EternalRomance NSA Exploit a Key Player in Bad Rabbit Ransomware Mayhem

Two days ago we reported on the havoc caused by Bad Rabbit ransomware throughout Europe, mainly in Ukraine and Russia. Two days on, security experts are still unable to identify how Bad Rabbit is compromising devices at such a massive scale.

Initially, it was believed that a customized scanning mechanism which exploited the SMB protocol was responsible for the distribution of this ransomware. However, according to the latest findings from cybersecurity firms F-Secure and Cisco Talos, a modified version of one of the tools used by the NSA (National Security Agency) of the United States is also playing a key role in the distribution of Bad Rabbit.

This isn’t the first time that a massively disastrous ransomware campaign has been launched using cyber-weapons developed by the NSA. Previously, the ETERNALBLUE exploit was used in the WannaCry ransomware campaign in May 2017, and the very next month the ETERNALBLUE and ETERNALROMANCE exploits were used in the NotPetya ransomware campaign. It is worth noting that a hacker group called The Shadow Brokers is responsible for making the NSA’s exploits public.

According to the latest revelations from Cisco Talos and F-Secure, ETERNALROMANCE code has been identified inside Bad Rabbit ransomware. This is contrary to initial reports, which suggested that rather than any NSA exploit, Mimikatz was used to infect a computer and dump its passwords from memory using hard-coded credentials. However, continued investigation revealed that the ETERNALROMANCE exploit is used in this campaign. This particular tool also uses the SMB protocol for its distribution, and because a modified version of it was used in Bad Rabbit, security experts could not identify it immediately.

“It is very similar to the publicly available Python implementation of the EternalRomance exploit that is also exploited by [NotPetya]. However, the BadRabbit [EternalRomance] exploit implementation is different than the one in [NotPetya], although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” noted Cisco Talos researchers.

These findings have been confirmed by F-Secure researchers as well. It has also been identified that Bad Rabbit and NotPetya were both developed by the same authors, because their core codebase and build toolchain are similar. Both also use the commercial DiskCryptor code for encrypting the hard drive, while Wiper code removes the drives on the victim’s computer.

The Bad Rabbit campaign was identified by security researchers at Kaspersky Lab on October 24th. In a detailed blog post, Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote that Bad Rabbit is distributed through drive-by download attacks and uses fake Adobe Flash Player installers to trick victims into installing the malware.

“While the severity of this attack is still unknown as the attack is still spreading, the level of systems being targeted is cause for concern. Whenever critical infrastructure is hit, it is a stark reminder of why cybersecurity needs to be a top concern for both private and public institutions around the world.

In this case, a simple ‘fake Flash update’ is the culprit, reinforcing the need for all employees to be hyperaware of what sites they are visiting and what links they are clicking. While there is no way to prevent all mistakes, it is important for companies to ramp up cybersecurity training for all employees,” said Vishal Gupta, CEO of Seclore.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.