The Bad Rabbit ransomware attack which affected more than 200 targets in many countries across Europe, demanding ransom in the form of Bitcoin cryptocurrency, may have been carried out by the same hacker group that was behind the Petya ransomware attack aka NotPetya that took place at the end of June, 2017.
Several security companies like Cisco Talos, ESET, Kaspersky Lab, and Malwarebytes have reportedly found evidence that shows links connecting the Bad Rabbit ransomware outbreak with the NotPetya ransomware attack.
The cyber security companies have published reports drawing similarities between the source codes of Bad Rabbit and NotPetya.
"Bad Rabbit appears to have some similarities to NotPetya, in that it is also based on Petya ransomware," cybersecurity experts at Cisco Talos said in a report, adding "major portions of the code appear to have been rewritten."
Which group is behind the attacks?
The hacker group behind the infamous NotPetya ransomware attack has been identified by ESET as a cyber-espionage group called TeleBots APT. Prior to the NotPetya attack, the group was known for attacking Ukraine's power grid in December 2015 and December 2016.
The cyber-criminal group has been active since 2007 and has been tracked under different names such as Sandworm, BlackEnergy, Electrum, TEMP.Noble and Quedagh before being recently identified as TeleBots.
The group is suspected to be operating out of Russia under the control of Russian authorities. Information Security (InfoSec) experts believe that TeleBots' main target country is Ukraine, because Russian hackers shifted their focus to Ukrainian targets after Russia invaded Crimea, a former territory of Ukraine. This would explain the finding that more than 60 percent of the NotPetya ransomware attack victims were Ukrainian users.
With the Bad Rabbit outbreak, however, things were a little different, as almost 70 percent of the victims were located in Russia. Even so, most of the high-value targets were still based in Ukraine, with infections reported in airports, metro stations and government agencies.
TeleBots is a state-sponsored hacker group
Cybersecurity experts from RiskIQ and Kaspersky Lab suggest that the hackers took months to compromise websites and plant the malicious scripts needed to push the fake Adobe Flash Player updates that propagated the malware initially, before the malware's lateral network movement module kicked in.
(Note: The Bad Rabbit malware dropper pretends to be an Adobe Flash installer.)
Reports also suggest that only a state-sponsored group like TeleBots could afford to waste three to four months in building the groundwork for a ransomware outbreak.
Bad Rabbit ransomware could have been used as a smokescreen for worse attacks
Some experts have been looking at the theory that the Bad Rabbit ransomware outbreak was actually a cover to mask other, more sinister attacks, suggesting that while investigators were busy probing the cause and effect of the infection, TeleBots could have been silently siphoning off data from sensitive targets.
Many even suggest that TeleBots may have used the ransomware as a means to destroy evidence of previous, undetected attacks.