Bad Rabbit Linked to ExPetr/Not Petya Attacks

Researchers have linked the Bad Rabbit ransomware attack to this summer’s ExPetr/Not Petya outbreak.

A link has been confirmed between the Bad Rabbit ransomware outbreak detected yesterday in major organizations in Russia and Ukraine and this summer’s ExPetr/Not Petya attacks.

Researchers at Kaspersky Lab said there are “clear ties” between the two attacks though one major piece of the puzzle is missing with Bad Rabbit.

Like WannaCry before it, one of ExPetr’s propagation methods was the leaked NSA exploit EternalBlue, which triggered a SMBv1 vulnerability patched by Microsoft early this year and allowed it to worm out to the internet.

Kaspersky Lab researchers said they have found no evidence of EternalBlue—or EternalRomance, another NSA-developed attack that was publicly disclosed by the ShadowBrokers and used in the ExPetr attacks—in yesterday’s attack.

“The hashing algorithm used in the Bad Rabbit attack is similar to the one used by ExPetr. Further, experts have found that both attacks use the same domains; and similarities in the respective source codes indicate that the new attack is linked to the creators of ExPetr,” Kaspersky Lab said in a statement. “Like ExPetr, Bad Rabbit tries to grab credentials from the system memory and spread within the corporate network by WMIC. However, researchers have found neither EternalBlue nor EternalRomance exploits in the Bad Rabbit attack; both of them were used in ExPetr.”

Researchers said that the seeds for the Bad Rabbit attacks were sewn in July beginning with the compromise of a number of high-profile sites, including news organizations in Russia such as Interfax.

A tweet, below, from Kaspersky Lab Global Research and Analysis Team director Costin Raiu shows a number of media and government sites not only in Russia and Ukraine, but also Turkey, Germany and the U.S., were compromised—some 200 targets in all—and serving up the malware.

“All of the attacks took place on October 24, and no new attacks have been detected since then,” Kaspersky Lab said. “Researchers note that once the infection became more widespread and security companies started to investigate, the attackers immediately removed the malicious code they had added to the hacked websites.”

The malware was spreading primarily through drive-by downloads where the compromised sites were serving up a phony Flash Player installer that executes a dropper on the compromised machine that reaches out to the attacker’s domain for the rest of the attack. No exploits were used in the attack and the malware relied on user action to trigger the executable and to grant it excessive permissions through a Windows UAC prompt.

While ExPetr was wiper malware in the guise of a ransomware attack, Bad Rabbit installs a malicious executable called dispci.exe which is derived from the free and open source disk encryption software called DiskCryptor.

“It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine,” Kaspersky Lab said on Tuesday.

Victims see a ransom note very similar to the ExPetr and Petya ransom notes. The attackers are demanding 0.05 Bitcoin or $276 USD at today’s exchange rate in exchange for the decryption key that will unlock their hard drives.

Each victim is assigned a unique payment wallet, simplifying the process for recovery for victims and profit for the attackers.

It also appears the malware attempts to use open SMB shares to spread internally on networks, but does not have the worming capabilities of its predecessors to spread to other machines on the internet.

Suggested articles

Discussion

  • Tony Butt on

    So, BadRabbit was released, they watched it spread for a day, and it doesn't use annything novel in terms of worm capability. This looks like another test, to see how the 'delivery system' performs, and how quickly the payload can be delivered to how many targets. This smells like a cyber weapons test, and we should all be worried about what will happen when the real payload is loaded.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.