On October 24th, media outlets reported on an outbreak of ransomware affecting various organizations in Eastern Europe, mainly in Russia and Ukraine. Identified as “Bad Rabbit”, initial reports about the ransomware drew comparisons with the WannaCry and NotPetya (EternalPetya) attacks from earlier this year. Though F-Secure hasn’t yet received any reports of infections from our own customers, we’re actively investigating. And while the investigation is still ongoing, initial results from our analysis did find similarities between Bad Rabbit and the NotPetya ransomware that hit companies late last June.
We think there’s good evidence that suggests the same person or group is responsible for both last June’s NotPetya attacks and what we’re seeing now with Bad Rabbit. Malware authors often learn from what works, so finding the same characteristics in different families is not uncommon. But the similarities we’re seeing here are too much to be just one attacker copying another.
Without getting too technical, here’s a handful of the similarities between NotPetya and Bad Rabbit:
There are also some notable differences between the two, including:
Like NotPetya, Bad Rabbit displays two ransom notes: one for the MBR encryption, shown at boot, and a text note for the file encryption.
Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. Visit our web service at caforssztxqzf2nm.onion Your personal installation key#2: [REDACTED]
Users are directed to pay the ransom at a specified payment site, which also provides the amount of the ransom to be paid.
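As an added triage example (this is not F-Secure's code or tooling), the following Python sweeps a directory tree for the two markers the quoted note supplies, the .onion address and the opening sentence, and reports which files contain them. The sample files, their names, the 1 MiB read cap and the UTF-8 then UTF-16 decoding fallback are constructed assumptions for the demonstration, not documented properties of Bad Rabbit.

```python
import os
import tempfile

# Indicators taken from the ransom note quoted above. The .onion address is the
# strongest single marker; the opening phrase is a weaker, corroborating one.
RANSOM_NOTE_INDICATORS = (
    "caforssztxqzf2nm.onion",
    "Oops! Your files have been encrypted.",
)


def _read_text(path, max_bytes=1 << 20):
    """Read up to max_bytes of a file and decode it as UTF-8, falling back to
    UTF-16 (Windows notepad-style files). The fallback order and the size cap
    are assumptions chosen for the demo; undecodable/binary data yields ''."""
    with open(path, "rb") as fh:
        raw = fh.read(max_bytes)
    for enc in ("utf-8", "utf-16"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return ""


def find_ransom_notes(root, indicators=RANSOM_NOTE_INDICATORS):
    """Walk root and return {relative_path: [matched indicators]} for every
    file containing at least one indicator string. Paths use '/' separators
    so results are stable across platforms."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = _read_text(path)
            matched = [ioc for ioc in indicators if ioc in text]
            if matched:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = matched
    return hits


def build_sample_tree():
    """Create a temporary directory of constructed sample files (not real
    artifacts): a UTF-8 note, a UTF-16 fragment, a benign text file and a
    binary blob. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="badrabbit_sweep_")
    note = ("Oops! Your files have been encrypted. ... Visit our web service at "
            "caforssztxqzf2nm.onion Your personal installation key#2: [REDACTED]")
    with open(os.path.join(root, "Readme.txt"), "w", encoding="utf-8") as fh:
        fh.write(note)
    sub = os.path.join(root, "Documents")
    os.makedirs(sub)
    with open(os.path.join(sub, "note_utf16.txt"), "w", encoding="utf-16") as fh:
        fh.write("Visit our web service at caforssztxqzf2nm.onion\n")
    with open(os.path.join(sub, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("Quarterly report, nothing to see here.\n")
    with open(os.path.join(sub, "blob.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, matched in sorted(find_ransom_notes(sample_root).items()):
        print(f"{rel_path}: {', '.join(matched)}")
```

Point `find_ransom_notes` at a mounted image or a user profile to get a quick list of dropped notes; matching on the .onion address alone avoids false positives from unrelated "Oops!" strings, while the two-indicator result distinguishes a full note from a stray fragment.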
A threat description of the Bad Rabbit ransomware is available at Trojan:W32/Rabbad and will be updated as and when more details are confirmed.
In the meantime… our endpoint protection products have a variety of measures baked in that prevent Bad Rabbit infections.
Edited to update: the EternalRomance mention above has been struck through. We have verified the same observations as Cisco Talos about Bad Rabbit exploiting EternalRomance.