What Is Bad Rabbit? Petya-Style Ransomware Attack Hits Russia, Ukraine
Security researchers reported Tuesday a new wave of potentially destructive ransomware known as Bad Rabbit. The malicious attack spread quickly across computer systems in Eastern Europe, including targets in Russia and Ukraine, and has been detected in the United States.
The outbreak of Bad Rabbit, which reportedly bears some similarity to the damaging Petya/NotPetya wiper attack that spread earlier this year, resulted in service outages at news agencies, train stations and airports among other organizations.
Details are still sparse when it comes to Bad Rabbit. The origin of the attack is unknown for the time being, and Russia-based cybersecurity firm Kaspersky Lab reported the attack represented a new strain of ransomware that had not previously been identified.
The attack is believed to have spread through what are known as drive-by attacks. Such attacks occur when threat actors plan malicious scripts or code into an insecure web page. That script can often download the malicious software directly to the computer of a person who visits the site or redirect the visitor to a site that serves up the ransomware.
In the case of Bad Rabbit, the drive-by attacks appear to have been set up on a number of Russian news and media websites. CrowdStrike Intelligence, an American cybersecurity firm, traced the origin of the attack to argumentiru.com, Russian and Eastern European news and celebrity gossip site that was discovered to be hosting the malicious code.
According to Kaspersky, no exploits were used to install Bad Rabbit onto a victim’s system—a person would have to manually execute the malware dropper, which presented itself as an Adobe Flash installer.
The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer.
Once a victim is infected by Bad Rabbit, the malware begins to compromise the machine. Once the ransomware has installed on the machine, the victim of the attack is presented with a black screen with red text similar in appearance to the Petya attack.
The text informs the victim that, like with most ransomware attacks, the malicious software has encrypted the user’s files and made them inaccessible. The attack then demands the victim pay 0.05 Bitcoin, or about $280, in order to regain access to their files. A timer is presented on screen that counts down, threatening that the ransom price will go up when the clock hits zero.
Security researcher Kevin Beaumont also noted that Bad Rabbit creates two scheduled tasks on an infected machine, both of which are references to the HBO show “Game of Thrones.” One task is named “drogon” and another is named “rhaegal.”
Researcher Kevin Beaumont has posted a screenshot that shows Bad Rabbit creating tasks in Windows named after the dragons Drogon and Rhaegal in TV series Game of Thrones.
Jakub Kroustek, Malware Analyst at security firm Avast, told International Business Times the company has classified Bad Rabbit as malware and said the attack has been detected in Russia, Ukraine, Poland South Korea and the U.S., with Russia and Ukraine receiving the brunt of the campaign.
“The total prevalence of known samples is quite low compared to the other ‘common’ strains,” Kroustek said, though noted Avast would continue to monitor the situation.
Kaspersky also suggested Bad Rabbit isn’t as widespread of some of its predecessors like WannaCry—the ransomware attack that infected more than one million machines earlier this year—or Petya, a wiper attack disguised as ransomware that destroyed more than 12,500 machines in Ukraine alone when it began spreading in June. According to the Russian cybersecurity firm, Bad Rabbit has targeted about 200 organizations thus far, though the attack can still spread.
Many of those targets have been high-profile organizations that have proven Bad Rabbit to be disruptive and destructive. Russian news agency Interfax reported on Twitter the attack had taken out a number of its servers, while Russian forensics company Group-IB confirmed the attack infected at least two other Russian media outlets.
In Ukraine, critical transportation services have been knocked offline, including the Kiev Metro—the main mode of public transport in the capital city. Odessa International Airport was also hit by Bad Rabbit, according to security firm ESET.
“It's important to separate the infection vector and spreading mechanisms from the payload,” Ben Johnson, co-founder and chief technology officer for Obsidian Security, told IBT.
“In the past, worms and other malware would spread more covertly, but with ransomware, the primary goal is to be detected. It's a more in your face cyber attack than in the past. For the infection vector, attackers are getting smarter about how they compromise more systems, and we will continue to see campaigns like this because they work.”
Johnson also warned that Bad Rabbit, like it’s apparent predecessor Petya, may not actually be a financially motivated attack despite appearing to be ransomware designed to extract payment from victims.
“Perhaps ransomware is a nice distraction, or it generates some extra cash, but rather there is a more sinister payload embedded in the attack,” the former NSA computer scientist said.
While Johnson noted he hadn’t seen any technical information to confirm the suspicion, it would not be out of line with what occurred with the Petya attack. Despite Petya presenting a screen that promised to decrypt files in exchange for a ransom payment, the attack would simply wipe a victim’s system regardless if they paid the fee or not.
Rod Soto, the director of security research at artificial intelligence-based cybersecurity firm JASK, echoed Johnson’s concerns that Bad Rabbit may be more than just a ransomware campaign.
“It may look like a ransomware campaign by appearance, but actual payloads may differ depending on actual targets,” Soto said. He suggested paying “special attention” to the companies and organizations affected by the attack and examining the code from each payload.
“This can only be determined by looking at all distributed malicious code, which is not easy, but circumstantial and geopolitical factors may give us a clue,” he said.
While Bad Rabbit has been identified, the attack is likely to continue its spread to systems that are not protected. According to VirusTotal, a service that shows what anti-virus software detects certain threats, less than half of all major anti-virus programs currently detect the ransomware attack at the time of publication.
"The danger in new ransomware variants is the potential for spread to vulnerable devices. Where endpoints are not yet updated to detect these zero-day attacks, cloud app threat protection can serve as an organization's first line of defense,” Rich Campagna, CEO of cloud security firm Bitglass told IBT.
“As ransomware evolves and becomes more potent, the ability to identify malware in the cloud based on the characteristics of a file as opposed to hash or signature-based scans can prove critical," he said.
© Copyright IBTimes 2024. All rights reserved.