Bad Rabbit Ransomware leverages the NSA Exploit for lateral movements

Malware researchers at Cisco Talos team discovered the Bad Rabbit Ransomware leverages EternalRomance to propagate in the network.

New precious details emerge from the analysis of malware researchers at Cisco Talos and F-Secure who respectively discovered and confirmed the presence an NSA exploit in the Bad Rabbit ransomware.

On October 24, hundreds of organizations worldwide were hit by the Bad Rabbit ransomware, mostly in Russia and Ukraine.

The first reports on the ransomware revealed that the malicious code also relies on the Server Message Block (SMB) protocol to spread within the targeted network. Many experts excluded the use of the SMB exploits EternalBlue and EternalRomance for the lateral movements.

Previous reports confirmed that the Bad Rabbit ransomware does not use NSA-linked EternalBlue exploit, but researchers at Cisco Talos discovered the malicious code leverages EternalRomance to propagate in the network.

“Despite initial reports, we currently have no evidence that the EternalBlue exploit is being leveraged. However, we identified the usage of the EternalRomance exploit to propagate in the network. This exploit takes advantage of a vulnerability described in the Microsoft MS17-010 security bulletin. The vulnerability was also exploited during the Nyetya campaign.” reads the analysis published by the Talos team.

The EternalRomance vulnerability was patched by Microsoft in March 2017 with the release of the MS17-010 security bulletin that also fixed the EternalChampion, EternalBlue and EternalSynergy exploits.

Both exploits were disclosed by the Shadow Brokers hacker group earlier this year when the crew leaked a portion of the arsenal of the NSA-Linked Equation Group, a database containing hacking tools and exploits.

Almost every analysis produced since the discovery of the Bad Rabbit ransomware revealed many similarities between Bad Rabbit and NotPetya, including the targeting of Ukraine and Russia, the usage of Mimikatz tool, and the same type of file encryption.

However, while NotPetya is a wiper disguised by a ransomware, Bad Rabbit appears to be a real ransomware.

Another interesting aspect emerged by further analysis is related to the alleged planning of the attack that seems to be dated back months ago. Some of the compromised domains used in the Bad Rabbit ransomware attack had been set up since at least July 2017 and some of the injection servers were first seen more than a year ago.

According to malware researchers, NotPetya has been linked to BlackEnergy APT, for this reason, some experts suggest the same threat actor could be behind the Bad Rabbit ransomware.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Bad Rabbit ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.