Bad Rabbit malware used leaked alleged NSA tool

The Bad Rabbit ransomware that tore through Russia and Eastern Europe this week used a leaked hacking tool allegedly built by the National Security Agency.

It is not, however, the same NSA tool made famous by earlier ransomware outbreaks NotPetya and WannaCry. 

Researchers at Cisco found that Bad Rabbit used a tool called “EternalRomance” that took advantage of a now-patched security flaw in Windows that was leaked this year by a group called the ShadowBrokers.

{mosads}The ShadowBrokers released several packages of these tools, all of which they said had been pilfered from the NSA.

Bad Rabbit, like NotPetya and WannaCry, encrypts files on a system and charges a ransom for the key to decrypt those files. Coding and strategic problems in NotPetya and WannaCry made it impossible for the attackers to provide these keys even if a ransom was paid. It is at least hypothetically possible that paying the ransom for Bad Rabbit could result in a key to unlock files. 

Bad Rabbit spread using a fake update for Adobe Flash, predominantly striking Russian victims. Once it was installed on one computer in a network, it used a variety of techniques to spread to other computers on the same network. 

It reportedly interrupted service in Ukranian mass transit, three Russian media agencies and Ukrainian government systems, as well as other targets. 

Due to coding similarities to NotPetya, initial reports assumed it used a different ShadowBrokers-leaked tool known as EternalBlue to propagate through networks. That turned out not to be true. 

EternalBlue and EternalRomance both operate on the same Windows filesharing system, SMB. Microsoft had patched the problem before the tools were leaked.