BadRabbit: Not All Ransomware Created Equal

27 Oct 2017 - Research and Analysis

A new worm-able strain of ransomware dubbed BadRabbit emerged this week, infecting hundreds of endpoints and organizations, mostly in Russia.

Many in the industry are comparing the threat to the global WannaCry and Petya ransomware outbreaks, although the analogy seems imperfect at best. Coverage—both in the media and from research outlets—could be fairly described as hyperbolic. The bottom line is this: if NotPetya and WannaCry were tsunamis, BadRabbit is a ripple.

What seems crystal clear is that we are entering into an era where global, worm-enabled ransomware outbreaks are increasingly normal. That said, this outbreak seems to pale in comparison to the NotPetya and WannaCry incidents. Ultimately, the information security media and research community seem to be overhyping the BadRabbit outbreak, which seems to have infected hundreds or maybe thousands of machines.

Let’s start with the starkest similarities: all of the incidents ostensibly involve ransomware, could be fairly characterized as worm-like, and relied in part on leaked Equation Group exploits.

Curiously, neither of the earlier outbreaks managed to gather any meaningful amount of ransom payments: not WannaCry, thought to have been conducted at the behest of the North Korean government, which was supposedly attempting to collect ransom payments to raise revenue and offset losses arising from Western sanctions, and not NotPetya, thought to have been an operation carried out by Russian, state-sponsored hackers for purposes that have never been clearly articulated (beyond largely targeting major economic assets in Ukraine, a country with which Russia is engaged in a long-standing conflict).

So first, if we believe the prevailing narratives, what we have is two vaunted, state-run hacking groups executing sophisticated, global ransomware schemes—both involving a suspected NSA exploit and worming capabilities, and one (NotPetya) involving a well-thought-out supply chain attack (targeting Ukrainian tax software maker M.E.Doc)—and failing to monetize them.

Now we have a third such attack in BadRabbit, albeit on a much smaller scale. Some research suggests that the strain of ransomware is an update to the Petya ransomware and that the same group carried out both campaigns. Interestingly, BadRabbit too may be failing in its effort to attract ransom payments. Beyond what’s already said here, the threat bears at least two more similarities to these prior attacks: its use of a variant of the Mimikatz credential extractor (also used in the case of NotPetya) and its reliance on the server message block (SMB) protocol (exploited in both WannaCry and NotPetya). The same comparisons could be drawn to numerous other malware campaigns.

In every case, there’s been a fixation on attribution, and that fixation is, per usual, misplaced. What actually matters is neutralizing the threat, and we’re still talking about this, despite the threat being apparently neutralized. According to numerous sources, BadRabbit’s command and control servers fell offline as of Tuesday. Most infections are said to have occurred within hours of the first infection.

The initial infection vectors for BadRabbit were drive-by downloads embedded on websites (known as watering hole attacks or strategic Web compromises) based in Russia, Bulgaria, and Turkey. The vast majority of victims are located in Russia, with additional infections reported in Ukraine, Turkey, Japan, Bulgaria, the United States, and Germany. The drive-by downloads masqueraded as fake Flash Player updates containing malicious JavaScript. Once BadRabbit infects an endpoint, it is said to use a Mimikatz variant to extract credentials from the affected system, or otherwise to use hard-coded credentials, to access and spread through the victim network via the SMB protocol. While the threat didn’t use ETERNALBLUE, it did leverage a related Equation Group SMB exploit called ETERNALROMANCE to move laterally. The ransomware requests .05 Bitcoin (~$277).
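The spread pattern described above, one newly infected host authenticating to many peers over SMB with harvested or hard-coded credentials, is something a defender can look for in authentication logs. The following is an added example, not code from the original post: it parses constructed logon records (the log format, host names, accounts and thresholds are assumptions) and flags any source host that touches many distinct destinations, with some failed logons mixed in, inside a short window.

```python
"""Flag worm-like SMB lateral movement in constructed authentication logs.

A host replaying a credential list against its neighbours shows up as one
source authenticating to many peers within minutes, with successes and
failures interleaved. Format, names and thresholds here are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source host, destination host, account, result
SAMPLE_LOG = """\
2017-10-24T10:00:01 WS-17 FS-01 svc_backup FAIL
2017-10-24T10:00:02 WS-17 FS-01 Administrator SUCCESS
2017-10-24T10:00:05 WS-17 WS-22 Administrator SUCCESS
2017-10-24T10:00:07 WS-17 WS-23 admin FAIL
2017-10-24T10:00:08 WS-17 WS-23 Administrator SUCCESS
2017-10-24T10:00:11 WS-17 PRN-02 guest FAIL
2017-10-24T10:00:12 WS-17 PRN-02 Administrator SUCCESS
2017-10-24T10:00:15 WS-17 FS-02 user FAIL
2017-10-24T10:00:16 WS-17 FS-02 Administrator SUCCESS
2017-10-24T10:05:00 WS-04 FS-01 jdoe SUCCESS
2017-10-24T10:30:00 WS-04 FS-02 jdoe SUCCESS
"""

def parse(log):
    """Turn each whitespace-separated record into a sortable tuple."""
    events = []
    for line in log.splitlines():
        ts, src, dst, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, account, result))
    return events

def find_spreaders(events, window=timedelta(minutes=5), min_targets=4, min_failures=2):
    """Map each suspicious source to (sorted distinct targets, failure count)
    for the sliding window in which it met both thresholds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            win = evs[start:end + 1]
            targets = {e[2] for e in win}
            failures = sum(1 for e in win if e[4] == "FAIL")
            if len(targets) >= min_targets and failures >= min_failures:
                flagged[src] = (sorted(targets), failures)
    return flagged

if __name__ == "__main__":
    for src, (targets, failures) in find_spreaders(parse(SAMPLE_LOG)).items():
        print(f"{src}: {len(targets)} hosts, {failures} failed logons -> {targets}")
```

Ordinary users such as WS-04 in the sample, who reach a couple of file servers over half an hour, stay below both thresholds; the thresholds would need tuning against a real environment's baseline.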

It is also worth noting that, unlike WannaCry and NotPetya, the victims of BadRabbit had to agree to install the ransomware themselves, although it masqueraded as an update. This is an important contrast to WannaCry, which used a sophisticated SMB exploit, and NotPetya, which was embedded in an otherwise legitimate M.E.Doc update.

Maybe we’re missing something, but it’s hard to say what makes this different from many other malware incidents that infected hundreds or maybe thousands of machines. WannaCry infected hundreds of thousands of machines; Petya infected fewer, somewhere south of 100,000 machines, but reportedly ended up costing at least two companies hundreds of millions of dollars each.

The vulnerabilities underlying the ETERNAL line of Equation Group exploits have all been patched. Many of them have also shown up in multiple malware campaigns. Patch your machines. Drive-by downloads and malicious Flash Player updates have been a normal occurrence for years. Educate your employees. Mimikatz might be the most popular post-exploitation tool on the Internet. Your antivirus or other security products should probably detect and block it. If your organization is doing security right, BadRabbit infects one machine: the one whose user agreed to install a bogus Flash Player update.
