Group IB shows even tighter ties between BadRabbit and NotPetya

A new report on the BadRabbit ransomware campaign that sprang up earlier this week has revealed that BadRabbit is most likely derived from NotPetya, based on clues in the code and other evidence.

The majority of what Group IB disclosed was revealed earlier by other sources, but Rustam Mirkasymov, a threat intel expert at the firm, has more closely tied BadRabbit’s authors to those who perpetrated the Petya/NotPetya attacks last June. He cited similarities in the code and in how the attackers laid the groundwork for BadRabbit with other hacks.

“It is highly likely that the same group of hackers was behind [the] BadRabbit ransomware blast on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the fuel, telecommunications and financial sectors in Ukraine in June 2017,” Mirkasymov said in his report.

Group IB was the first research firm to identify that BadRabbit had hit the wild on October 24.

Mirkasymov said the code similarities are strong enough to believe that BadRabbit and NotPetya were created by the same person, or that the author at least had access to the NotPetya source.

“Based on disassembling and researching the code of BadRabbit we assume that BadRabbit was compiled from NotPetya source code as another project with several additions,” he said. “Also, in both attacks modules are packed with zlib 1.2.8 in resources, with one difference in BadRabbit, which additionally xored them with constant 0xE9.”
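The packing detail quoted above (zlib-compressed resource modules, additionally XORed with 0xE9 in BadRabbit) gives an analyst a cheap triage check. The following is an added example, not code from Group IB or from the malware; it assumes the raw resource blob has already been pulled out of the PE with a separate parser, and the sample data is constructed here, not a real module.

```python
import zlib

XOR_KEY = 0xE9  # constant the report attributes to BadRabbit's packed resources


def try_inflate(blob: bytes):
    """Return the zlib-inflated bytes, or None if the blob is not a valid zlib stream."""
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return None


def unpack_resource(blob: bytes):
    """Classify a packed PE resource blob by which unpacking scheme succeeds.

    Returns (scheme, payload): scheme is 'zlib' (plain, as in NotPetya),
    'xor-0xE9+zlib' (as described for BadRabbit) or None if neither applies.
    """
    plain = try_inflate(blob)
    if plain is not None:
        return "zlib", plain
    # Undo the single-byte XOR first, then inflate.
    unxored = bytes(b ^ XOR_KEY for b in blob)
    inflated = try_inflate(unxored)
    if inflated is not None:
        return "xor-0xE9+zlib", inflated
    return None, None


# Constructed sample data (not real malware): a fake module packed both ways.
SAMPLE_MODULE = b"MZ" + b"\x00" * 14 + b"constructed module body " * 8
PACKED_PLAIN = zlib.compress(SAMPLE_MODULE)
PACKED_XORED = bytes(b ^ XOR_KEY for b in PACKED_PLAIN)

if __name__ == "__main__":
    for name, blob in (("plain", PACKED_PLAIN), ("xored", PACKED_XORED), ("junk", b"\x13\x37" * 8)):
        scheme, payload = unpack_resource(blob)
        print(name, "->", scheme, len(payload) if payload else 0)
```

A successful `xor-0xE9+zlib` result is only a hint toward this family, not an identification on its own; confirm against the inflated module itself.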

Moreover, the way the attackers prepped the battlefield, so to speak, by hacking into several Russian media websites and turning them into watering holes, is similar to how the NotPetya attacks transpired. This time around, a sham Flash Player update was planted on the sites, which when clicked downloaded the ransomware.

“In a similar manner, if we look back to [the] NotPetya blast, the system administrator of the Ukrainian developer of document management system M.E.Doc was hacked. Through it, attackers gained access to the update server and installed their firmware to infect users with NotPetya virus,” Mirkasymov said.

These maneuvers may have given away part of the game and been behind the warnings issued on October 12 by Ukraine’s SBU security service, stating an attack was imminent.

As for why the outbreak seemingly fizzled out after just a few days, Endgame researcher Amanda Rousseau believes it was the malware’s reliance on humans to download the fake Flash Player update. While BadRabbit could move laterally through a company once it was ensconced in a system, it could not spread beyond without help.

The post Group IB shows even tighter ties between BadRabbit and NotPetya appeared first on SC Media.
