Special Feature
Part of a ZDNet Special Feature: Security TV - Video Series

Bad Rabbit ransomware spread using leaked NSA EternalRomance exploit, researchers confirm

An SMB vulnerability helped propagate BadRabbit, but not the one first suspected -- security researchers have tentatively linked it to the mystery group behind NotPetya.

What we know about the Bad Rabbit ransomware outbreak

Bad Rabbit ransomware spread using the help of a leaked NSA exploit exposed by the Shadow Brokers hacking group, security researchers have confirmed.

When the ransomware first infected organisations in Russia and Ukraine on Tuesday, it was initially suggested that it was using EternalBlue -- the leaked exploit which helped the spread of WannaCry -- but this was quickly found to be not the case.

However, researchers at Cisco Talos have now identified that Bad Rabbit did indeed use an SMB vulnerability to propagate through networks -- known as EternalRomance. Researchers at other security firms including Symantec and Kaspersky Lab have also confirmed the use of EternalRomance.

The vulnerability was also used to distribute NotPetya in June, although researchers note that while this version of EternalRomance is very similar to the publicly available Python implementation, there are slight differences.

For Bad Rabbit, the EternalBlue implementation is used to overwrite a kernel's session security context. That allows it to launch remote services and try to find other nearby systems listening for SMB connections and then spread the ransomware. Meanwhile, EternalRomance was used by NotPetya to install the DoublePulsar backdoor.

In both instances, the actions are possible due to how EternalRomance allows the attacker to read and write arbitrary data into the kernel memory space to spread ransomware.

As a result of similarities in the code and use of the SMB exploit, Cisco Talos researchers have "high confidence" that there's a link between NotPetya and Bad Rabbit and even suggest that the authors of the two ransomware variants could be the same.


Bad Rabbit ransomware was named after the Tor payment page demanding bitcoin.

Image: iStock

"The evasion techniques present in the modifications to the DoublePulsar backdoor in Nyetya and EternalRomance in Bad Rabbit demonstrate similar, advanced levels of understanding of the exploits involved, the network detections in place at the time of deployment, and general Windows kernel exploitation," said Nick Biasini, threat researcher at Talos Outreach

See also: Bad Rabbit: Ten things you need to know about the latest ransomware outbreak

Along with EternalBlue, the EternalRomance vulnerability was patched by Microsoft back in March -- suggesting that those infected by this ransomware outbreak were still yet to apply the critical update, despite the impact of previous high-profile incidents.

Named Bad Rabbit after the Tor payment page for collecting ransoms, the ransomware hit targets including Russian media outlets, the Kiev metro system, and the Odessa International Airport in Ukraine.

A number of organisations in Germany, South Korea, and Poland were also reported to have fallen victim, but the total number of infections was far lower than was seen with WannaCry and Petya, with under 200 organisations affected.

It's not clear how many of those affected paid, but victims are directed to a Tor payment page which demands a payment of 0.05 bitcoin (around $285) for decrypting the files. They're threatened with the price rising if they don't pay within just under 48 hours, although a number of security vendors have now said the infrastructure used to collect payments is now down.

Bad Rabbit spreads via drive-by downloads on hacked websites. Rather than being delivered by exploits, visitors to compromised sites -- many of which had been under the control of hackers for months -- were told to install a Flash update.

This malicious download subsequently installed the ransomware to what appeared to be specially selected targets, although it's unknown what the reasoning behind choosing the victims was.

What is obvious is how using exploits like EternalRomance is becoming an increasingly common method of spreading ransomware.

"This is quickly becoming the new normal for the threat landscape. Threats spreading quickly, for a short window, to inflict maximum damage," said Biasini.

Related coverage

Bad Rabbit: Ten things you need to know about the latest ransomware outbreak

It's the third major outbreak of the year - here's what we know so far.

Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchers

Updated: Organisations in Russia, Ukraine and other countries have fallen victim to what is thought to be a new variant of ransomware.