The infrastructure used last Tuesday to spread the BadRabbit ransomware has been active since 2016, says Dutch security researcher Yonathan Klijnsma of security company RiskIQ. During the attack the attackers made use of a large number of hacked websites.
These websites showed visitors a popup telling them they needed to install an update for Adobe Flash Player. In reality it was a Petya ransomware variant that encrypted files on the hard drive and overwrote the hard drive's Master Boot Record. As a result, the operating system can no longer be started. Furthermore, BadRabbit tries to spread over SMB using a list of commonly used passwords and by intercepting login credentials via SMB.
On the hacked websites, code had been placed that pointed to an injection server, which displayed the malicious popup on those websites. One of these injection servers was first observed last September. Several of the hacked websites had already been compromised since last year. RiskIQ counted 63 hacked websites to which the attackers had access, but the security company says the number could be higher.
"The group behind the BadRabbit ransomware has been active for quite some time," said Klijnsma. The researcher speaks of a long-term campaign that may originally have been set up for something other than BadRabbit. "While the BadRabbit ransomware is brand new, we can track the distribution infrastructure back to the beginning of 2016, which shows that victims had been compromised long before the ransomware hit and the news cycle began. The campaign may originally have been set up for something other than BadRabbit." Security company Symantec claims that 86 percent of the infections occurred in Russia, mainly at companies.