BadRabbit Ransomware Strikes Eastern Europe

Russia and Ukraine Suffer Most Infections of New Crypto-Locking Ransomware
BadRabbit Ransomware Strikes Eastern Europe
BadRabbit's .onion site landing page, where victims go to pay a ransom. (Source: ESET)

As new ransomware called BadRabbit infects systems across Eastern Europe, cybersecurity experts are monitoring the outbreak, in part to see if it will match the disruption caused by this year's WannaCry and NotPetya ransomware campaigns.

See Also: How to Scale Your Vendor Risk Management Program

BadRabbit, which encrypts files on hard drives and asks for a ransom, has so far hampered the subway system in Ukraine's capital city of Kiev as well as the country's Odessa International Airport, which said on Tuesday it had been "attacked by hackers."

Moscow-based cybersecurity firm Group-IB says that a number of major media companies in Russia were affected. The U.S. Computer Emergency Readiness Team also issued a brief advisory on Tuesday but did not indicate if U.S. organizations have been affected yet.

If BadRabbit ransomware infects a system, it demands a 0.05 bitcoin ransom, currently worth about $275, in return for a promised decryption key.

Eastern Europe Outbreak

While BadRabbit is continuing to spread, about 65 percent of infections so far have been seen in Russia and 12 percent in Ukraine, according to Slovakia-based anti-virus vendor ESET. Other affected countries include Bulgaria, Turkey and Japan.

At least so far, however, BadRabbit's scope appears limited. Moscow-based anti-virus firm Kaspersky Lab says it has counted 200 organizations being directly targeted by the ransomware.

But the methods that BadRabbit uses to spread means that its crypto-locking run may continue. "I think this is going to be a headache for some time," Craig Williams, senior technical leader and manager of Cisco's Talos research group, tells Information Security Media Group.

At least one security firm claims it has already found a way to stop a PC from becoming infected with BadRabbit. Cybereason, which develops an endpoint security platform, writes that one of its researchers discovered a way to repel an infection by adjusting settings in Windows. Its workaround requires admin-level Windows access and involves removing permissions for system files that BadRabbit requires to run.

Beware Fake Flash

Whoever is behind the BadRabbit campaign has been using so-called watering hole attacks to spread the ransomware. These types of attacks involve compromising legitimate websites and planting attack code that attempts to infect a user's computer.

ESET has identified nearly two dozens websites that have been compromised. Most have country-code top-level domains for Ukraine, Russia and the Czech Republic, while others are in Japan and Bulgaria. The affected sites have been seeded with malicious JavaScript, ESET says.

Kaspersky Lab says all of the websites that it detected as being compromised are news or media websites. Those types of sites are often sought for watering hole attacks because of the high number of visitors. In addition to the impacted countries cited by ESET, Kaspersky Lab has also seen victims in Germany.

If a user browses to a compromised website, they're redirected to another server and then prompted to install Adobe System's Flash Player. If the user accepts the download, the machine is instead infected with BadRabbit. Baiting people with a fake Flash player is a common way to trick them into downloading malware. "It's a classic exploit," Cisco Talos's Williams says.

BadRabbit spreads in part via a fake Flash update. (Source: ESET)

Watering hole attacks are not the most precise way to target individuals or organizations. Attackers will get a random selection of people who fall for the fake Flash Player ruse. But that may well indicate the motivation behind whoever created or is using BadRabbit.

"I think this is just actually ransomware for profit," Williams says.

Related to NotPetya

Kaspersky Lab says BadRabbit's crypto-locking capabilities appear to be derived from a legitimate utility called DiskCryptor. "It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine," it says.

The ransomware coders also appear to be fans of the popular Game of Thrones television and book series. "Some of the strings used throughout the code are the names of different characters from this series," according to Kaspersky Lab.

Much of BadRabbit's code appears to be related to NotPetya, a devastating ransomware attack that first began infecting organization on June 27 (see Another Global Ransomware Outbreak Rapidly Spreads).

Cybersecurity firm Crowdstrike, in a statement, says a dynamic link library within BadRabbit and NotPetya share 67 percent of the same code, "giving us reason to believe the same actor is likely behind both attacks."

Likewise, Intezer, a company that studies malware code for similarities, says it "found code reuse from NotPetya throughout different binaries of BadRabbit."

Still, code reuse is common among malware authors, and via reverse engineering it would be possible to copy and reuse code that's been used in other attacks. But the link to NotPetya is interesting given that BadRabbit appears to be primarily seeking Eastern European targets.

NotPetya's Ongoing Impact

NotPetya has caused steep financial losses. The Danish shipping company Maersk estimated that it suffered $200 million to $300 million in damages from NotPetya. And FedEx, which saw its TNT Express service get hit, said in September that recovering from NotPetya would cost $300 million (see Maersk Previews NotPetya Impact: Up to $300 Million).

NotPetya spread through a clever supply chain attack. Attackers seeded the malware within three updates for Ukrainian accounting software called M.E. Doc. If the update was downloaded and installed, it provided attackers with a backdoor onto the system via which they could launch NotPetya (see NotPetya Patient Zero: Ukrainian Accounting Software Vendor).

Once NotPetya had infected a system, it used an exploit called EternalBlue to spread. Security experts suspect that EternalBlue is an exploit developed by the U.S. National Security Administration. It was leaked in April by a hacking group called The Shadow Brokers.

Although NotPetya was ostensibly ransomware, the payment procedure and mechanisms were flawed. If someone paid the ransom, NotPetya's authors had no way to deliver a decryption key. The ransomware also had a disk wiper component, suggesting that it was designed more for destruction than profit (see Latest Ransomware Wave Never Intended to Make Money).

How BadRabbit Spreads

BadRabbit doesn't appear to use EternalBlue to spread; instead, it uses more conventional methods.

"Despite initial reports, we currently have no evidence that the EternalBlue exploit is being utilized to spread the infection," Cisco Talos researchers say in a blog post.

When it infects a system, BadRabbit searches for other computers on the same network, trying to find devices running file-sharing services using Microsoft's Server Message Block, or SMB, protocol. The ransomware is encoded with a list of common or weak credentials that might allow it to log into SMB-connected systems.

Infected computers also get their credentials ransacked. BadRabbit contains a version of Mimikatz, which is a post-exploitation tool that it uses to pull hashes and clear-text credentials from Windows systems.

Ransomware Rampage

BadRabbit is just the latest in a number of large-scale ransomware outbreaks or campaigns.

The biggest ransomware outbreak so far this year has been WannaCry. On May 12, it began infecting hospitals, telecommunications and transportation companies, encrypting files on vulnerable computers that lacked the latest patches. The ransomware worm, which U.S. and U.K. authorities believe was created by North Korea, ultimately spread to 300,000 machines (see Is WannaCry the First Nation-State Ransomware?).

Justin Dolly, chief security officer and chief information officer of security vendor Malwarebytes, tells ISMG that ransomware is not going away.

"The lines continue to move up into the right, both the number of infections and the amount of money that's being paid," Dolly says.

(Executive Editor Mathew Schwartz also contributed to this story.)


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network