As Día de los Muertos 2017 winds down there comes news of a ghastly emergence in the "Night of the Devil” attacks, which feature the “Bad Rabbit” ransomware.
Researchers at Cybereason have come to the conclusion that attackers have deployed “ONI,” a derivative of the recent ransomware of the month dubbed Bad Rabbit. Additional forensic studies purport that the ONI ransomware may have been deployed in an effort by attackers to conceal the true goals of the attack: industrial espionage.
The name ONI, can mean “devil” in Japanese and is the .oni file extension of encrypted files including the email address in the ransom note, which translates to "Night of the Devil." Attacks using ONI ransomware to pilfer data has been carried out against Japanese targets lasting from three to nine months. This means even with user defined backup practices in place the infected ransomware was likely backed up and awaiting a restore to come back and infect all over again — think Groundhog Day for ransomware.
While campaigns using ONI ransomware have been carried out against Japanese targets for months, latest data points uncovered a new variant, the bootkit ransomware dubbed “MBR-ONI.” This bootkit ransomware is based on a legitimate disk encryption utility, DiskCryptor, which just so happens to be the tool used in the recently discovered Bad Rabbit ransomware spree. The ONI-based attacks rely upon spear-phishing emails that distribute malicious Office documents to provide admin-level remote access. It is likely that the propagation of the attack exploits the leaked NSA SMB EternalBlue vulnerability.
An interesting development that ONI and MBR-ONI have been used in conjunction leads many to prognosticate that the ONI ransomware is uniquely used in this case as a wiper agent to cover the attackers' footprints of malicious data mining. It is a conceivable leap to assume that although ONI does provide a ransomware note its true purpose is to never allow access to encrypted data in an attempt to wipe evidence of the operation and destroy any traces of an attack. To combat instances of wiper attacks, one of your safeguards is to have secure off-site backups of data and diligently only backing up clean data — remember the old garbage in garbage out adage.
This watering hole ransomware attack injects a malicious script on compromised websites prompting visitors to download a fake Adobe Flash installer update. Once executed, BadRabbit starts to hop around files and encrypt them awaiting a Bitcoin ransom of .05 or roughly $276 USD. In addition to extortion, this strain of ransomware can very well be used to disable a company’s operations or in the case of ONI to provide cover.
ZDNet reports Crowdstrike researchers have found that NotPetya begat almost two-thirds of its code to Bad Rabbit. In sharing NotPetya's DLL (dynamic link library) code, this indicates the two ransomware variants are closely related and potentially even the work of a Ransomware-as-a-Service platform.
Bad Rabbit ransomware seems to share the use of the same DiskCryptor driver present in NotPetya as well as to encrypt (nearly) all files on the disk. Unlike WannaCry and NotPetya, it appears that Bad Rabbit does not rely on the EternalBlue exploit but relies on lateral movement through WMIC command execution, Mimikatz, and SMB Shares.
According to Avast Threat Labs, Bad Rabbit has targeted at least 15 countries including Russia, Ukraine, Poland, Romania, Turkey, Bulgaria, Poland, Germany, South Korea, and the U.S. As with most ransomware attacks the scope is vast yet reaps the most havoc with industry. Attacks of Bad Rabbit have crippled the likes of the Kiev Metro, Odessa airport, and prominent Russian media outlets while being thwarted at the doors of Russian financial intuitions, according to various sources from CNN, Fox News, El Reg
One theory for the limited outbreak seems to point to discriminate infected entities, suggesting that this been a targeted attack against corporate networks according to Kaspersky Lab researchers. One small moment of levity points to the theory that the Bad Rabbit creators are fans of HBO’s Game of Thrones, as the code contains references to the dragons, Viserion, Drogon, and Rhaegal.
The flippant answer to Bad Rabbit is to not use Flash, but really try to avoid downloading anything from untrusted servers. Without a comprehensive data protection plan in place, recovery from an infectious attack basically comes done to a pay and pray strategy. There are really only ever two remedies, detection or recovery. How can you recover if your protection software missed the intrusion, well try frequent (daily) backups of clean data? If hit with malware, spin up a manual backup and set shorter increments to push the change to your backup vaults, this will increase restore points. If your local backup storage and remote vaults can handle temporary infinite versioning or delete lock you should be entertaining that idea. You can always turn this off after the attack is mitigated and you confirm the backup copies are no longer needed.
Don’t forget to seek support as needed to insure that malware scanning of your data occurs before it is backed up or restored back into production.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of j2 Global, or KeepItSafe.
Download a free Planning Guide
“Storage Switzerland details DR Planning from Good to Great”