Bad Rabbit Ransomware, New Variant of NotPetya, Is Spreading
Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.
According to the Russian News Agency TASS, Bad Rabbit ransomware attacked the Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily attacked Russia (86%), followed by Japan (3%), Bulgaria (2%), Ukraine (1%), the US (1%) and all other countries (7%).
NotPetya versus Bad Rabbit
NotPetya is malicious software (malware) that was released into the wild in June of this year. It wreaked havoc on thousands of computers worldwide, including in Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications and FedEx are some of the victims of NotPetya.
Similar to NotPetya, users of computers infected by Bad Rabbit received a notice that their files were encrypted. Both pieces of malware have the same style of ransom note, telling victims to pay a certain amount to regain access to their files. Both are worms, which means that they have the ability to self-propagate: to reproduce themselves by infecting other computers in the network.
One stark difference between NotPetya and Bad Rabbit is the use of self-propagation tools. While NotPetya self-propagates using EternalBlue and EternalRomance, Bad Rabbit self-propagates by only using EternalRomance.
EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools they’ve released were used by the National Security Agency (NSA) to exploit vulnerabilities in the Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017, fixing the vulnerabilities exposed by Shadow Brokers.
The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to generate money from victims. None of the victims of NotPetya were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it’s not a wiper, as the encrypted files can be recovered if the key is known.
How Bad Rabbit Works
Bad Rabbit infects victims’ computers in the following manner:
The first contact of victims of Bad Rabbit is via watering holes – legitimate websites that are altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.
Once a victim visits one of these compromised sites, Bad Rabbit malware is dropped or downloaded into the victim's computer as a fake software update to Adobe Flash Player.
Bad Rabbit malware masquerading as an update to Flash Player enters the victim’s computer by employing social engineering – convincing the victim that there’s a need to update his or her Flash Player. In the middle of the computer screen, a popup shows up asking the user to download an update for Flash Player.
Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops five open-sourced tools described below onto the victim’s computer. According to Symantec, the download originates from a particular domain. It’s possible, though, that victims may have been redirected there from another compromised site, Symantec said.
Mimikatz is an open-sourced tool used for changing privileges and recovering Windows passwords in plaintext.
In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords in attempting to guess Windows passwords.
ReactOS is an open-sourced tool that’s used as an alternative to the Windows operating system. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.
DiskCryptor is an open-sourced tool that’s used to perform encryption. After individual files in the victim’s computer are encrypted, Bad Rabbit will then conduct a full disk encryption. Once the system is restarted, a ransom note is displayed, demanding a ransom amounting to 0.05 Bitcoin (US$280).
Bad Rabbit spreads to other vulnerable computers in the network by using EternalRomance, an exploit that bypasses security over Server Message Block (SMB), the transport protocol that computers running the Windows operating system use for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.
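A worm that spreads over SMB shows up on the network as one host opening connections to many peers on TCP port 445 in a short time. The sketch below is an added example, not code from Symantec or from this article; the flow-record format, the 60-second window and the five-host threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (not real telemetry): "ISO-timestamp src dst dport"
SAMPLE_FLOWS = """\
2017-10-24T10:00:01 10.0.0.5 10.0.0.10 445
2017-10-24T10:00:02 10.0.0.5 10.0.0.11 445
2017-10-24T10:00:03 10.0.0.5 10.0.0.12 445
2017-10-24T10:00:04 10.0.0.5 10.0.0.13 445
2017-10-24T10:00:05 10.0.0.5 10.0.0.14 445
2017-10-24T10:00:06 10.0.0.7 10.0.0.20 445
2017-10-24T10:00:30 10.0.0.7 10.0.0.20 445
2017-10-24T10:05:00 10.0.0.7 10.0.0.21 445
2017-10-24T10:00:07 10.0.0.9 10.0.0.10 443
"""

SMB_PORT = 445

def parse_flows(text):
    """Yield (time, src, dst) for SMB flows; skip malformed or non-SMB lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit() or int(parts[3]) != SMB_PORT:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def smb_fanout(text, window_seconds=60, min_hosts=5):
    """Return {src: max distinct SMB destinations seen within the window}
    for sources that reach min_hosts (thresholds are assumptions to tune)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> (time, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst in sorted(parse_flows(text)):
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop connections older than the window
        distinct = len({d for _, d in q})
        if distinct >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src} contacted {n} hosts over SMB within 60s")
```

File servers and management hosts legitimately talk SMB to many peers, so a baseline of expected sources is needed before alerting on this.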
According to researchers at RiskIQ, long before the distribution of Bad Rabbit ransomware last October 24th, cyber attackers had already compromised the affected websites used as watering holes. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”
"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.
How to Prevent Bad Rabbit Attacks
As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This security measure, however, isn’t enough to protect you from Bad Rabbit.
Bad Rabbit self-propagates by using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has been available from Microsoft since March 17, 2017.
"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"
In an effort to keep all your software up to date, be careful, though, not to fall into the trap of fake updates.
The fake Adobe Flash Player update has long been a favorite of many cyber criminals, as they always find security vulnerabilities in this software. If an update pops up on your monitor, don’t click the button; instead, visit the official Adobe website for updates.
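The same advice can be applied to web proxy logs: a Flash-named installer fetched from anywhere other than the vendor's own domains deserves a look. This is an added example, not part of the original article; the log format, the domain allowlist and the file-extension list are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit
import posixpath

# Allowlist of vendor domains: an assumption to adjust for your environment.
OFFICIAL_DOMAINS = ("adobe.com", "macromedia.com")
INSTALLER_EXTS = (".exe", ".msi", ".dmg")

# Constructed proxy log lines (not real traffic): "timestamp client url"
SAMPLE_LOG = """\
2017-10-24T09:12:03 10.0.0.21 http://news.example.com/index.html
2017-10-24T09:12:09 10.0.0.21 http://updates.example.net/install_flash_player.exe
2017-10-24T09:13:40 10.0.0.34 https://get.adobe.com/flashplayer/install_flash_player.exe
2017-10-24T09:15:02 10.0.0.58 http://adobe.com.cdn.example.org/FlashPlayer_Update.EXE?id=7
2017-10-24T09:16:11 10.0.0.58 http://notadobe.com.example/flash/readme.txt
"""

def is_official(host, allowed=OFFICIAL_DOMAINS):
    """True only for an allowed domain or a real subdomain of it, so that
    'adobe.com.cdn.example.org' and 'notadobe.com' do not pass."""
    host = (host or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def looks_like_flash_installer(path):
    """Installer-type file whose name mentions Flash (case-insensitive)."""
    name = posixpath.basename(path).lower()
    return "flash" in name and name.endswith(INSTALLER_EXTS)

def suspicious_flash_downloads(log_text):
    """Return (client, url) pairs for Flash-named installers fetched from
    hosts outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, client, url = parts
        u = urlsplit(url)
        if looks_like_flash_installer(u.path) and not is_official(u.hostname):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in suspicious_flash_downloads(SAMPLE_LOG):
        print(f"{client} fetched possible fake Flash update: {url}")
```

The host check compares whole domain labels rather than substrings, which is what keeps lookalike hosts that merely contain the vendor's name from passing.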
Steve E. Driz, I.S.P., ITCP