BadRabbit

Two days after the Bad Rabbit ransomware outbreak has wreaked havoc in Russia and Ukraine, security researchers are still unearthing details regarding the malware's modus operandi.

While initially it was believed that the ransomware spread from the initial victim to nearby computers using a custom scanning mechanism that relied on the SMB protocol, new research published today by Cisco Talos and F-Secure reveals the Bad Rabbit ransomware also used a modified version of an NSA exploit to bolster the spreading process.

Third time's a charm

This marks the third time this year when a global ransomware epidemic has used cyber-weapons developed by the NSA and leaked online by a group of hackers going by the name of The Shadow Brokers.

WannaCry was the first ransomware wave that used an NSA cyber-weapon, deploying the ETERNALBLUE exploit to move laterally inside infected networks back in May this year.

A month later, the NotPetya ransomware outbreak deployed the ETERNALBLUE and ETERNALROMANCE exploits for the same purpose.

Experts find ETERNALROMANCE code inside Bad Rabbit

When Bad Rabbit hit this week, researchers expected to see the same thing, but to their surprise, initial analysis did not find any NSA tools at all.

First reports said the ransomware used Mimikatz to dump passwords from an infected computer's memory, which it used together with a list of hard-coded credentials to access SMB shares on the same network.

In an update to its Bad Rabbit report, Cisco Talos said today that after researchers continued to dig at the ransomware's code, they found evidence of ETERNALROMANCE, an NSA exploit that also spreads via SMB.

Exploit was not initially spotted because it was modified

This was not a pure implementation, and some modifications were made to the exploit's code, hence the reason most researchers and automated scanning systems didn't detect it from the get-go.

"It is very similar to the publicly available Python implementation of the EternalRomance exploit that is also exploited by [NotPetya]," Cisco Talos researchers said. "However, the BadRabbit [EternalRomance] exploit implementation is different than the one in [NotPetya], although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak."

Cisco's findings were also confirmed by F-Secure. Furthermore, Cisco provided more details that strengthen multiple reports saying that Bad Rabbit and NotPetya were created by the same authors.

"We assess with high confidence that BadRabbit is built on the same core codebase as [NotPetya]," the Cisco team said today, "and that the build tool chain for BadRabbit is highly similar to the build tool chain for [NotPetya]."

Earlier this year, ESET linked the NotPetya authors to TeleBots, a cyber-espionage group with ties to the Russian government.