Close this search box.

Throwback Attack: Bad Rabbit ransomware hops across Europe

A hacker in the background.
Courtesy: CFE Media and Technology

In 1989, the first known ransomware attack occurred; 33 years later we are still being faced with more varied and complex ransomware incursions. Over the years, threat actors have found innovative ways to exploit vulnerabilities in systems worldwide. Some attackers even use old malware or code and revamp it to make it more dangerous and harder to detect. There have been many variants of hard-hitting malware throughout the years, including Bad Rabbit ransomware.

The Bad Rabbit ransomware attack was able to reach multiple countries and is believed to be a variant of the Petya ransomware. Petya and NotPetya, a well-known variant of Petya, affected thousands of people. Bad Rabbit was first spotted in October of 2017, not long after Petya and NotPetya were discovered, and was used to attack around eight European countries.

The Bad Rabbit ransomware attack

On Oct. 24, 2017, mass ransomware attacks started hitting organizations and consumers primarily in Russia but also in Ukraine, Bulgaria, Turkey, Estonia, Germany, Hungary, Japan and Slovakia. This was the third major spread of ransomware that year that impacted many of the same targets.

Experts from TrendMicro reported, “the main casualties as transport systems and media outlets in Ukraine and Russia.” Bad Rabbit hit critical infrastructure organizations in the transportation sector in Ukraine, causing flight delays because the passenger data had to be manually processed. Ukraine’s subway system was also affected, as there were payment delays on customer service terminals.

The attacker demanded 0.05 bitcoin as ransom, which was around $280 at the then-exchange rate. The Ukrainian arm of CERT (CERT-UA) issued an advisory warning of further potential ransomware attacks, saying that more may be imminent. According to a SecureList article, there were almost 200 targets of this attack. The primary attack lasted only until midday on Oct. 24, except for ongoing attacks in Moscow that continued through the evening.

Most ransomware attacks end up deleting any information the attackers steal; however, Bad Rabbit didn’t delete shadow copies or backups after encrypting victims’ files, which means there was a chance of restoring the original versions as long as the whole disk wasn’t encrypted.

The Bad Rabbit ransomware attacks were not officially attributed to a particular hacker or hacking group, but due to the numerous similarities to NotPetya, researchers were led to believe that they came from the same source. There was no conclusive evidence to support that the attacks were state funded, either.

Breakdown of the ransomware

Similar to other strains of ransomware, the Bad Rabbit virus locked up victims’ computers, servers or files until the victim paid the ransom. The malware was disguised as an Adobe Flash Installer and traveled through drive-by downloads on compromised websites. The victim would think they were updating their Adobe Flash, but they were really downloading malware because the attackers were able to inject JavaScript into the infected site’s HTML code.

While the downloaded file looked safe, once it was opened, the installer displayed a ransom note and a payment page demanding 0.5 bitcoin within 40 hours or their files would be lost. According to the same TrendMicro article, “Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine.”

Once Bad Rabbit infected a computer, it started spreading across the network by using lists of common username and password combinations to force its way onto other systems. If these brute-force attacks failed, it then exploited the EternalRomance SMB vulnerability. Among the tools Bad Rabbit reportedly incorporated was the open-source utility Mimikatz, which is used for credential extraction. There were also traces of DiskCryptor, a legitimate disk encryption tool, used to encrypt the target systems.

TrendMicro also stated, “We surmise that the exploit used in Bad Rabbit is a customized version of EternalSynergy, as it shares the same Memory Leak technique that EternalSynergy uses.” The EternalSynergy and EternalChampion, the weaknesses in how Windows implemented the Server Message Block (SMB) protocol, exploits were publicly released by the original Shadow Brokers earlier in the same year as the Bad Rabbit attack.

Bad Rabbit is another example of how even ransomware attacks that seemingly get thwarted are never really gone. They tend to come back multiple times, evolving as they go. Luckily, there are ways to combat this specific ransomware attack now, and cybersecurity experts and their methods continue to evolve along with attackers’ techniques.




Keep your finger on the pulse of top industry news