The Rabid Ransomware Bunnies Behind #BadRabbit

After the drama caused by WannaCry and NotPetya earlier this year, was there ever any doubt that a fresh ransomware campaign would emerge at some point? The answer came in the form of 'Bad Rabbit', which reportedly shared code with the NotPetya variant but, according to Kaspersky, belonged to a previously unknown ransomware family.

According to Group-IB, Bad Rabbit was spread via web traffic from compromised media sites, where visitors were encouraged to download a rogue Flash update.

Kaspersky said that the ransomware was distributed when the target visited the threat actor’s infrastructure. “No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer,” Kaspersky said.

As for who was affected, Malwarebytes Labs said that there were initial impacts in Russia, Ukraine, Turkey, Bulgaria, and Germany, with attacks centred on targets as wide-ranging as infrastructure, transportation, and media outlets. So far there have been only two payments to one of the Bitcoin wallets earning the attackers around $500, suggesting that this is not as fruitful as other campaigns.

Is this a ransomware campaign too far, and has the security community seen enough to realize that this is nothing new? Also, have the general public heard enough about this that the national press are no longer interested unless a major institution faces downtime? Infosecurity gauged some views from industry figures on the capabilities and impact of this new variant.

Adam Meyers, VP of Intelligence, CrowdStrike:
“To date, CrowdStrike Intelligence has found that Bad Rabbit and NotPetya DLL (Dynamic Link Library) share 67% of the same code, giving us reason to believe the same actor is likely behind both attacks. Bad Rabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics.

“CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a strategic web compromise attack on 24 October 2017.”

Patrice Puichard, senior director EMEA, SentinelOne:
“From our analysis, ‘Bad Rabbit’ was a new and unknown ransomware as of yesterday, but contains code from Petya ransomware. The dropper is downloaded by users when they visit infected websites and appears as a Flash Player installer (install_flash_player.exe). Once executed, it behaves like a traditional ransomware, encrypting files and asking for a ransom to decrypt them. It is also modifying the boot loader like Petya/NotPetya.

“The ransomware started in Russia and Ukraine: according to ESET, 65% of the victims are from Russia and 12.2% in Ukraine, and it has targeted countries in Eastern Europe, Turkey and Japan. As Russia was the origin of the attack, by the time it takes to reach the US it’s a known and blocked attack by signature-based anti-virus, as well as already having been detected by solutions which are not signature-dependent.”

Andrew Clarke, EMEA director, One Identity:
“Source code analysis contains references to Game of Thrones dragon characters, Drogon, Rhaegal and Viserion. Bugs in file encryption have now been fixed and it uses DiskCryptor, an open source legitimate software used to do full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key. A powerful upgrade is now being unleashed, with organizations in Russia, Ukraine, Bulgaria and Turkey at the top of the hit list. This time a fake “flash” update appears to be implicated, but it seems that, as the organizations were hit around the same time, the attackers likely had a foot in their network already.

“Once hit, their data gets encrypted and for a bitcoin fee of 0.05 (approximately $280) the affected company has the chance to acquire the decryption keys, but only before a countdown of 41 hours expires. Despite industry warnings issued after the Petya and NotPetya outbreaks earlier this year, this variant, which spreads laterally using SMB shares, could be blocked by denying this communication channel [ports 137, 138, 139 and 445] on their firewalls.”

Matthias Maier, security evangelist, Splunk:
“It appears that Bad Rabbit creates three new scheduled tasks on a system, including a forced restart. By searching for this specific occurrence in monitored log data from endpoints, an organization will be able to identify patient zero earlier, and act to isolate the impact.

“The current situation with Bad Rabbit is once more a reminder of how important it has become for organizations in the digital age to have a skilled security team on standby, with the right technology in place to access the right information and take the right decisions quickly to avoid any business impact. A robust security strategy has become a competitive advantage.”
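The detection idea above (a burst of new scheduled tasks on one endpoint, one of them a forced restart, then ranking flagged hosts by time to find patient zero) can be expressed as a small log search. This is an added example, not Splunk's or the author's code; the log line format, host names and task names are constructed and assumed, not real Bad Rabbit telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint log (assumed format): <ISO ts> host=<h> event=<e> task=<t> cmd="<command line>"
SAMPLE_LOG = """\
2017-10-24T10:01:05 host=WS-017 event=task_created task=nightly_backup cmd="C:\\tools\\backup.exe"
2017-10-24T10:02:11 host=WS-042 event=task_created task=taskA cmd="C:\\Windows\\system32\\cmd.exe /c placeholder"
2017-10-24T10:02:13 host=WS-042 event=task_created task=taskB cmd="C:\\Windows\\system32\\shutdown.exe /r /t 0 /f"
2017-10-24T10:02:14 host=WS-042 event=task_created task=taskC cmd="C:\\Windows\\system32\\rundll32.exe placeholder.dll"
2017-10-24T10:20:40 host=WS-099 event=task_created task=taskA cmd="C:\\Windows\\system32\\cmd.exe /c placeholder"
2017-10-24T10:20:41 host=WS-099 event=task_created task=taskB cmd="C:\\Windows\\system32\\shutdown.exe /r /t 0 /f"
2017-10-24T10:20:43 host=WS-099 event=task_created task=taskC cmd="C:\\Windows\\system32\\rundll32.exe placeholder.dll"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) '
                     r'task=(?P<task>\S+) cmd="(?P<cmd>[^"]*)"$')
# A task whose command line is a restart request (shutdown /r or -r).
RESTART_RE = re.compile(r'shutdown(?:\.exe)?\b.*?[/-]r\b', re.IGNORECASE)


def parse_events(log):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def find_task_bursts(log, window=timedelta(minutes=5), min_tasks=3):
    """Return {host: (burst_start, [task names])} for hosts that created at least
    min_tasks scheduled tasks within `window`, one of which forces a restart."""
    by_host = defaultdict(list)
    for ev in parse_events(log):
        if ev["event"] == "task_created":
            by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= min_tasks and any(RESTART_RE.search(e["cmd"]) for e in burst):
                hits[host] = (first["ts"], [e["task"] for e in burst])
                break  # keep only the earliest qualifying burst per host
    return hits


def patient_zero(hits):
    """Host whose suspicious burst started first, or None if nothing was flagged."""
    return min(hits, key=lambda h: hits[h][0]) if hits else None
```

The window and task-count thresholds are deliberately parameters: tune them against your own baseline of legitimate task creation before alerting on them.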

Amichai Shulman, CTO, Imperva:
“At the end of the day, all ransomware is basically the same. Hackers, via the ransomware malware, are making files unavailable to users and as a consequence disrupt the operations. As long as the infection and effect of ransomware are constrained to endpoints, the damage to organizations should be minimal.

“Some might say: why, after WannaCry and NotPetya, are systems still unpatched? The issue of patching is irrelevant when looking at a potentially self-replicating malware like Bad Rabbit, because in any large network there will be some unpatched devices. By protecting file servers (e.g. deploying File Firewall solutions) rather than focusing on endpoints, organizations can minimize the effect of such an incident and avoid disruption to business.”

Nick Pollard, director, security & intelligence, Nuix:
“What’s needed is a fresh approach in this escalating arms race. We need to place on each and every endpoint a means to prevent self-harm and block a user’s attempt (though very often inadvertent) to infect the machine and, by extension, the rest of the network. Relying on rapidly-outdated anti-virus definitions and operating system patches simply isn’t enough. Furthermore, we have to address the gap that exists between these traditional, and still necessary, defenses.

“The only way to win the cybersecurity war is to prevent the attack from happening in the first place. Organizations must change their security posture. Prevention needs to be at the forefront of any ransomware strategy. Since the endpoint is ground-zero for ransomware attacks, what organizations need is the ability to detect and put a stop to malicious behavior as early as possible in the kill chain.”
