Could BadRabbit Ransomware Be Linked To Previously Warned Supply Chain Attack

News has broken on about a new widespread ransomware attack using a new variant called "BadRabbit." At this time it appears that organizations in Russia and Ukraine appear to be the most heavily impacted. Most notably, Russian media outlets and Ukrainian government and critical infrastructure entities are seeing disruptive effects.

Security researchers are already noting similarities between this wave of attacks and the NotPetya attacks that caused widespread disruption back in June 2017, but had a particularly significant effect on entities in Ukraine. While NotPetya initially appeared to be a widespread ransomware attack similar to WannaCry, it was later determined that the malware was a disk wiper with destructive intent rather than a typical financially-motivated ransomware attack. Effects from NotPetya were centered around Ukraine because the initial delivery mechanism was a supply chain attack where malicious actors compromised the update server for software call "M.E.Doc," a widely deployed accounting software used by many organizations in Ukraine as well as businesses with operations there (which explains why effects were felt outside Ukraine).

Up to this point, the only reported delivery vector for BadRabbit is a "watering hole" campaign where popular websites have been compromised to host malicious code that can ultimately result in BadRabbit infection. Most of the compromised watering hole websites reported so far appear to be focused in and around Russia and Ukraine suggesting the actors behind this are interested in targets in these countries. One of the difficulties with watering hole operations is that they can net lots of uninteresting targets that happen to visit the compromised sites. However, a blog by the security company ESET (linked in the first sentence of this paragraph) indicates that the BadRabbit actors have implemented logic that will only deliver the malicious payload to certain victims. The precise logic is appears to be unknown, or at least unreported, so further insight into actor motivations is not currently known.

The Cyber Intelligence and Policy Project (CIPP) believes that another delivery method should receive some attention here - supply chain attack. The only confirmed BadRabbit deliver vector is the watering hole activity. However, on October 12, 2017, Ukraine's Security Service released a warning that a supply chain-facilitated attack was possibly imminent.

The link in the supply chain believed to be used was a company called LIGA:ZAKON which provides legal support services to companies in Ukraine. This attack never appeared to materialize.

Since the previously warned of attack apparently did not occur at the time, an interesting question is posed - Is the current BadRabbit operation just a delay of the attack of which Ukraine's Security Service previously warned? It is possible that the warnings produced significant enough attention that the actors decided an attack at that time might not be as effective as they wished. There are multiple potential scenarios, but CIPP would like to highlight a couple:

  • Scenario 1 - The attention brought to the previous potential supply chain-facilitated attack resulted in increased security posture across Ukraine that may have resulted in the malicious actors perceiving an attack at that time would not be sufficiently effective. In this case, maybe the malware delivered via the supply chain attack remained on victim machines and the actors were able to simply delay the timing of the attack until now. The watering hole element observed with the current BadRabbit operation was an addition to the operation done in order to increase the potential impact (possibly to target organizations that were able to mitigate effects from the initial supply chain attack), as well as to act as a smoke screen to cover up the continued effects of the supply chain attack for targets did not mitigate its effects.
  • Scenario 2 - The warnings about the earlier supply chain attack resulted in affected organizations cleaning up their network rendering that attack completely ineffective. The current BadRabbit campaign represents a fallback option by the actors who lost their supply chain access to targets, but seized an opportunity to use watering hole tactics to carry out the attack anyway.

It is important to note that there is no definitive connection between BadRabbit and the supply chain attack that Ukraine warned of earlier in October. However, given the similarities between NotPetya and BadRabbit it is important to consider the possibility.