Bad Rabbit - a variation on a theme?
Imitation is the sincerest form of flattery, as the old saying goes, and the attackers behind the latest global malware outbreak, which is reported to share code with Not-Petya and to echo WannaCry, seem to agree.
A swathe of enterprises have reported ransomware infections from what appears to be the same strain of malware. The current tally is reportedly more than 200 targets, including media organisations, an airport and an underground railway, almost all in Russia or Eastern Europe, with a few outlier incidents in Turkey and Germany.
Luckily the UK seems to be clear so far, with a statement from the National Cyber Security Centre claiming: “We are aware of a cyber incident affecting a number of countries around the world. The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.”
The initial infection is a drive-by download: compromised websites serve a fake Adobe Flash update, and the victim has to run the downloaded .exe themselves before anything happens, so this is not a silent exploit-based drive-by. Once a PC is infected, the malware uses worm-like functionality to move laterally across the network, harvesting credentials from the host and also attempting to brute-force logins on other machines using a built-in list of weak usernames and passwords. Finally, the malware encrypts files on the host and the Master Boot Record (MBR), then displays a ransom demand of 0.05 bitcoin (about £216 at the time). The ransom is collected via a Tor-hosted payment portal rather than Not-Petya’s highly improbable email-based scheme, which was shut down rapidly after Not-Petya surfaced back in June.
Perhaps more interestingly, the similarities to Not-Petya/ExPetr have led many to conclude that the same creator was behind both attacks. Although, contrary to some public claims, it does not rely on the EternalBlue exploit the way the Not-Petya outbreak did, there are many other similarities.
Kaspersky commented that some of the code in the two samples is the same, while “Other similarities include the same list of domains used for the drive-by attack as well as the same techniques used for spreading the malware throughout corporate networks — both attacks used Windows Management Instrumentation Command-line (WMIC) for that purpose.”
The company recommends that users block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat, and disable the WMI service (if possible in your environment) to prevent the malware from spreading. The second step is not free: WMI underpins a great deal of legitimate Windows management and monitoring tooling, so stopping the service will break those until it is re-enabled.
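One way to apply both of those recommendations on a single host, written here as an added example rather than anything published by the article or by Kaspersky: pre-create the two file paths named above and deny everyone access to them, so the dropper cannot write its payload there, then stop and disable the WMI service. The approach (occupying the paths with locked-down placeholder files) and the use of the Winmgmt service name are assumptions of this example; run it elevated and test it in a lab first, because the Winmgmt step will break management tooling.

```powershell
# Added example, not code from the article or from Kaspersky.
# Assumes: running as an administrator; the two paths named in the article;
# placeholder files with a Deny-Everyone ACE are enough to stop the dropper
# writing them (an assumption of this example, not a claim the article makes).

$paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($p in $paths) {
    # Occupy the path with an empty file so the malware cannot create its own.
    if (-not (Test-Path -LiteralPath $p)) {
        New-Item -Path $p -ItemType File -Force | Out-Null
    }

    # Add an explicit Deny-FullControl ACE for Everyone. An explicit deny wins
    # over any inherited allow, so even administrators cannot overwrite the file
    # without first changing the ACL.
    $acl  = Get-Acl -LiteralPath $p
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "Everyone", "FullControl", "Deny")
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $p -AclObject $acl

    # Belt and braces: mark the placeholder read-only as well.
    Set-ItemProperty -LiteralPath $p -Name IsReadOnly -Value $true
}

# Verify: each path should exist and carry the Deny ACE.
foreach ($p in $paths) {
    $hasDeny = (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone' }
    "{0}: exists={1} denyEveryone={2}" -f $p, (Test-Path -LiteralPath $p), [bool]$hasDeny
}

# Kaspersky's second recommendation: disable WMI where the environment allows it.
# -Force also stops services that depend on Winmgmt; expect monitoring, SCCM
# and similar tooling to stop working until this is reverted.
Stop-Service -Name Winmgmt -Force
Set-Service -Name Winmgmt -StartupType Disabled
```

To revert, remove the Deny ACE with Get-Acl/RemoveAccessRule (or `icacls <path> /remove:d Everyone`), delete the placeholder files, and set Winmgmt back to its default Automatic start type.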
Given the success of Not-Petya, it is not entirely surprising that the code would be reused by attackers, and the improved ransom-collection setup points to a more commercially minded operation.
Indeed, a recent report from Carbon Black identified a 2,502 per cent increase in ransomware sales on underground marketplaces from 2016 to 2017, which the researchers extrapolated to around $6.2 million in sales, up from the previous year’s total of about $250,000. The same researchers found more than 6,300 marketplace listings currently offering ransomware.
Ilia Kolochenko, CEO of web security company High-Tech Bridge commented on the scourge of ransomware: “Ransomware is a simple and reliable way to get money from cybercrime. We should expect that ransomware will continue its growth and will stay with us over the next decade at least.
“Many organizations and individuals have abandoned machines they have not updated for years for various reasons, from overt negligence to complicated business processes and compliance. Worse, many large companies and governmental organizations don’t even have a comprehensive and up-to-date inventory of their digital assets, and are not even aware that such systems exist. Professional cybercriminals also start leveraging recent vulnerabilities and advanced exploitation and encrypting techniques in their campaigns, making ransomware a headache even for companies with well-managed cybersecurity.”
Based on this week’s events, it seems likely we’ve not heard the last from Not-Petya’s creator(s), or at least the code they designed…