A new wave of ransomware attacks has begun to spread across Europe.
According to reports, the malware has infected hundreds of systems at major organizations, primarily in Russia, Ukraine, Turkey, and Germany.
Dubbed ‘Bad Rabbit,’ this ransomware resembles the NotPetya attack of last June, which caused billions of dollars in damages to victims. Even the ransom note displayed on victims' screens, telling them their computers have been compromised, echoes NotPetya's wording. Like other ransomware, Bad Rabbit encrypts data on infected machines and demands payment to unlock the files, in this case 0.05 bitcoin, about $330.
While the technical details of the attack are intriguing, from a broader view, the attack speaks to the growing trend of increasingly sophisticated malware campaigns.
This campaign appears to have been narrowly scoped and to have chosen its victims carefully. According to a report by Kaspersky Lab, the criminals behind Bad Rabbit ran a targeted effort against “corporate networks.” The infection method was a “drive-by” download: the attackers compromised legitimate websites that their intended victims were likely to visit and planted malicious code on those pages. When a visitor interacts with the site, for example by accepting a bogus prompt to install a software update, he or she unknowingly launches the malware. Note that this is not a silent exploit of a browser flaw; the victim has to run the downloaded file, so a single click is the whole initial infection chain.
Bad Rabbit in this way marks the next milestone in the development of ransomware campaigns. Its impact on large organizations recalls the infamous WannaCry epidemic, which spread indiscriminately over SMB but crippled basic public services, and the series of Defray attacks earlier this year, which were narrowly targeted at specific sectors. Defray added a further element to focus its attacks: the attackers sent custom-tailored Word files containing the malicious code in phishing emails.
Another point worth noting is that the details of the attack rule out many of the usual suspects. Since many of the victims were major Russian firms, it is unlikely that the attack originated in that country, and the victims in Ukraine suggest that it is not tied to the years-old conflict between Ukraine and Russia. Furthermore, unlike other recent ransomware outbreaks, Bad Rabbit does not appear to use the EternalBlue exploit, which targets a flaw in the Windows SMBv1 protocol (patched by Microsoft as MS17-010) and was allegedly developed by the NSA before being leaked by the hacker group known as the Shadow Brokers.
These unconventional elements of Bad Rabbit suggest two things. First, the set of actors capable of executing such attacks is diversifying. Second, the “standard” methods used in ransomware campaigns are being refined. Attacks will become more and more targeted, and attackers will keep developing new techniques to deceive victims.
All of this underlines, of course, the importance of user education and of basic security hygiene. In a malware epidemic, a handful of negligent moves can open the floodgates for the malware to spread laterally through large, even international networks. As one pointed example, Microsoft released the patch for the flaw exploited by EternalBlue (MS17-010) in March 2017, about two months before WannaCry struck, and organizations that had applied it were not infected by the worm. Patching alone is not a complete answer, however: Bad Rabbit spreads laterally over SMB using a built-in list of common usernames and passwords together with credentials harvested from the infected host, so weak or reused passwords and unrestricted SMB traffic inside the network are as dangerous as a missing patch.
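As an added example (not part of the original article), the following PowerShell script is one way an administrator can check a Windows host for the hygiene points discussed above: that the SMBv1 protocol attacked by EternalBlue is disabled, that an MS17-010 update is present, and that inbound SMB is not open to the whole network. The KB numbers are the ones Microsoft listed in the MS17-010 bulletin for the affected Windows versions; later cumulative updates supersede them, so verify against the bulletin for your build.

```powershell
# Added example: audit a Windows host for SMBv1 exposure and MS17-010 patch presence.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later
# (the Smb* and Net* cmdlets are not available on Windows 7).
# KB list is taken from the MS17-010 bulletin; on Windows 10 later cumulative updates
# supersede these, so a missing KB is a reason to investigate, not proof of exposure.

$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Vista / Server 2008, and out-of-band XP / 2003 / Windows 8
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

# 1. Is the SMBv1 server component switched on?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is ENABLED. Disable it unless a legacy device truly needs it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Output 'SMBv1 server protocol is disabled.'
}

# 2. Is the optional SMB1Protocol feature still installed? Removing it takes the code off the box.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Write-Warning 'SMB1Protocol feature is installed. Remove it with:'
    Write-Warning '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}

# 3. Is any MS17-010 hotfix present?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object {
        Write-Output "MS17-010 update present: $($_.HotFixID) installed $($_.InstalledOn)"
    }
} else {
    Write-Warning 'No MS17-010 hotfix found. Confirm a newer cumulative update is installed, or patch now.'
}

# 4. Lateral-movement surface: are inbound File and Printer Sharing (TCP 445) rules enabled?
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
if ($rules) {
    Write-Warning 'Inbound File and Printer Sharing rules are enabled; restrict TCP 445 to hosts that need it.'
}
```

The SMB checks matter for Bad Rabbit even though it did not use EternalBlue: it still moved between machines over SMB, so limiting which hosts can reach port 445 and removing SMBv1 shrink the path it and similar worms depend on.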
That alone gives the global community of users some hope of building a solid wall of defense against the constantly evolving slew of cyber threats.