Bad Rabbit ransomware spreading in Eastern Europe 'with ties to NotPetya' - updated

Ransomware is installed via a download and can move laterally within a network - but some researchers claim the threat has been blown out of all proportion

Reports have surfaced of a new strain of ransomware called Bad Rabbit beginning to spread in Russia and Ukraine, initially targeting government and media institutions. Infections have also been seen in Turkey and Bulgaria, but the scope of the spread is still unclear.

The malware has affected systems at three Russian websites, including news services Interfax and Fontanka.ru; an airport in Ukraine; and an underground railway in Kiev.

Kaspersky and British IT security company ESET have both mentioned links to NotPetya but could not confirm whether the two strains were related. Kaspersky said:

'Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr [Kaspersky's name for NotPetya] attack. However, we cannot confirm it is related to ExPetr.'

Rik Ferguson, VP of security research at Trend Micro, tweeted that the 'outbreak' has been blown out of proportion.

Bad Rabbit spreads itself through downloads, requiring a target to take action to install the ransomware - which takes the form of a bogus Adobe Flash installer. Only targets of interest are being infected so far, with We Live Security noting:

'One of the distribution methods of Bad Rabbit is via drive-by download. Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js files…

'Server-side logic can determine if the visitor is of interest and then add content to the page. In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page.'

Once installed, the ransomware can move laterally within a network using SMB - similar to NotPetya. Malwarebytes said that the two strains were 'probably prepared by the same authors':

'Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn't use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria).'

SentinelOne's chief security consultant, Tony Rowan, told us, 'This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success.'

Interestingly, Malwarebytes says that Bad Rabbit does not use EternalBlue to spread, while Rowan thinks it does. We have gone back to both for more information.

A vaccine, which involves creating the files c:\windows\infpub.dat and c:\windows\cscc.dat on a machine before it is infected, has been found, tested and confirmed by security researcher Amit Serper.
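As an added example (not code from the article or from Amit Serper), the following PowerShell applies the vaccine described above by creating the two placeholder files. Making the files read-only and replacing their inherited ACL with a single read-only entry for Administrators is an extra hardening step added here so the placeholders cannot simply be overwritten or deleted; the article itself only mentions creating the files. The function names are ours, and the script assumes an elevated (administrator) PowerShell session on the host being protected.

```powershell
# Added example: Bad Rabbit vaccine (create C:\Windows\infpub.dat and C:\Windows\cscc.dat).
# Read-only attribute and ACL tightening are hardening steps added here, not from the article.
# Run from an elevated (administrator) PowerShell session.

$VaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Install-BadRabbitVaccine {
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Empty placeholder: the malware checks for the file's presence, not its content.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

        # Stop inheriting permissions, drop every existing rule, then allow only
        # BUILTIN\Administrators to read. Nothing else can modify or delete the file.
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
        $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'Read', 'Allow')
        $acl.AddAccessRule($readOnly)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    # Returns $true only if both placeholder files exist and carry the read-only attribute.
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        if (-not (Get-Item -LiteralPath $path).IsReadOnly) { return $false }
    }
    return $true
}

Install-BadRabbitVaccine
"Vaccine in place: $(Test-BadRabbitVaccine)"
```

Because the owner of a file always retains the right to change its ACL, an administrator can still undo the permissions later; the point of the tightened ACL is only that ordinary write access, which is what a dropped payload would rely on, no longer exists for any account.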

If they are infected, users are redirected to a Tor domain where they are asked to pay 0.05 Bitcoin (about $280), with a countdown to an increase in price. It is not yet clear whether users will get their files back or if, like NotPetya, they will simply be destroyed. Infected users have been advised not to pay the ransom.

Researcher Kevin Beaumont discovered that the author(s) appear to be fans of Game of Thrones; BadRabbit creates scheduled tasks named after Daenerys Targaryen's dragons, Drogon, Rhaegal and Viserion, as well as a reference to the Unsullied fighter Grey Worm (very different to the skin disease greyscale).

So far, two-thirds of infections have been seen in Russia, and just over 12 per cent in Ukraine.

Update 27/10/17: Shimon Noam Oren, head of cyber intelligence at Deep Instinct, has confirmed to us that Bad Rabbit does not use EternalBlue:

"Bad-Rabbit isn't using EternalBlue. There has been some confusion around this because it is trying to spread through SMB, but it is using brute-forcing and common username/passwords - not exploiting the recent related vulnerabilities."
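The article gives defenders two things to look for: the scheduled task names Kevin Beaumont reported (Drogon, Rhaegal and Viserion), and SMB spreading driven by credential guessing rather than an exploit, which on a Windows host shows up as a burst of failed network logons (Security event 4625, logon type 3) from one source. The following PowerShell, an added example that is not from the article or any of the vendors quoted, hunts for both. The function names and the failure threshold of 20 per hour are our assumptions; the script assumes an elevated session and that logon-failure auditing is enabled so that 4625 events are recorded.

```powershell
# Added example: hunt for the indicators named in the article.
# Assumes an elevated PowerShell session and that failed-logon auditing is on.

# 1. Scheduled tasks named after the dragons (names quoted in the article).
$SuspectTaskNames = @('drogon', 'rhaegal', 'viserion')   # -contains is case-insensitive

function Find-SuspectScheduledTasks {
    Get-ScheduledTask |
        Where-Object { $SuspectTaskNames -contains $_.TaskName } |
        Select-Object TaskName, TaskPath, State,
            @{ Name = 'Action'; Expression = {
                ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

# 2. Bursts of failed network logons, the footprint of SMB credential guessing.
function Find-LogonFailureBursts {
    param(
        [int]$Hours = 1,
        [int]$Threshold = 20    # assumed starting point; tune for your environment
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue   # no events at all is not an error here

    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |     # type 3 = network logon, what SMB produces
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Source           = $_.Name
            Failures         = $_.Count
            DistinctAccounts = ($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

Find-SuspectScheduledTasks | Format-Table -AutoSize
Find-LogonFailureBursts | Format-Table -AutoSize
```

A high failure count paired with many distinct account names from a single source is the pattern a hardcoded username/password list produces; a single account failing repeatedly from one host is more often a stale service credential. Run both functions from a management host against each suspect machine, or wrap them in Invoke-Command to sweep a fleet.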