Security experts now report that, contrary to their initial analysis, the Bad Rabbit ransomware leverages an exploit linked to the U.S. National Security Agency (NSA).
Like the NotPetya wiper, Bad Rabbit uses the Server Message Block (SMB) protocol to spread within a compromised network. Researchers initially believed, however, that unlike NotPetya, Bad Rabbit used neither the EternalBlue nor the EternalRomance exploit.
The experts have now confirmed that while Bad Rabbit does not use EternalBlue, it does leverage EternalRomance to move across the network.
Microsoft addressed the EternalRomance vulnerability in March 2017 with a security bulletin that also patched the flaws behind the EternalChampion, EternalBlue and EternalSynergy exploits.
The Shadow Brokers hacker group published details of these flaws in April of the same year. The group claims to have obtained these and many other exploits from the NSA, and that they were used by one of the agency's teams, known as the Equation Group.
Soon after the flaws went public, Microsoft announced that they had already been fixed, which suggested that the company had been informed about the vulnerabilities by the NSA itself.
According to the initial analysis, there were numerous connections between Bad Rabbit and NotPetya: the same targets (Ukraine and Russia), binaries signed with expired certificates, the use of Mimikatz for credential theft, reboots and persistence via scheduled tasks, removal of event logs and USN change journals, and the same type of file encryption and ransomware functionality.
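The anti-forensic and persistence behaviours listed above (event log clearing, USN journal deletion, reboot via scheduled task) are the kind of combination a process-creation detection rule can correlate per host. The following is an added example, not code from the original article or from any vendor analysis; the event field names and the sample command lines are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample process-creation records (not real telemetry). The field
# names are an assumption about what a SIEM would hand a detection rule.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "fsutil usn deletejournal /D C:"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": 'schtasks /Create /SC once /TN task_placeholder '
                '/TR "shutdown.exe /r /t 0 /f" /ST 14:25'},
    # Benign activity on a second host: an ordinary scheduled job and a
    # read-only fsutil query, neither of which should fire a rule.
    {"host": "ws02", "parent": "services.exe",
     "cmdline": "schtasks /Create /SC daily /TN Backup /TR backup.exe /ST 02:00"},
    {"host": "ws02", "parent": "cmd.exe",
     "cmdline": "fsutil fsinfo drives"},
]

# One rule per technique named in the article, as a pattern over the command line.
RULES = {
    "event_log_cleared": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
    "usn_journal_deleted": re.compile(
        r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I),
    "scheduled_reboot": re.compile(
        r"\bschtasks(?:\.exe)?\s+/create\b.*\bshutdown(?:\.exe)?\b.*\s/r\b", re.I),
}


def classify(cmdline: str) -> List[str]:
    """Return the label of every rule the command line triggers (may be empty)."""
    return [label for label, pat in RULES.items() if pat.search(cmdline)]


def correlate(events, min_techniques: int = 2) -> Dict[str, List[str]]:
    """Group rule hits per host and return only hosts showing at least
    `min_techniques` distinct techniques. A single hit (e.g. one scheduled
    reboot) is routine admin activity; the combination is what matches the
    behaviour described in the article."""
    seen = defaultdict(set)
    for ev in events:
        for label in classify(ev["cmdline"]):
            seen[ev["host"]].add(label)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= min_techniques}
```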
The most significant difference between Bad Rabbit and NotPetya is that Bad Rabbit turns out to be real ransomware: users' files can be recovered after the ransom is paid. NotPetya, by contrast, has been classified as a wiper because its ransom payment functionality was never implemented properly, which makes file recovery impossible.
Another major difference between the two threats is that Bad Rabbit mostly affected enterprises, particularly in Russia, while many of the victims in Ukraine were high-profile organizations.
The NotPetya wiper has been linked to the Russian threat actor known variously as BlackEnergy, TeleBots and Sandworm Team, suggesting that the same group may also be behind the Bad Rabbit attacks.
According to analysis of the Bad Rabbit infrastructure, some of the compromised domains used in the attack had been in place since at least July, while some of the injection servers were first spotted more than a year ago.