The threat actors behind the Bad Rabbit ransomware campaign compromised some of the websites used to spread the malware as far back as a year ago, according to new research.
RiskIQ revealed in an update that it has been analyzing records of the “injection servers” used to insert malicious content into the compromised websites.
These show some of the sites compromised to display the fake Adobe Flash updates were hit as far back as early September 2016.
The vendor admitted this isn’t an exhaustive list, so there could be compromises dating even further back.
It said:
“The operators of this campaign have been able to use this position to target unique visitors based on IP space they associate with their targets. The thing we do not understand at this point is why they decided to burn this information position to mass distribute the BadRabbit ransomware rather than save it for another type of malware.”
In fact, the infrastructure could have been originally intended to distribute malware other than Bad Rabbit, RiskIQ claimed.
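The selective delivery RiskIQ describes, where an injection server adds content only for visitors whose IP space matches a target profile, means a compromised site looks clean from most vantage points. One defensive check is to capture the same page from two different network positions and diff the script sources each capture loads. The following is an added example written for this article, not code from RiskIQ or any vendor mentioned here; the two HTML captures, the site hostname `news.example` and the injection host `injection-server.example` are constructed placeholders.

```python
"""Diff the <script src> references of two captures of one page taken
from different client vantage points. An injection server that keys
on the visitor's IP space produces exactly this kind of divergence:
one capture carries a third-party script the other does not."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def script_sources(html):
    """Return the list of script src values found in the HTML text."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def third_party_hosts(sources, site_host):
    """Return the set of hostnames in `sources` that are not the site itself.
    Relative paths have no hostname and are treated as first-party."""
    hosts = set()
    for src in sources:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def divergent_scripts(capture_a, capture_b, site_host):
    """Compare two captures of the same page and report scripts present in
    only one of them, plus the third-party hosts behind those extras."""
    a = set(script_sources(capture_a))
    b = set(script_sources(capture_b))
    return {
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
        "third_party_only_in_b": sorted(third_party_hosts(b - a, site_host)),
    }


# Constructed sample captures (not real site content). The second capture
# represents the page as served to a visitor inside a targeted IP range.
CAPTURE_CLEAN = """<html><head>
<script src="/static/app.js"></script>
<script src="https://news.example/js/analytics.js"></script>
</head><body><p>Front page</p></body></html>"""

CAPTURE_INJECTED = """<html><head>
<script src="/static/app.js"></script>
<script src="https://news.example/js/analytics.js"></script>
<script src="https://injection-server.example/flash_update.js"></script>
</head><body><p>Front page</p></body></html>"""

if __name__ == "__main__":
    report = divergent_scripts(CAPTURE_CLEAN, CAPTURE_INJECTED, "news.example")
    for key, values in report.items():
        print(f"{key}: {values}")
```

In practice the two captures would come from, say, a corporate egress address and an unrelated cloud host; a script source that appears only from one position, and points at a host the site does not own, is the signal worth escalating.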
The evidence backs up other pieces of information that are gradually seeping out from the vendor community.
Although the identity and motivations of the group behind the ransomware are unknown, Bad Rabbit is said to share 67% of its code with NotPetya, the infamous ransomware which caused widespread damage in Ukraine and beyond back in June.
It appears as if most of the servers used to serve up Bad Rabbit have been swiftly shut down, following widespread media reports of infections this week.
In fact, most of the infections took place in Russia in the two hours after it first appeared on October 24, according to Symantec.
It’s unclear whether the gang behind Bad Rabbit shut down this infrastructure or if a hosting company spotted what was going on.
As for attribution, the vast majority (86%) of victims were located in Russia, which would make it unlikely that a Kremlin-affiliated group is behind it, unless these were not the intended targets.