A new ransomware strain dubbed Bad Rabbit rippled across Russia and eastern Europe early Tuesday morning. The malware, which appears to have ties to this summer's ExPetr/NotPetya ransomware attacks, mostly hit machines in Russia but attacks against targets in Ukraine, Turkey, Germany, and Bulgaria were also observed by researchers.
Victims in Ukraine included the nation's third-largest airport, Odessa International Airport, and Kiev's Metro rapid transit system. According to Reuters, several flights were delayed because airport workers had to input passenger data manually. According to Metro officials, the attack affected its payment card system. A notice posted to its site said the subway was working but that users planning to pay with bank cards, or with a MetroPass, a service that allows commuters to pay for trips in advance, should seek alternate forms of payment.
InterFax, a Russian business newswire, was one of the first corporations to publicly admit it was hit on Tuesday. The director of the company's Financial and Business Information Service, Yuri Pogorely, said on his Facebook page Tuesday morning that InterFax was experiencing an "unprecedented virus attack." Officials with InterFax said on Twitter that its servers were experiencing a "hacker attack." While the site was unavailable for much of Tuesday morning, it was back online Tuesday afternoon. Fontanka, a Russian news service based in St. Petersburg, was reportedly also hit by the ransomware. The company's site was also offline Tuesday; a notice posted to its Facebook profile said its "server was attacked" and that it would likely "not be available for several hours."
Ukraine's state-run Computer Emergency Response Team (CERT) warned of a rash of cyberattacks in Ukraine first thing Tuesday morning but didn't explicitly say they were tied to the Bad Rabbit ransomware. The United States Computer Emergency Readiness Team (US-CERT) also warned of Bad Rabbit late Tuesday, discouraging victims, individuals and organizations alike, from paying the ransom.
Once a machine is infected, Bad Rabbit requires victims to navigate to a Tor Hidden Service and pay attackers a fraction of a Bitcoin, 0.05 BTC, roughly $275. A countdown timer displayed alongside the ransom note warns that the ransom will increase once a set time has elapsed.
Researchers called Bad Rabbit a previously unknown ransomware family Tuesday morning but noted that the malware bears some similarities to ExPetr, or NotPetya, the ransomware that sparked a series of cyberattacks across the globe in June. Victims of NotPetya included global transport and logistics conglomerate Maersk, pharmaceutical company Merck, and the advertising agency WPP.
Researchers with Kaspersky Lab, who reportedly saw almost 200 targets of Bad Rabbit on Tuesday, said the ransomware is primarily spread via drive-by attacks. Victims are redirected from legitimate news websites to a site that downloads a fake version of Adobe's Flash Player. Users then have to manually run the .exe file in order to be infected. A malicious DLL, infpub.dat, is saved and launched, but not before it downloads another malicious executable, dispci.exe. The DLL infpub.dat encrypts the machine's data with an RSA-2048 key, while dispci.exe acts as the disk encryption module and installs a modified bootloader that prevents the machine from booting up as usual.
Where Bad Rabbit really draws comparisons to ExPetr, or NotPetya, is its hashing routine. Kaspersky Lab researchers say the ransomware enumerates all running processes and compares the hashed name of each process with embedded hash values.
Interestingly, the malware's code contains several strings that reference Game of Thrones characters, including the dragons Viserion, Drogon, and Rhaegal, researchers claim. Furthermore, parts of dispci.exe appear to be modeled on code belonging to DiskCryptor, a legitimate, open source whole-disk encryption utility used to secure laptops, desktops, and servers.
Researchers with the security firm ESET dubbed the malware Diskcoder.D, a variant of NotPetya, and said Tuesday it can spread via Microsoft Server Message Block (SMB) shares. The malware also spreads via the Windows Management Instrumentation Command-line (WMIC) utility, using credentials stolen with Mimikatz, another open source tool, researchers say.
#BADRABBIT drops & executes c:\windows\infpub.dat by ordinal function
Expecting many similarities to #EternalPetya c:\Windows\perfc.dat https://t.co/89ELmBEA3E
— Nick Carr (@ItsReallyNick) October 24, 2017
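Put into detection terms, the execution chain the reporting describes (rundll32 loading infpub.dat by ordinal, dispci.exe as the disk encryption stage, WMIC used for remote execution) can be checked against process-creation telemetry. The script below is an added example, not code from the article or from any vendor named in it; the pipe-delimited event format and every sample command line are constructed for illustration.

```python
"""Detection sketch for the Bad Rabbit execution chain described in the article:
rundll32 loading c:\\windows\\infpub.dat by ordinal, dispci.exe as the disk
encryption stage, and WMIC used for remote execution. All sample data is constructed."""
import re

# Constructed process-creation records, "timestamp|parent_image|command_line" (not real telemetry).
SAMPLE_EVENTS = """\
2017-10-24T09:02:12|install_flash_player.exe|rundll32.exe C:\\Windows\\infpub.dat,#1 15
2017-10-24T09:02:20|rundll32.exe|C:\\Windows\\dispci.exe -id 3821
2017-10-24T09:03:01|rundll32.exe|wmic.exe /node:10.0.0.7 /user:CORP\\admin process call create "..."
2017-10-24T09:05:00|explorer.exe|rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl
2017-10-24T09:06:00|services.exe|wmic.exe os get caption
"""

# rundll32 handed a module whose extension is not .dll/.cpl and an export named by ordinal (",#N")
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+\S+\.(?!dll\b|cpl\b)\w+,#\d+", re.I)
# the disk encryption module named in the article, launched from the Windows directory
DISPCI = re.compile(r"\\windows\\dispci\.exe", re.I)
# wmic pointed at a remote host and asked to create a process (the spreading method the article describes)
WMIC_REMOTE = re.compile(r"wmic(?:\.exe)?\s.*?/node:\S+.*?process\s+call\s+create", re.I)

RULES = [
    ("rundll32 ordinal call of non-DLL module", RUNDLL_ORDINAL),
    ("dispci.exe disk encryption module", DISPCI),
    ("WMIC remote process creation", WMIC_REMOTE),
]

def parse_events(text):
    """Split the constructed pipe-delimited records into (timestamp, parent, command_line)."""
    return [tuple(line.split("|", 2)) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (timestamp, rule_name, command_line) for each record that matches a rule."""
    return [(ts, name, cmd)
            for ts, _parent, cmd in events
            for name, pattern in RULES
            if pattern.search(cmd)]

def chain_detected(hits):
    """True when both stages the article describes (infpub.dat loader, then dispci.exe) are
    present; the pair is far stronger evidence than either indicator on its own."""
    names = {name for _, name, _ in hits}
    return {"rundll32 ordinal call of non-DLL module",
            "dispci.exe disk encryption module"} <= names

if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_EVENTS)):
        print(*hit, sep="  ")
```

The legitimate rundll32 and wmic records in the sample are left unflagged, which is the point of keying on the ordinal call and the remote node rather than on the binary names alone.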
Unlike NotPetya, experts say Bad Rabbit does not leverage EternalBlue, the exploit believed to have been developed by the NSA that powered this summer's WannaCry and NotPetya ransomware campaigns. Microsoft patched EternalBlue with a security bulletin in March, but many victims running Windows, especially Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, failed to patch, which left the door open for the ransomware to propagate.
In the weeks following the NotPetya attacks, researchers, including Kaspersky Lab's Juan Andres Guerrero-Saade and Comae Technologies founder Matt Suiche, said the malware wasn't really ransomware at all. Instead, the researchers classified the threat as a wiper. Since it wasn't at all clear the attacker could decrypt victims' files even if a payment was made, the sole intent of the malware was sabotage, the researchers maintained.
As is the case with many new strains of ransomware, it's unclear whether users affected by Bad Rabbit can, or will ever be able to, retrieve their files after they've been encrypted. The intent of the attackers, along with what happens if a victim actually pays the ransom, will likely take a few days to come to light, if it ever does.