobe Flash installers. But late today, the plot thickened as the Security Service of Ukraine said in a post on its website that the infections came via phishing emails posing as Microsoft technical support.

Bad Rabbit spread quickly and for a short period of time in an apparent attempt to do the most damage. "It was designed to move around locally. It's more about getting the most [possible] systems infected for monetary gain or otherwise," Biasini says.

The ransomware campaign hit hundreds of government, media, transportation, and other targets in 15 nations, including Russia's Interfax Agency and Fontanka, and Ukraine's Kiev Metro, its Odessa International Airport, and various ministries of infrastructure and finance.

According to data from security firm Avast, Russia was most affected, representing 71% of detections by the AV firm, followed by Ukraine, 14%, and Bulgaria, 8%.

Source: Avast
Source: Avast

Although the US-CERT yesterday said it had received "multiple reports" of Bad Rabbit infections from "many countries," ESET's Leveille says his firm has not spotted any detections of the ransomware in the US.

Fake Flash

The victim gets infected by installing a phony Adobe Flash installer that's pushed to his or her machine when visiting one of the infected websites. That's when Bad Rabbit starts to make its lateral movement in the victim's network, using a set of default weak password combinations as well as the open-source Mimikatz to steal other passwords used by the infected machine. NotPetya also used that method to spread inside a victim's network, but unlike NotPetya and the massive WannaCry ransomware campaign in May, Bad Rabbit spreads via the SMB protocol sans exploits.

Still unknown is what exploits were used to hack and inject malicious code into the watering hole websites. Researchers say they also aren't sure if victims got their data and files back if they paid the attackers' ransom.

"The dangerous aspect is the fact that it was able to infect many institutions which constitute critical infrastructure - subway, airport, as well as government institutions - in such a short timeframe, which indicates a well-coordinated attack," ESET's Leveille says.

Adding to the mystery, he says it's also possible those targets were compromised prior to the ransomware attacks this week.

RiskIQ researchers, meanwhile, say while Bad Rabbit ransomware is a new animal, the attack campaign dates back to at least 2016. "Even though the BadRabbit ransomware is brand new, we can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck and the news cycle began. In fact, the campaign could have been originally built for something other than BadRabbit," the company wrote.


Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-08
A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices may allow an attacker to cause a Denial of Service (DoS) by sending specific packets requiring special processing in microcode that the flow cache can't handle, causing the riot forwarding daemon to crash. By continuously sending ...
PUBLISHED: 2020-04-08
Juniper Networks Junos OS uses the subnet for internal communications between the RE and PFEs. It was discovered that packets utilizing these IP addresses may egress an EX4300 switch, leaking configuration information such as heartbeats, kernel versions, etc. out to the Internet, leading...
PUBLISHED: 2020-04-08
A race condition vulnerability on Juniper Network Junos OS devices may cause the routing protocol daemon (RPD) process to crash and restart while processing a BGP NOTIFICATION message. This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; ...
PUBLISHED: 2020-04-08
A privilege escalation vulnerability in Juniper Networks Junos OS devices configured with dual Routing Engines (RE), Virtual Chassis (VC) or high-availability cluster may allow a local authenticated low-privileged user with access to the shell to perform unauthorized configuration modification. This...
PUBLISHED: 2020-04-08
On High-End SRX Series devices, in specific configurations and when specific networking events or operator actions occur, an SPC receiving genuine multicast traffic may core. Subsequently, all FPCs in a chassis may reset causing a Denial of Service. This issue affects both IPv4 and IPv6. This issue ...