The global epidemic of WannaCry ransomware infections caused tens of millions of dollars’ worth of economic harm. That epidemic, started by the Shadow Brokers, was created by melding a ransomware strain with a leaked NSA cyberweapon.
A new ransomware epidemic, dubbed “Bad Rabbit,” is now spreading at an alarming rate thanks to its use of “EternalRomance,” an open source Python version of the NSA’s EternalSynergy tool, which was also dumped by the Shadow Brokers.
EternalRomance/EternalSynergy exploit a bug in Microsoft’s SMB protocol. This bug was discovered/purchased by the NSA, which withheld the knowledge of its existence from Microsoft, deliberately ensuring that the bug would remain unpatched.
The NSA’s doctrine, called “NOBUS” (“No One But Us”), once again allows these parties to target a wide swath of computers worldwide, because the NSA operated under the belief that it would never lose control of its exploits.
Due to a number of similarities between Bad Rabbit and NotPetya—including the use of the commercial DiskCryptor code to encrypt the victim’s hard drive and the presence of “wiper” code that could erase drives attached to the targeted system—Kaspersky Lab researchers have said that there are “clear ties” between the two malware attacks, and other researchers have reached similar conclusions. But there are two major differences: the use of a different exploit and the apparent targets of the attack. This time, the targets have apparently been primarily in Russia.
“There is a lot of speculation that Russia is the main target, which may be true, but does not rule out Russia as the attacker,” said Dr. Andrea Little Limbago, chief social scientist at Endgame. “BadRabbit hit Russian media companies—and Putin has a history of cracking down on the media.” And the attack also affected critical infrastructure companies in Ukraine. “It is too early to rule out any potential attacker,” Limbago added, “and as always, motives and intent are extremely nuanced, and [we] must consider both domestic and international motivations.”