Bad Rabbit ransomware spreads in Ukraine and Russia via fake Adobe Flash update
- Researchers continue to investigate the Bad Rabbit ransomware which has been targeting countries including Russia and Ukraine since early this week.
- Amongst the discoveries, Cisco observed that the ransomware uses the EternalRomance exploit to propagate within the network. This contradicts initial reports, which claimed that, unlike the NotPetya malware, Bad Rabbit did not leverage any of the alleged NSA exploits leaked by the Shadow Brokers.
- Separately, FireEye notes that several of the compromised sites redirecting targets to the domain that delivered the malware dropper have also been hosting the Backswing framework. Backswing is used to collect information on a user’s browsing session and send it to a C&C server.
- Initially targeting Russia and Ukraine, Bad Rabbit has now reportedly infected entities in further countries including Turkey, Bulgaria and the US.
- Researchers continue to debate the relationship between Bad Rabbit and the NotPetya trojan, with many claiming that the former is a new variant of the latter. This theory rests on similarities including the fact that both use SMB to spread, create scheduled tasks to reboot the system, and share some seemingly identical functionality and code.
INITIAL REPORT 25/10
- Reports suggest that Bad Rabbit shares similarities with the NotPetya ransomware. It is distributed via drive-by download: a number of popular websites were compromised and had malicious JavaScript injected into their HTML body.
- Infected websites display a popup asking the target to download a fake Flash Player update. Once run, the executable locks the victim's machine and displays the ransom note, which directs victims to an onion site that initially demands a 0.05 bitcoin ransom, increasing gradually until the victim pays.
- Bad Rabbit spreads laterally via SMB, but does not exploit EternalBlue as NotPetya did. It drops copies of itself using its original name and executes them using Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. Bad Rabbit also contains additional binaries such as Mimikatz, used to harvest credentials, and DiskCryptor, used to encrypt target systems.
- Organisations affected so far include the Kiev Metro, Odessa naval port, Odessa airport, Ukraine’s ministries of infrastructure and finance, and Russian media organisations including Interfax. ESET adds that the dropper component has been seen targeting Ukrainian organisations in only 12.2% of cases; 65% of sightings, however, involved Russian organisations.
Below are screenshots showcasing a typical Silobreaker OSINT workflow, in which Silobreaker continuously alerts on, analyses, monitors and visualises mentions of the Bad Rabbit ransomware from hundreds of thousands of open sources in real time.
Screenshot 1 – Silobreaker Network – Real-time link analysis leveraging unstructured open source data to detect relationships between entities. This link analysis gives timely and intuitive insight into the associations surrounding Bad Rabbit.
Screenshot 2 – Silobreaker Time Series – Monitoring “Bad Rabbit Ransomware” from first mention through to how articles are breaking and developing over time. As the chart shows, Silobreaker first noticed a mention of this ransomware almost a full day prior to general discovery.
Screenshot 3 – Silobreaker Heat – Automated monitoring and detection of specific entity types related to Bad Rabbit; in this instance, Indicators, Countries Affected and Organisations Affected.
Screenshot 4 – Silobreaker Dashboard – Contextualising the large volume of data being published on Pastebin in relation to Bad Rabbit.
To see further analysis of Bad Rabbit and other cyber threats to your organisation in Silobreaker, book an online demo today.
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.