I think by now everyone out there is aware of the malware outbreak commonly referred to as “#BadRabbit” – in case you aren’t, I’d like to congratulate you on your quiet evening last night, and ask you to read this (or this, for a more detailed technical approach) write-up.
Shortly after the first reports showed up on the Internet I saw attempts (some of them were really cool) at attributing this attack to a certain threat actor, with varying degrees of success or credibility / plausibility, as well as attempts to link #BadRabbit to ongoing APT campaigns (it utilizes the same functions to handle process hashes as NotPetya, thus it has to be linked to BlackEnergy .. what the fuck, Group IB?).
In the end, the most common version that repeatedly came up in my filter bubble was that the perpetrator behind #BadRabbit was a nation state actor, or someone affiliated to / working for / together with a nation state actor, with the intended goal of taking revenge for the NotPetya-incident back in June, which was attributed to Russia afterwards.
At first glance, this doesn’t sound too implausible. There were some striking similarities to NotPetya (again, at first glance), and a lot of the big targets – news organisations, mainly – were based in Russia .. and in Ukraine, Turkey, Poland, Bulgaria, Japan, Germany and probably some other countries too.
The compromised websites (ab)used for spreading the fake Flash update weren’t limited to ones with a mostly Russian-speaking audience either. Again, there was everything from Turkish social media aggregation services to a German support service for accommodation bookings. This isn’t exactly what I would call targeted at Russia.
I’ve also read voices that thought that the nearly 300$ demanded by the ransomware is far too little to be anything more than a decoy for a wiper, just as we saw with NotPetya, thus further feeding into the revenge-theory.
The first thing that speaks against this statement is that Kaspersky has proven that decryption is possible. There’s no mention of how they achieved that, and they haven’t said anything about a flaw in the encryption process; one of the BTC addresses linked to the ransomware received a transaction this morning that was roughly the equivalent of the ransom, so maybe they even paid for the key.
Still, admittedly, ~300$ really isn’t much compared to the average ransom demanded throughout 2017:
(Image via Symantec 2017 Internet Security Threat Report)
Besides the fact that lower demands could potentially mean more ‘customers’ would be willing to pay in general, thus netting a bigger profit, you have to keep in mind that the majority of victims stem from countries in Eastern Europe, where the average salary is a lot smaller than in Western Europe. Maybe the criminals simply learned from the mistakes of their fellow blackmailers, who suffered a major failure of their ransomware-campaign in Taiwan earlier this year, because they overestimated the average income in the area.
So the arguments that #BadRabbit can’t be criminals with financial motivations already face legitimate counterpoints on an operational level. What does it look like on a more ‘technical’ level (I won’t start comparing code snippets, that’s not my domain. I’ll just leave this link, showing that the amount of code the original Petya and #BadRabbit share is exactly 13.3%.)?
Since I’m currently recovering from a cold, I only took a quick look at the first thing that jumped at me, the network-details around the initial infection. I’m hoping someone else with more skills, time and energy will do a more thorough analysis of the whole case.
The nameserver for the domain that hosted the faked Flash-update, 1dnscontrol[.]com, seems to be part of a network of nameservers used for .. let’s call them ‘interesting domains’. The whole subnet it’s situated in is on a couple of dozen blacklists.
The IP address the domain is pointed at, 5.61.37[.]209, belongs to a company named ‘3NT Solutions LLP’ which doesn’t seem to be your average hoster, but rather one with a reputation for a ‘dirty’ network. And indeed, if you look at what other domains are pointed towards this IP address, you’ll find tons of sites related to forged online pharmacies, phishing and spam.
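The infrastructure pivot described above (refang the defanged indicators, check whether the IP sits in a blocklisted subnet, list what else resolves to it), written up as an added Python example that is not part of the original post. Only 1dnscontrol[.]com and 5.61.37[.]209 come from the post; the blocklist prefix and the co-hosted domains are constructed placeholders.

```python
import ipaddress

# Indicators defanged the way the post writes them (dots in brackets so
# they are not clickable); 1dnscontrol[.]com and 5.61.37[.]209 are from the post.
DEFANGED_INDICATORS = ["1dnscontrol[.]com", "5.61.37[.]209"]

# Constructed blocklist: the post says the subnet is on dozens of blocklists
# but does not give its prefix, so these prefixes are placeholders.
BLOCKLISTED_NETWORKS = ["5.61.37.0/24", "203.0.113.0/24"]

# Constructed passive-DNS style records (domain, resolved IP). Every entry
# except the post's own domain is invented for this example.
PASSIVE_DNS = [
    ("1dnscontrol[.]com", "5.61.37[.]209"),
    ("cheap-pills-example[.]net", "5.61.37[.]209"),
    ("login-verify-example[.]org", "5.61.37[.]209"),
    ("unrelated-example[.]com", "198.51.100.7"),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a string a lookup tool accepts."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def in_blocklisted_network(ip: str, networks=BLOCKLISTED_NETWORKS) -> bool:
    """True if the (possibly defanged) IP falls inside any blocklisted prefix."""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def cohosted_domains(ip: str, records=PASSIVE_DNS) -> list:
    """The 'what else points at this IP' pivot over passive-DNS records."""
    target = refang(ip)
    return sorted(refang(d) for d, resolved in records if refang(resolved) == target)


def triage(ip: str) -> dict:
    """Bundle the two checks a defender runs on a hosting IP from an incident."""
    return {
        "ip": refang(ip),
        "blocklisted": in_blocklisted_network(ip),
        "cohosted": cohosted_domains(ip),
    }


if __name__ == "__main__":
    print(triage("5.61.37[.]209"))
```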
All we see here is someone re-using existing infrastructure that’s related to malicious activities with financial motivations to spread ransomware that looks somewhat similar to other variants we’ve seen this year – with these obvious connections to domains, hosters and characteristics of cybercrime, it’s clear that this is just a criminal gang using somewhat new tricks to make a quick buck, right?
No, it isn’t. Ignoring the fact that my quick look at things doesn’t even warrant the term ‘analysis’, this could be coincidental, this could be a false flag, it could be a criminal gang, it could be a nation state actor with a political motivation, it could be a mixture of all of these things – we simply don’t know yet, there is no hard evidence and not even enough circumstantial evidence to credibly point fingers at something or someone.
Attribution is one of the hardest things when it comes to security incidents, and even though it doesn’t matter that much while the incident is ongoing, it’s one of the first things we tend to focus on, rather than collecting hard facts on how to stop an attack and/or limit damage. I think we need to get our focus right (again).
Also I’m so not sorry for picking that rabbit as picture for this post. Bad rabbit? More like Bad-ass rabbit!