Bad Rabbit

Several security firms have come forward today with evidence linking the Bad Rabbit ransomware outbreak that happened yesterday to the NotPetya ransomware outbreak that took place at the end of June this year.

Most of the reports focused on the vast similarities between the Bad Rabbit and NotPetya source code.

Companies like Bitdefender, Cisco Talos, ESET, Group IB, Intezer Labs, Kaspersky Lab, and Malwarebytes, along with security researcher Bart Parys, have published reports on the connections between these two strains.

"[Bad Rabbit] appears to have some similarities to [NotPetya] in that it is also based on Petya ransomware," Cisco experts explain in their report. "Major portions of the code appear to have been rewritten," researchers add, reflecting similar conclusions in other reports.

Bad Rabbit is most likely the work of the TeleBots APT

In June, ESET tied the NotPetya ransomware campaign to a cyber-espionage group named TeleBots, previously known for attacking Ukraine's power grid in December 2015 and December 2016.

The group has been active since 2007 and is tracked under different names, such as Sandworm, BlackEnergy, and most recently TeleBots, while other lesser-known names include Electrum, TEMP.Noble, and Quedagh.

Infosec specialists know TeleBots for targeting Ukraine, and many suspect the group operates out of Russia and is under the control of Russian authorities, because the hackers refocused operations on Ukrainian targets right after Russia invaded the Crimean Peninsula, a former Ukrainian territory.

TeleBots' obsession with Ukraine became apparent in June, when the NotPetya ransomware infected mostly Ukrainian users, who accounted for between 60% and 70% of all infections.

Things were very different for the Bad Rabbit outbreak, as most victims were located in Russia (~70%). But while Russia suffered more infections, most of the high-value targets were in Ukraine, with infections reported in airports, metro systems, and government agencies.

Group built its infrastructure for months

Besides reports that focused on Bad Rabbit's source code, there were also reports that focused on the infrastructure behind the attacks.

According to experts from RiskIQ and Kaspersky Lab, hackers took months to hack into websites and host the malicious scripts needed to push out fake Flash Player updates that helped spread the ransomware initially, before Bad Rabbit's lateral network movement module kicked in.

Only a nation-state-backed group like TeleBots could afford to waste three to four months building infrastructure for a ransomware outbreak.

Moreover, according to RiskIQ, some websites were compromised as far back as 2016, suggesting they were part of a different operation altogether.

Researchers looking at Bad Rabbit as a ruse

This is why some experts are now considering the theory that the ransomware outbreak was actually a cover to mask other, more sinister attacks.

Experts argue that while investigators were focused on getting to the bottom of the ransomware infection, TeleBots could be quietly siphoning off data from sensitive targets. In addition, TeleBots could have also deployed the ransomware as a way to destroy evidence of previous undetected intrusions.

Deploying ransomware as a cover was a novel concept last year, but one that has become a reality in the meantime.