When news broke of the third major ransomware outbreak of the year, there was lots of confusion. Now the dust has settled, we can dig down into what exactly “Bad Rabbit” is.
As per the media reports, many computers have been encrypted with this cyber-attack. Public sources have confirmed that Kiev Metro’s computer systems along with Odessa airport as well as other numerous organizations from Russia have been affected. The malware used for this cyber-attack was “Disk Coder.D” – a new variant of the ransomware which popularly ran by the name of “Petya”. The previous cyber-attack by Disk Coder left damages on a global scale in June 2017.
ESET’s telemetry system has reported numerous occurrences of Disk Coder. D within Russia and Ukraine however, there are detections of this cyber-attack on computers from Turkey, Bulgaria and a few other countries as well.
A comprehensive analysis of this malware is currently being worked upon by ESET’s security researchers. As per their preliminary findings, Disk Coder. D uses the Mimikatz tool to extract the credentials from affected systems. Their findings and analysis are ongoing, and we will keep you informed as soon as further details are revealed.
The ESET telemetry system also informs that Ukraine accounts only for 12.2% from the total number of times they saw Bad Rabbit infiltration. Following are the remaining statistics:
The distribution of countries was compromised by Bad Rabbit accordingly. Interestingly, all these countries were hit at the same time. It is quite likely that the group already had their foot inside the network of the affected organizations.
It’s definitely ransomware
Those unfortunate enough to fall victim to the attack quickly realized what had happened because the ransomware isn’t subtle – it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”. Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the payment for decrypting files is 0.05 bitcoin – around $285. Those who don’t pay the ransom before the timer reaches zero are told the fee will go up and they’ll have to pay more. The encryption uses DiskCryptor, which is open source legitimate and software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.
It’s based on Petya/Not Petya
If the ransom note looks familiar, that’s because it’s almost identical to the one victims of June’s Petya outbreak saw. The similarities aren’t just cosmetic either – Bad Rabbit shares behind-the-scenes elements with Petya too.
Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.
The attack has hit high profile organizations in Russia and Eastern Europe
Researchers have found a long list of countries of have fallen victim to the outbreak – including Russia, Ukraine, Germany, Turkey, Poland and South Korea. Three media organizations in Russia, as well as Russian news agency Interfax, have all declared file-encrypting malware or “hacker attacks” – being brought offline by the campaign. Other high-profile organizations in the affected regions include Odessa International Airport and Kiev Metro. This has led the Computer Emergency Response of Ukraine to post that the “possible start of a new wave of cyber-attacks to Ukraine’s information resources” had occurred.
It may have had selected targets
When WannaCry broke, systems all across the world were affected by an apparent indiscriminate attack. Bad Rabbit, on the other hand, might have targeted corporate networks.
Researchers at ESET have backed this idea up, claiming that the script injected into infected websites can determine if the visitor is of interest and then add the contents page – if the target is seen as suitable for the infection.
It spreads via a fake Flash update on compromised websites
It can spread laterally across networks
Like Petya, the Bad Rabbit Ransomware attack contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction.
The spread of Bad Rabbit is made easy by simple username and password combinations which it can exploit to force its way across networks. This list of weak passwords is the often-seen easy-to-guess passwords – such as 12345 combinations or having a password set as “password”.
It doesn’t use EternalBlue
When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn’t appear to be the case. “We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection,” Martin Lee, Technical Lead for Security Research at Talos told ZDNet.
It contains Game of Thrones references
Whoever it behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.
There’s steps you can take to keep safe
At this moment in time, nobody knows if it is yet possible to decrypt files that are locked by Bad Rabbit. Some might suggest to pay the ransom and see what happens… Bad idea.
It’s quite reasonable to think that paying nearly $300 is worth paying for what might be highly important and priceless files, but paying the ransom almost never results in regaining access, nor does it help the fight against ransomware – an attacker will keep targeting as long as they’re seeing returns.
A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of file ‘c: windows infpub.dat, C: Windows cscc.dat.’ in order to prevent infection.