Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



‘Bad Rabbit’ Attack Infrastructure Set Up Months Ago

The infrastructure used by the Bad Rabbit ransomware was set up months ago and an increasing amount of evidence links the malware to the NotPetya attack launched in late June, which some experts believe was the work of a Russian threat actor.

The infrastructure used by the Bad Rabbit ransomware was set up months ago and an increasing amount of evidence links the malware to the NotPetya attack launched in late June, which some experts believe was the work of a Russian threat actor.

A majority of the Bad Rabbit victims are in Russia – over 80% according to some reports – where the ransomware hit several media outlets, including Interfax. Significant infections have also been observed in Ukraine, where the malware reportedly hit major organizations such as the airport in Odessa, the Kiev subway, the State Aviation Service of Ukraine, and the Transport Ministry of Ukraine.

Infections have also been spotted in Bulgaria, Turkey, Germany, Japan, the United States, South Korea and Poland.

Unlike the NotPetya attack, which hit tens of thousands of systems in more than 65 countries, Bad Rabbit, delivered by attackers via fake Flash Player installers, only infected a few hundred machines mainly belonging to enterprises. The attack began on October 24 at around 10 AM UTC and the majority of infection attempts were detected in the first couple of hours.

Analysis conducted by researchers and security firms showed many connections between Bad Rabbit and NotPetya, including the use of legitimate features such as SMB to spread within the compromised network. However, Bad Rabbit does not use EternalBlue or any other exploit. [UPDATE. Bad Rabbit does in fact use the EternalRomance exploit to spread]

The security researcher known online as Bart Blaze has published a useful table summarizing the similarities and differences between NotPetya and Bad Rabbit. The similarities include targeting of Ukraine and Russia, binaries signed with expired certificates, use of Mimikatz for credential-grabbing, reboots and persistence via scheduled tasks, removal of event logs and USN change journals, and the same type of file encryption and ransomware functionality.

One of the most significant differences is the fact that Bad Rabbit appears to be an actual ransomware and, at least in theory, users can recover their encrypted files if they pay the ransom; unlike NotPetya, which has been classified as a wiper due to the fact that the ransom payment functionality is not implemented properly, making the recovery of files impossible.

Advertisement. Scroll to continue reading.

Bad Rabbit infrastructure

Kaspersky Lab researcher Costin Raiu pointed out that several of the compromised domains used in the Bad Rabbit attack had been set up for malicious activity since at least July.

An analysis by RiskIQ shows that some of the injection servers involved in the attack were set up more than a year ago.

“While this list is most likely incomplete, it does show that it’s part of a long-running campaign. The operators of this campaign have been able to use this position to target unique visitors based on IP space they associate with their targets,” explained RiskIQ’s Yonathan Klijnsma.

“The thing we do not understand at this point is why they decided to burn this information position to mass distribute the BadRabbit ransomware rather than save it for another type of malware. The goal of the attack using ExPetya back in June was simple: cause as much disruption in the Ukraine and those associated with Ukraine as possible which also seems the case in the BadRabbit attack,” Klijnsma added.

Russian security firm Group-IB noted that the domain serving the fake Flash Player installer, 1dnscontrol[dot]com, was hosted by Inferno, which is run by the same people as 3NT Solutions and V3Servers. The activities of this hosting company were detailed back in 2014 by British researcher Conrad Longmore, who has now provided an updated list of IP addresses that he believes should be blocked by organizations.

“The domain name was registered on 22 March 2016 and is currently prolonged. There are a number of malicious domains associated with this site, which relate back to 2011. It is possible that these domains have also been compromised or are used for analogous attacks,” Group-IB said.

Links to BlackEnergy

NotPetya, which is also tracked as Diskcoder, Petya, Petrwrap, exPetr and GoldenEye, was linked back in early July to a threat group known as TeleBots, BlackEnergy and Sandworm Team, which experts have tied to Russia and which is believed to be behind cyberattacks on Ukraine’s power grid.

NotPetya was linked to BlackEnergy based on similarities to a wiper used by the threat actor, Yara rules detecting both BlackEnergy and NotPetya malware, and previous ransomware attacks that hit Ukraine.

Several security firms and researchers pointed out that if the NotPetya attack was conducted by BlackEnergy, and Bad Rabbit was created by the same developers that made NotPetya, the obvious conclusion would be that Bad Rabbit is also the work of the Russia-linked hackers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...