Less than 24 hours after BadRabbit hopped out of its black hole, the malware is still spreading, albeit slowly: US-CERT has received reports of infections, and researchers say this worm-like ransomware may have ties to Petya/NotPetya.
So far 200 targets have been hit in Russia, Ukraine, Turkey, Bulgaria and the United States with BadRabbit, a previously unknown ransomware family but one with strong ties to Petya/NotPetya. The primary delivery method does not rely on a known exploit, as Petya/NotPetya did with EternalBlue; instead it uses watering hole attacks in which a fake Flash update notification appears when a victim visits a compromised site. In many of the original instances Russian media sites were used as the watering holes.
US-CERT did not name which firms reported being hit with the malware in its alert, saying only that it had received multiple reports. The organisation did say it suspects BadRabbit is a variant of Petya/NotPetya, and that it discourages individuals and organisations from paying the ransom, as payment does not guarantee that access will be restored.
US-CERT is not the only organisation drawing comparisons between BadRabbit and Petya/NotPetya. The evidence starts with its ability to move laterally through a network, but other similarities exist, ranging from shared tactics to more obvious clues such as a lock screen that resembles the earlier malware's.
These have helped fuel the ongoing argument over where BadRabbit stands in relation to Petya/NotPetya.
Vyacheslav Zakorzhevsky, head of the anti-malware research team at Kaspersky Lab, told SC Media he sees clear ties between the two malware types and he believes the latest attackers have been preparing for this launch since July 2017.
“The hashing algorithm used in the Bad Rabbit attack is similar to the one used by ExPetr. Further, experts have found that both attacks use the same domains; and similarities in the respective source codes indicate that the new attack is linked to the creators of ExPetr. Like ExPetr, Bad Rabbit tries to grab credentials from the system memory and spread within the corporate network by WMIC,” he said.
Carbon Black researcher Brian Raskin noted in a blog that while additional analysis is needed he considers BadRabbit to be a Petya/NotPetya variant.
“Analysis is forthcoming, but initial views show that it is a variant of the NotPetya sample. It is not known yet if there is actual code re-use or if simply the tactics and strings were copied from analysed versions of NotPetya. Just as NotPetya dropped a file named perfc.dat, and called it by an export ordinal value, this Bad Rabbit will drop a similar file named infpub.dat and call it using an almost identical method,” he said.
Malwarebytes took this a step further and reported BadRabbit was produced by the team behind Petya/NotPetya, although the security firm did not offer any evidence to back this theory.
BadRabbit so far differs from its earlier cousin by actually being ransomware, whereas NotPetya's task was simply to render victims' systems inoperable, a job it did so thoroughly that companies such as the shipping firm Maersk, the pharmaceutical giant Merck and FedEx were feeling the impact for months after the attack.
“Bad Rabbit does seem as though it's geared to make money, unlike NotPetya, which pretty much pretended to be ransomware but in fact trashed your computer to cause network disruption rather than to 'impose' a direct financial cost,” Paul Ducklin, Sophos senior technologist emailed to SC Media.
While the attackers may be interested in making money, so far the evidence points to most victims taking US-CERT's advice and not paying up. BadRabbit asks for a 0.05 bitcoin ransom, about £220, but Gabriel Gumbs, vice president of product strategy for STEALTHbits Technologies, told SC Media that he had seen only three payments related to the attack so far, made to two bitcoin wallets.
On the bright side, Rapid7 has heard, but could not confirm, reports that two of those who paid did receive a key.
There are two points everyone agrees on.
The first is that BadRabbit does not use EternalBlue at any stage of the attack. Instead the malware spreads over SMB using credentials it has harvested or guessed rather than an exploit.
“Bad Rabbit has the ability to spread via an SMB component used for lateral movement and further infection. This appears to use a combination of an included list of weak credentials and a version of Mimikatz similar to that which was used in Nyetya,” said Gumbs.
The second is that nobody knows who is behind the attacks. Bob Rudis, chief data scientist at Rapid7, said, "We can say that this attack is more sophisticated and less 'noisy' than previous ones this year, and the campaign appears to be well-thought out, given that the attackers began setting up purloined infrastructure well before the attack and ensured there was no easy 'kill switch' or way to spread over the internet."
Trend Micro's research shows BadRabbit spreads to other computers on the network by dropping copies of itself on them under its original name and executing the dropped copies through Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol (SCMR). When SCMR is used, it obtains the credentials by dictionary attack.
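The three observable behaviours described above and in the Raskin and Gumbs quotes (a dropped .dat payload launched by export ordinal, a credential dictionary attack over SMB, then remote execution through SCMR or WMI) are what a defender would hunt for. The script below is an added example written for this article, not code from Trend Micro, Carbon Black or any other vendor quoted here. It runs two detections over a handful of constructed log records shaped like Sysmon process-creation events (ID 1), Windows logon events (4624/4625, logon type 3 for network logons), a service-install event (7045) and a process spawned by the WMI provider host. The hostnames, usernames, timestamps and the exact rundll32 command line are invented for the demo; only the file name infpub.dat and the "call by export ordinal" pattern come from the page.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names are simplified:
# id 1    = process creation (Sysmon-style: image, cmdline, parent)
# id 4625 = failed logon, id 4624 = successful logon (ltype 3 = network/SMB)
# id 7045 = new service installed (what a remote SCMR service creation leaves behind)
EVENTS = [
    {"t": 100, "host": "WS-01", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1 15",
     "parent": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    # Benign rundll32 use: a real DLL called by export name, not a .dat by ordinal.
    {"t": 101, "host": "WS-01", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"t": 117, "host": "WS-02", "id": 7045, "service": "infpub",
     "path": r"%SystemRoot%\infpub.dat"},
    # WS-04: WMI-launched copy instead of a service install.
    {"t": 135, "host": "WS-04", "id": 1, "image": r"C:\Windows\infpub.dat",
     "cmdline": r"rundll32.exe C:\Windows\infpub.dat,#1 15",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign: one mistyped password from WS-09 to WS-03, then success, nothing after.
    {"t": 200, "host": "WS-03", "id": 4625, "src": "WS-09", "user": "bob", "ltype": 3},
    {"t": 201, "host": "WS-03", "id": 4624, "src": "WS-09", "user": "bob", "ltype": 3},
]
# Dictionary attack from the infected WS-01: a run of failures against different
# accounts, then one success, on two targets.
for i, user in enumerate(["administrator", "admin", "root", "user", "guest"]):
    EVENTS.append({"t": 110 + i, "host": "WS-02", "id": 4625, "src": "WS-01", "user": user, "ltype": 3})
EVENTS.append({"t": 116, "host": "WS-02", "id": 4624, "src": "WS-01", "user": "administrator", "ltype": 3})
for i, user in enumerate(["administrator", "backup", "test"]):
    EVENTS.append({"t": 130 + i, "host": "WS-04", "id": 4625, "src": "WS-01", "user": user, "ltype": 3})
EVENTS.append({"t": 134, "host": "WS-04", "id": 4624, "src": "WS-01", "user": "test", "ltype": 3})

# rundll32 loading a .dat file and invoking it by export ordinal (",#N").
ORDINAL_DAT = re.compile(r"rundll32(?:\.exe)?\s+.*?\.dat\s*,\s*#\d+", re.IGNORECASE)


def detect_ordinal_rundll32(events):
    """Process-creation events where rundll32 calls an export ordinal of a .dat file."""
    return [e for e in events if e["id"] == 1 and ORDINAL_DAT.search(e["cmdline"])]


def detect_spray_then_remote_exec(events, min_failures=3, window=60):
    """Per (target host, source host): a run of failed network logons, then a success,
    followed within `window` seconds by remote execution on the target, i.e. a new
    service (SCMR) or a process whose parent is the WMI provider host."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["id"] in (4624, 4625) and e.get("ltype") == 3:
            by_pair[(e["host"], e["src"])].append(e)

    alerts = []
    for (host, src), logons in by_pair.items():
        failures = [e for e in logons if e["id"] == 4625]
        if len(failures) < min_failures:
            continue
        success = next((e for e in logons if e["id"] == 4624 and e["t"] > failures[-1]["t"]), None)
        if success is None:
            continue
        follow = [
            e for e in events
            if e["host"] == host and success["t"] <= e["t"] <= success["t"] + window
            and (e["id"] == 7045
                 or (e["id"] == 1 and e.get("parent", "").lower().endswith("wmiprvse.exe")))
        ]
        if follow:
            alerts.append({"host": host, "src": src,
                           "failed_users": sorted({e["user"] for e in failures}),
                           "logon_user": success["user"],
                           "exec": "scmr-service" if follow[0]["id"] == 7045 else "wmi-process"})
    return alerts


if __name__ == "__main__":
    for e in detect_ordinal_rundll32(EVENTS):
        print("ordinal .dat load on", e["host"], "->", e["cmdline"])
    for a in detect_spray_then_remote_exec(EVENTS):
        print("spray+exec:", a)
```

The thresholds (three failures, a 60-second window) are starting points, not tuned values; in production the logon and execution events come from different logs (Security vs System vs Sysmon) and have to be joined on hostname and a common clock before this logic applies. The ordinal check is deliberately narrow: rundll32 calling an export by ordinal is unusual on its own, and doing so against a file with a non-DLL extension is rarer still, which keeps the false-positive rate low without hard-coding the infpub.dat name.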
Another difference between BadRabbit and Petya/NotPetya is that it can be blocked. Unlike the earlier malware, BadRabbit did not come equipped with a kill switch, but within hours of the malware being spotted Cybereason researcher Mike Iacovacci posted a series of steps that will prevent a system from being infected with BadRabbit. Additionally, most security companies say their antivirus software is effective at spotting and defending against BadRabbit.