Those responsible for two of the largest ransomware attacks of 2017 designed their malware to carefully handle computers with Russian anti-virus products installed, security researchers have told CyberScoop.
For the third time in less than six months, a ransomware-style cyberattack spread across Eastern Europe in a matter of hours. The attack, dubbed “BadRabbit,” infected computers inside Ukrainian and Russian government agencies, Ukrainian transportation facilities and Russian news outlets, among other targets, causing a disruption in normal business operations that, for some, continues today.
Although most of BadRabbit’s impact occurred in Russia, there’s evidence that the malware compromised organizations in several countries other than Ukraine, including Japan and Turkey. The virus, when successfully installed, will encrypt files and then request a payment in the form of Bitcoin from victims in order to unlock their systems.
Experts say there’s likely more to the story than a simple ransom collection.
An investigation into BadRabbit from both law enforcement and the private research community is ongoing. It remains unclear how the ransomware arrived on every infected device or what motivated the hackers behind this attack. Researchers say the hackers responsible for BadRabbit are connected to a known hacking group named “Telebots,” which some analysts believe is associated with the Russian government.
Preliminary findings uncovered by cybersecurity firms Kaspersky Lab, FireEye, ESET, Group-IB and Cisco Talos note that a substantial number of Russian, Romanian and Ukrainian websites were compromised to covertly dispense BadRabbit to unknowing web visitors. But other, less obvious infection vectors likely exist, according to Robert Lipovsky, a senior malware researcher with ESET.
Leading research into BadRabbit suggests its authors engineered the virus with controls in place to purposefully limit its spread to certain victims.
Case #1: BadRabbit – Dr. Web
For example, according to research published Thursday by FireEye, BadRabbit behaved differently on computers running Dr. Web, an anti-virus software program made by a Moscow-based cybersecurity firm of the same name.
U.S. cybersecurity firm Cylance produced similar findings to FireEye.
BadRabbit avoided encrypting certain files stored on machines with Dr. Web installed, FireEye analyst Nick Carr told CyberScoop. If “one of four Dr.Web antivirus processes is present on the system, file encryption is not performed,” a blog post by FireEye reads.
“It would still try to mess with the MBR (master boot record), but it didn’t encrypt or corrupt the most important parts … What happened is you have a system that won’t load the OS (operating system), but the user files you care about could still be retrieved pretty easily by a specialist,” said FireEye Chief Security Architect Christopher Glyer.
In other words, while BadRabbit still sabotaged the operating system boot loader on computers with Dr. Web installed, the result was far easier to recover from.
It’s not immediately clear why the hackers responsible for BadRabbit seemingly intended to spare Dr. Web’s customers from some of the damage.
In an emailed statement to CyberScoop, a Dr. Web spokesperson confirmed FireEye’s findings. The spokesperson, Kirill Kozhevnikov, provided an explanation for why the hackers may have attempted to avoid Dr. Web: “they probably couldn’t find a way to beat our preventive anti-ransomware protection so they tried to skip that part and go for MBR (Master Boot Record) directly.”
The majority of Dr. Web’s current customers are based in Russia and former Soviet Republics, including Armenia, Belarus, Kazakhstan, Kyrgyzstan and Moldova.
In May, the Ukrainian government announced sanctions against a number of Russian technology firms for their alleged role in supporting the annexation of Crimea. Companies impacted by these sanctions included Dr. Web and fellow Moscow-based anti-virus developer Kaspersky Lab.
One day prior to the sanctions announcement, Ukrainian President Petro Poroshenko said the Kremlin had unsuccessfully attempted to influence Ukraine by “using cyber warfare.” He provided no supplementary evidence or additional details concerning this activity.
Dr. Web is certified by the Russian Ministry of Defense and Russian Federal Security Service (FSB). It was founded in 1992 by Igor Danilov, a famous Russian computer programmer originally known for his work in the aerospace defense sector. The company carries several state-sponsored business licenses, including what is described as a “FSB Russia license for activities involving access to state secrets” on Dr. Web’s website.
BadRabbit also scans for McAfee products when an infection occurs, but it appears to use that check only to take a different path toward encryption. Carr described BadRabbit’s behavior with McAfee as an “evasion technique.” The presence of McAfee will not protect users from BadRabbit; the end result is the same as for any other victim.
Carr and Glyer said it’s highly unusual for ransomware-style viruses — like BadRabbit or NotPetya — which are typically engineered solely to generate profit for hackers, to avoid specific computers, products or companies.
Case #2: NotPetya – Kaspersky
A close inspection of BadRabbit reveals that it’s similar to a ransomware-style attack from earlier this year, according to separate research by ESET, Cisco, FireEye, Comae and Kaspersky Lab.
This other ransomware variant is known as “NotPetya,” “ExPetr” or “EternalPetya” by the cybersecurity industry. It primarily targeted and disrupted organizations based in Ukraine.
Limited, publicly available forensic evidence connects the Telebots hacking group to both NotPetya and BadRabbit.
BadRabbit is not only similar to NotPetya, it *is* NotPetya recompiled and including bugfixes. See below the lateral movement routine. pic.twitter.com/Pdq6P0TwD7
— Matthieu Suiche (@msuiche) October 26, 2017
NotPetya’s creators also intended for its spread to be somewhat targeted. It arrived in Ukraine during a period of heightened tension between Kiev and Moscow.
Akin to how BadRabbit reacted to Dr. Web, NotPetya behaved oddly when it encountered Kaspersky anti-virus (avp.exe). Instead of avoiding the Master Boot Record altogether, however, detection of Kaspersky caused a change in what processes NotPetya impacted on infected computers, said Glyer, namely by excluding the Master File Table (MFT) from encryption.
Whereas NotPetya would fully encrypt the Master File Table and Master Boot Record on most infected devices, it only locked the first 10 sectors of the Master Boot Record on computers running Kaspersky, according to U.S. cybersecurity firm CrowdStrike.
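The passages above describe two outcomes a responder may meet on a locked machine: a Master Boot Record that was tampered with while user data was left intact (the BadRabbit/Dr. Web case), and a disk where only the first handful of sectors were overwritten (the NotPetya/Kaspersky case). The following Python script is an added example, not code from CyberScoop, FireEye, CrowdStrike or any of the vendors named in the article, showing the kind of triage a forensic analyst can run over a disk image to tell those situations apart: it checks the MBR boot signature, decodes the partition table for plausibility, and uses per-sector Shannon entropy to find which leading sectors look encrypted or overwritten. The disk image is constructed inline (a synthetic MBR plus low-entropy filler), the overwrite of the first ten sectors simulates the damage pattern quoted above, and the 7.0 bits-per-byte entropy threshold is an assumption chosen for this sample, not a value from the article.

```python
import math
import random
import struct

SECTOR = 512
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above this looks encrypted or random


def build_sample_image(total_sectors=128, seed=1):
    """Construct a small disk image (constructed sample data, not a real disk):
    sector 0 holds a conventional MBR (boot code, one NTFS partition entry,
    0x55AA signature); the remaining sectors are low-entropy filler standing
    in for user data."""
    boot_code = b"\xFA\x33\xC0" + b"\x90" * (446 - 3)
    # Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 64, 32)
    table = entry + b"\x00" * (16 * 3)
    mbr = boot_code + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    rng = random.Random(seed)
    filler = bytearray()
    for _ in range(total_sectors - 1):
        # text-like filler drawn from five byte values keeps the entropy low
        filler += bytes(rng.choice(b"ABCD ") for _ in range(SECTOR))
    return bytes(mbr + filler)


def overwrite_first_sectors(image, count, seed=7):
    """Simulate the damage pattern from the article: only the first `count`
    sectors are replaced with random-looking bytes; everything after is untouched."""
    rng = random.Random(seed)
    garbage = bytes(rng.getrandbits(8) for _ in range(count * SECTOR))
    return garbage + image[count * SECTOR:]


def parse_mbr(image):
    """Decode sector 0: boot signature check plus the four partition entries."""
    mbr = image[:SECTOR]
    signature_ok = mbr[510:512] == b"\x55\xAA"
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"signature_ok": signature_ok, "partitions": partitions}


def sector_entropy(image, index):
    """Shannon entropy in bits per byte of one sector."""
    data = image[index * SECTOR:(index + 1) * SECTOR]
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def partition_table_plausible(parsed, total_sectors):
    """Every status byte must be 0x00 or 0x80, and at least one entry must
    describe a non-empty partition that fits inside the image."""
    if any(p["status"] not in (0x00, 0x80) for p in parsed["partitions"]):
        return False
    return any(
        p["type"] != 0 and p["lba_start"] > 0 and p["sectors"] > 0
        and p["lba_start"] + p["sectors"] <= total_sectors
        for p in parsed["partitions"]
    )


def triage(image, window=16):
    """Summarise what a responder wants to know: is the MBR intact, is the
    partition table believable, and which of the first `window` sectors look
    encrypted or overwritten."""
    total = len(image) // SECTOR
    parsed = parse_mbr(image)
    hot = [i for i in range(min(window, total)) if sector_entropy(image, i) > ENTROPY_THRESHOLD]
    return {
        "mbr_signature_ok": parsed["signature_ok"],
        "partition_table_plausible": partition_table_plausible(parsed, total),
        "high_entropy_sectors": hot,
        "first_partition": parsed["partitions"][0],
    }


if __name__ == "__main__":
    clean = build_sample_image()
    damaged = overwrite_first_sectors(clean, 10)
    print("clean:  ", triage(clean))
    print("damaged:", triage(damaged))
```

On the damaged image the script reports a broken signature, an implausible partition table and high entropy in exactly sectors 0 through 9, while everything past sector 10 still matches the clean image; that is the signal that the boot path is gone but the file system behind it is worth carving or mounting from a known-good offset rather than written off. On a real disk the same checks apply to the raw device or a forensic image, with the partition offsets taken from a backup of the original table rather than from the damaged sector 0.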
The two cases are comparable because they are two rare instances in which the presence of a specific security product observably changed the malware’s encryption behavior.
With that being said, Kaspersky’s presence alone did block NotPetya from targeting the company’s users. In the end, if an infection occurred, the end result would be almost identical: an unusable, locked device. Kaspersky said it was able to protect clients from the ransomware.
It’s not clear why NotPetya’s authors decided to handle Kaspersky in such fashion.
In a blog post written by Kaspersky researchers, the company explained why it believed NotPetya uniquely responded to its product: “this is done in order to prevent raising the suspicion score and getting terminated too early. It actually seems that [the hackers] put significant energy into trying to bypass our products and target our users, meaning they were pretty worried about being stopped.”
The blog post continues by stating, “With complex malware code and retro measures built to bypass antivirus products, it is complicated to understand all the functionality of today’s malware. It is easy to get tricked and believe certain code checks give a free pass to Kaspersky users. In reality, they were intended as a means of trying to pass under the … radar.”
Carr said that while BadRabbit’s code showed a clearer effort to sidestep Dr. Web users, a review of the NotPetya-Kaspersky activity suggested a desire to evade the security software rather than to avoid causing damage.
NotPetya first appeared en masse in April, when thousands of Ukrainian organizations were paralyzed for weeks because a booby-trapped piece of popular Ukrainian accounting software allowed the virus to invade corporate systems. The compromised accounting software firm, MEDoc, had been breached and its servers were hijacked to propagate the ransomware.
In addition to scanning for Kaspersky’s software, NotPetya detected and reacted to Symantec and Norton programs.
If Norton (NS.exe) or Symantec (ccSvcHst.exe) was found, then NotPetya would attempt to use an alternative technique — the open-source tool Mimikatz rather than two embedded exploits known as EternalBlue and EternalRomance — to move laterally within a network and infect connected systems.
The presence of Symantec or Norton had no effect on the components encrypted by NotPetya, as was the case with Kaspersky, researchers told CyberScoop.