The third global cyber attack: hackers worked on Bad Rabbit since 2016

Behind the scenes of Bad Rabbit ransomware: how long does it take to launch a worldwide cyber attack?

Bad Rabbit ransomware^[1] attack on the 24th of October is the third global cyber attack launched this year, following WannaCry^[2] outbreak in May and Petya^[3] invasion in June. There’s no doubt that worldwide attacks require lots of preparation and hard work. According to the latest information, the recent cyber attack was planned for at least a year.

Researchers have quickly discovered Bad Rabbit’s relation with Petya ransomware that caused lots of problems for Ukraine’s public sector – both of them share 67% of the same code. The investigation of the virus continues. However, researchers have revealed new interesting information about the preparation of the massive cyber attack that mostly affected Russia and several European countries.

It seems that creators of the Bad Rabbit threat were planning the massive attack since 2016, the recent reports say. RiskIQ analyzed “injection servers”^[4] that were used for implanting fake Adobe Flash Player updates to the compromised websites. According to the research, some of these sites were displaying malicious pop-ups at least since last September. It is assumed that the distribution of Bad Rabbit may have started even earlier.

Malware spread via compromised websites that asks to download fake Adobe Flash Player update

The first reports informed that Bad Rabbit compromised several Russian news outlet websites, including Interfax and Fontanka. However, the list of hacked sites is longer. Besides, the ongoing research might reveal even more infected websites.

On the 24th of October, these sites started displaying a fake Flash Player update prompts. It users clicked “Install” button, the malicious “install_flash_player.exe” file was installed on the computer. Once executed, Bad Rabbit ransomware started its hazardous tasks.

Bad Rabbit virus is the updated and fixed version of Petya

The similarities between Bad Rabbit virus and Petya/NotPetya^[5] malware was quickly noticed. Both cyber threats spread in the same manner, exploit Windows Server Message Block vulnerability and aim at corporation networks. However, the analysis showed that the recent cyber threat includes bug fixes that were left in Petya’s code.^[6]

The main facts about the improved version of the NotPetya virus:

• Spreads as fake Adobe Flash Player update or exploits SMB vulnerability.
• Uses a combination of AES-256-CBC and RSA-2048 encryption algorithm and appends .encrypted file extension to the targeted data.
• Demands 0.05 Bitcoins (approximately $280) for data recovery.
  65% of the attacks were reported in Russia. Ransomware attacked Group-IB IT security firm, financial institutions, and Russian Central Bank.
• About 12% of the Bad Rabbit attacks hit Ukraine. Malware compromised Odessa airport and subway system in Kiev.
• Ransomware attacks were reported in Germany, Poland, Bulgaria and other Eastern European countries, as well as in South Korea, Japan, and the United States.

On October 26th, researchers announced the vaccine for the Bad Rabbit. Learn how to vaccinate your PC here. ^[7] If you suffered from the ransomware attack, you could find removal instructions here. Unfortunately, files encrypted by Bad Rabbit ransomware cannot be decrypted.