The same group of hackers called BlackEnergy is likely to be behind the BadRabbit ransomware attack and the epidemic of the NotPetya virus, the Russian-based Group-IB cybercrime prevention and investigation company said in a report on Thursday.
Group-IB earlier told TASS that the same hacker or group of hackers who had compiled the earlier notorious encrypting malware NotPetya could be behind the BadRabbit ransomware. During their analysis at that time, Group-IB experts found a specific code segment in the BadRabbit virus that coincided with a part of the NotPetya code.
“It is highly likely that the same group of hackers was behind the BadRabbit ransomware attack on October 24, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” the company said in its report.
The research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has the same functions for computing hashes, network distribution logic and the logs removal process, the report says.
“The logic of module derivation and the modules themselves confirm this relationship,” Group-IB said.
According to the report, some BadRabbit malware modules were compiled in the summer of 2014. It was in that year that BlackEnergy started notable activity with disk tools. The hacker group reused old tools from previous attacks in the BadRabbit malware, Group-IB said.
BadRabbit and Petya malware
The BadRabbit encrypting ransomware attacked Russian mass media outlets on October 24. As the Kaspersky Lab and Group-IB reported, the malware attacked the information systems of the news agency Interfax and the server of the Petersburg-based news portal Fontanka.ru.
According to Group-IB’s data, the cyberattacks spread to Ukraine in the afternoon: the virus hit the computer networks of the Kiev subway, the Ukrainian Ministry of Infrastructure and the international airport of Odessa.
Group-IB Head Ilya Sachkov told TASS at the time that BadRabbit tried to attack Russian banks from the list of the country’s top 20 lenders, but those attacks failed.
Sergei Nikitin, a Group-IB deputy head, earlier told TASS the attack was already over, although sporadic cases of BadRabbit attacks were still possible.
Kristina Davydova, spokeswoman for Microsoft’s office in Russia, told TASS that users of the Windows operating system’s built-in antivirus, Windows Defender Antivirus, were protected from the BadRabbit encrypting malware.
In June, the malware known as Petya attacked oil, telecoms and financial companies in Russia, Ukraine and some EU countries. It operated on the same principle as the BadRabbit malware: the virus encrypted information and demanded a $300 ransom in Bitcoins.
Before that, computers around the world were attacked by the WannaCry virus in May. The malware blocked information on infected computers and demanded $600 in Bitcoins for releasing the data.