A new report on the BadRabbit ransomware campaign that sprang up earlier this week has revealed that BadRabbit is most likely derived from NotPetya, based on clues in the code and other evidence.
The majority of what Group IB disclosed was revealed earlier by other sources, but Rustam Mirkasymov, a threat intel expert at the firm, has more closely tied BadRabbit’s authors to those who perpetrated the Petya/NotPetya attacks last June. He cited similarities in the code and how the attackers laid the groundwork for BadRabbit with other hacks.
“It is highly likely that the same group of hackers was behind [the] BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Mirkasymov said in his report.
Group IB was the first research firm to identify that BadRabbit had hit the wild on October 24.
Mirkasymov said the code similarities are close enough to believe that BadRabbit and NotPetya were created by the same person or the author at least had access to NotPetya source
“Based on disassembling and researching the code of BadRabbit we assume that BadRabbit was compiled from NotPetya source code as another project with several additions,” he said. “Also, in both attacks modules are packed with zlib 1.2.8 in resources, with one difference in BadRabbit, which additionally xored them with constant 0xE9.”
Moreover the way the attackers prepped the battlefield, so to speak, by hacking into several Russian media websites, turning them into watering holes, is similar to how the NotPetya attacks transpired. This time around, the fake Flash Player update was installed, which when clicked downloaded the ransomware.
“In a similar manner, if we look back to [the] NotPetya attack, the system administrator of the Ukrainian developer of document management system M.E.Doc was hacked. Through it, attackers gained access to the update server and installed their firmware to infect users with NotPetya virus,” Mirkasymov said.
These maneuvers may have given away part of the game and been behind the warnings issued on October 12 by Ukraine’s SBU security servic,e stating an attack was imminent.
As for why the attack seemingly fizzled out after just a few days, Endgame researcher Amanda Rousseau believes it was the malware’s reliance on humans to download the fake Flash Player update. While BadRabbit could move laterally through a company once it was ensconced in a system, it could not spread beyond without help.