The next battle in the fight against ransomware began suddenly on Tuesday, October 24, 2017, when multiple high-profile targets across Eastern Europe were hit within hours of each other. Dubbed Bad Rabbit, the attack mainly struck Russian and Ukrainian organizations and individuals, but infections were also reported from as far away as South Korea, Germany, and Turkey.
After a flurry of activity and reporting, the attack appears to have ended as suddenly as it began, but this lull in the action is likely intentional on the part of the hackers. Perhaps they felt that it was too much attention or they had played their hand too early. Perhaps it was little more than a preemptive test for another attack.
Concrete details are relatively few at the time of this reporting. What is known is that the infrastructure behind the attack, the compromised websites that served the fake installer and the Tor payment site that collected ransoms and handed out decryption passwords, has either been shut down by the attackers themselves or taken offline by the hosting providers. Note that the encryption itself does not depend on any server: once the dropper runs, the malware encrypts files and the disk locally, so taking the infrastructure down stops new distribution and payments but does nothing for hosts already infected. Either way, the attack has entered a sort of ceasefire for the moment, but that does not mean the malware has stopped spreading. The rate of new infections has slowed, but copies already inside networks can still propagate to other vulnerable machines.
With the shock of the attack wearing off, security firms are beginning to weave a cogent narrative detailing the likely identities and associations of the hackers. This process of fitting the pieces together will take weeks if not months due to the sudden cessation of rapid infection and execution. However, security experts expect the final story to follow this framework even if some of the more minor details change as new information emerges.
What Is Bad Rabbit?
Like other ransomware, Bad Rabbit is designed to extort a payment from its victims. Instead of a kidnapping victim, this type of malware holds computer files hostage by encrypting them, then displays a message with detailed instructions for paying the ransom. Whether the attackers honor their side of this one-sided bargain varies from campaign to campaign: some victims never receive a working decryption key even after paying, and in some attacks the files are destroyed outright.
Such attacks have grown alongside cryptocurrencies such as Bitcoin and Ethereum. These are pseudonymous rather than truly anonymous (every transaction is recorded on a public ledger), but they let criminals collect payments without a bank account in their name and move funds quickly through mixing services and exchanges that do little identity checking. The proceeds can then be converted to traditional currency, spent at the limited number of legitimate businesses that accept cryptocurrency, or used to buy criminal goods and services on dark-web markets.
Victims who wish to decrypt their files are told to visit a Tor site and pay a Bitcoin ransom (initially 0.05 BTC, rising after a countdown expires) in exchange for a decryption password. Because the payment infrastructure has been taken offline, there is no way to obtain that password, so most Bad Rabbit victims never even had the opportunity to pay the ransom in the first place.
Bad Rabbit is thought to be the latest malware from the group behind NotPetya, the June 2017 attack that was itself built on the Petya ransomware first seen in early 2016. Researchers at several firms found that Bad Rabbit and NotPetya share a substantial amount of code, much as a real virus can mutate while keeping most of its genome. It is possible that a different group modified the NotPetya code, but the early evidence points to the same authors.
The malware also spreads over SMB using EternalRomance, an exploit for a vulnerability (CVE-2017-0145) in unpatched versions of Windows. EternalRomance was developed by the NSA and leaked by the Shadow Brokers in April 2017, after which it showed up in numerous malware campaigns. The good news is that Microsoft patched the vulnerability in March 2017 (bulletin MS17-010), so fully updated machines cannot be infected this way; on networks that have not applied updates in a few months, however, Bad Rabbit can quickly move to other vulnerable hosts. Patching alone is not a complete defense against its lateral movement: public analyses found that Bad Rabbit also tries to log in to neighboring machines over SMB and WMI using credentials harvested from the infected host together with a built-in list of common usernames and passwords, which works regardless of patch level wherever credentials are weak or reused. And because the initial infection comes from a fake Adobe Flash installer that the user is tricked into running on a compromised website, even an up-to-date copy of Windows is vulnerable to that first step.
The last pieces of evidence bearing on authorship are the tooling and the code overlap. Bad Rabbit uses DiskCryptor, a legitimate open-source disk-encryption driver, to encrypt the disk, whereas NotPetya shipped its own modified Petya boot loader, so the disk-encryption component is actually a point of difference rather than a shared one. The stronger attribution evidence is the shared code elsewhere in the binaries (the lateral-movement and file-encryption logic and the same obfuscation). Nor does Bad Rabbit appear to be a wiper in the way NotPetya was: NotPetya's victims could never recover their data, while Bad Rabbit's encryption is reversible if the key is obtained. Taken together, the evidence points to, but does not prove, the NotPetya authors.
Security researchers initially believed that Bad Rabbit used the now-infamous EternalBlue exploit, which made WannaCry one of the most effective ransomware attacks and served as a wake-up call to the security community. Later analysis showed that Bad Rabbit does not use EternalBlue; its SMB exploit is the related EternalRomance, which relies on the same MS17-010 patch having been missed.
Standard Precautions Work
As always, the best protection against Bad Rabbit and other malware is to practice commonsense browsing habits, even on trusted websites. Never accept a third-party website's prompt to update software. Bad Rabbit's initial vector was exactly such a prompt: a fake Adobe Flash Player update offered by compromised news sites, which did nothing until the user ran the downloaded installer. Go to the vendor's own website to download the newest version instead, or use a client that keeps your software up to date without any interaction.
Updating Windows won't always protect an individual computer from malware, but as in the case of Bad Rabbit, it can stop the malware from spreading to other machines on your network, which keeps a single infection from spiralling into a business-halting disaster. Regular backups let you restore files in a matter of hours so that you lose only a day or two of work instead of months or years; keep at least one copy offline or otherwise isolated, because ransomware will happily encrypt any backup share it can reach.
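The two host-level checks the paragraphs above call for (is MS17-010 applied and SMBv1 off, so EternalRomance has nothing to hit, and is the host protected against the dropper) can be scripted. The following PowerShell is an added example, not code from the article or from any of the research teams it cites. It assumes an elevated prompt on Windows 8 / Server 2012 or later (Get-SmbServerConfiguration does not exist on older versions), the KB list is a partial list of the original March 2017 MS17-010 packages, and the two file names used by the vaccine come from public analyses of the sample.

```powershell
# Added example (not from the article): Bad Rabbit exposure check and local
# mitigation for one Windows host. Run from an elevated PowerShell prompt.

# Partial list of original MS17-010 KB numbers (assumption: later cumulative
# updates supersede these, so a miss here means "check Windows Update", not
# "definitely unpatched").
$Ms17010Kbs = @(
    'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217',
    'KB4012598','KB4013429','KB4015217','KB4015549','KB4015550','KB4015551',
    'KB4019472'
)

function Test-Ms17010Patch {
    # $true if any of the known MS17-010 packages is installed on this host.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # EternalRomance targets SMBv1; report whether the server side still has it on.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turning SMBv1 off removes the protocol the exploit needs, patched or not.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Install-BadRabbitVaccine {
    # Bad Rabbit drops its payload DLL as C:\Windows\infpub.dat and the
    # DiskCryptor driver as C:\Windows\cscc.dat (names from public analyses).
    # Pre-creating those files and stripping every ACL entry means the dropper
    # cannot write them, so it fails on this host. To remove the files later
    # an administrator must first take ownership of them.
    $paths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-Item -Path $p -ItemType File -Force | Out-Null
        }
        $acl = Get-Acl -LiteralPath $p
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, keep no inherited rules
        foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
        Set-Acl -LiteralPath $p -AclObject $acl
    }
}

# Report and remediate.
if (Test-Ms17010Patch) { 'MS17-010 package found.' }
else { 'No MS17-010 package found in Get-HotFix; verify through Windows Update.' }

if (Get-Smb1State) { 'SMBv1 is enabled; disabling it.'; Disable-Smb1 }
else { 'SMBv1 is already disabled.' }

Install-BadRabbitVaccine
'Vaccine files are in place.'
```

The vaccine is a host-specific stopgap tied to the file names this sample uses; it does nothing against a recompiled variant and is no substitute for patching, disabling SMBv1, and retiring shared or weak credentials, which are what actually limit lateral movement.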
What It Can’t Do
Bad Rabbit can encrypt files and the disk on an infected machine and spread laterally across a vulnerable network, but that is about the extent of its capabilities. It does not exfiltrate data, so victims need not worry about their files falling into the wrong hands, nor does it install a keylogger or other persistent spyware. One caveat: the credentials it harvests from an infected host with a bundled Mimikatz-style tool are used for lateral movement, so any passwords in use on infected machines should be treated as compromised and rotated after cleanup.
The Intended Targets
While information is still emerging about the extent of Bad Rabbit's damage, it appears that Russia was the primary target. Russian media companies (Interfax and Fontanka.ru among them) bore the brunt of the attack, and Ukrainian transport infrastructure, including Odessa airport and the Kiev metro, was also hit. Most of the compromised websites used to spread the malware were Russian- and Ukrainian-language news sites, so the effects outside of Eastern Europe have been light to nonexistent.
Also critical to limiting the attack's potential damage was its short time frame. Other ransomware campaigns have run for weeks, but Bad Rabbit started and abruptly stopped within a 24-hour period. On one hand, the short duration minimized financial damage; on the other, researchers have less evidence to examine, which limits how much Bad Rabbit can teach defenders about preventing the next campaign.
Ransom as the Preferred Method of Attack
A decade ago, most financial damage came from relatively simple scam and phishing attacks, which required victims to inadvertently reveal passwords, bank account numbers, or other sensitive information. Ransom-based attacks are something else entirely. Since 2012 they have become far more sophisticated and have grown rapidly year over year: by some industry estimates, ransomware went from a $350 million criminal enterprise to a $5 billion one in 2017, in just two years.
Fortunately, Bad Rabbit had a negligible impact on North American businesses, but the next attack could target any region at any time. The most effective mitigation strategy involves preventing infections in the first place, and ultimately, employee education is critical in this endeavor. The most technologically secure network in the world is still inherently vulnerable because of human error, and just a few hours of employee training each quarter can reap dividends in network security.