A new ransomware campaign has hit a number of high profile targets in Russia and Eastern Europe.
Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, and the way in which organisations appear to have been hit simultaneously immediately drew comparisons to this year’s WannaCry and Petya epidemics.
Following the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now the initial panic has died down, however, it’s possible to dig down into what exactly is going on.
1. The cyber-attack has hit organisations across Russia and Eastern Europe
Organisations across Russian and Ukraine — as well as a small number in Germany, and Turkey — have fallen victim to the ransomware. Researchers at Avast say they’ve also detected the malware in Poland and South Korea.
Russian cybersecurity company Group-IB confirmed at least three media organisations in the country have been hit by file-encrypting malware, while at the same time Russian news agency Interfax said its systems have been affected by a “hacker attack” — and were seemingly knocked offline by the incident.
Other organisations in the region including Odessa International Airport and the Kiev Metro also made statements about falling victim to a cyber-attack, while CERT-UA, the Computer Emergency Response Team of Ukraine, also posted that the “possible start of a new wave of cyberattacks to Ukraine’s information resources” had occurred, as reports of Bad Rabbit infections started to come in.
At the time of writing, it’s thought there are almost 200 infected targets and indicating that this isn’t an attack like WannaCry or Petya was — but it’s still causing problems for infected organisations.
“The total prevalence of known samples is quite low compared to the other “common” strains,” said Jakub Kroustek, a malware analyst at Avast.
2. It’s definitely ransomware
Those unfortunate enough to fall victim to the attack quickly realised what had happened because the ransomware isn’t subtle — it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”.
Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the payment for decrypting files is 0.05 bitcoin — around $285. Those who don’t pay the ransom before the timer reaches zero are told the fee will go up and they’ll have to pay more.
The encryption uses DiskCryptor, which is open source legitimate and software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hard-coded RSA 2048 public key.
3. It’s based on Petya/Not Petya
If the ransom note looks familiar, that’s because it’s almost identical to the one victims of June’s Petya outbreak saw. The similarities aren’t just cosmetic either — Bad Rabbit shares behind-the-scenes elements with Petya too.
Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.
4. It spreads via a fake Flash update on compromised websites
The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites — some of which have been compromised since June — are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.
5. It can spread laterally across networks…
Much like Petya, Bad Rabbit comes with a potent trick up its sleeve in that it contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction, say researchers at Cisco Talos.
What aids Bad Rabbit’s ability to spread is a list of simple username and password combinations which it can exploit to brute-force its way across networks. The weak passwords list consists of a number of the usual suspects for weak passwords such as simple number combinations and ‘password’.
6. It doesn’t use EternalBlue
When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn’t appear to be the case.
“We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection,” Martin Lee, Technical Lead for Security Research at Talos told ZDNet.
7. It may not be indiscriminate
At the same point following the WannaCry outbreak, hundreds of thousands of systems around the world had fallen victim to ransomware. However, Bad Rabbit doesn’t appear to indiscriminately infect targets, rather researchers have suggested that it only infects selected targets.
“Our observations suggest that this been a targeted attack against corporate networks,” said Kaspersky Lab researchers.
Meanwhile, researchers at ESET say instructions in the script injected into infected websites “can determine if the visitor is of interest and then add content to the page” if the target is deemed suitable for infection.
However, at this stage, there’s no obvious reason why media organisations and infrastructure in Russia and Ukraine has been specifically targeted in this attack.
8. It isn’t clear who is behind it
At this time, it’s still unknown who is distributing the ransomware or why, but the similarity to Petya has led some researchers to suggest that Bad Rabbit is by the same attack group — although that doesn’t help identify the attacker or the motive either, because the perpetrator of June’s epidemic has never been identified.
What marks this attack out is how it has primarily infected Russia – Eastern Europe cybercriminal organisations tend to avoid attacking the ‘motherland’, indicating this unlikely to be a Russian group.
9. It contains Game of Thrones references
Whoever it behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Dragon, and Rhaegal, the dragons which feature in television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.
10. You can protect yourself against becoming infected by it
At this stage, it’s unknown if it’s possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom – although researchers say that those who fall victim shouldn’t pay the fee, as it will only encourage the growth of ransomware.
A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of file ‘c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.’ in order to prevent infection.