BadRabbit Ransomware Decided to Avoid One Antivirus Vendor


Security researchers are noticing something curious about Tuesday’s BadRabbit ransomware outbreak. Apparently, the malicious code is built to avoid encrypting PCs running antivirus from a certain vendor.

Researchers at FireEye noticed the behavior while reverse-engineering a BadRabbit sample. The ransomware forgoes encryption on a machine if it finds any of four antivirus processes belonging to Dr.Web, a Russian security firm, FireEye said.

Security firm Cylance found the same. If Dr.Web antivirus is detected, BadRabbit stops trying to spread over the victim's network and stops trying to harvest the PC's passwords, it said.

Why the ransomware’s developer sought to avoid the Moscow-based company’s software might raise eyebrows. Russia often gets blamed for some of the world’s biggest cyber attacks.

But on Thursday, Dr.Web published its own findings. It too found that BadRabbit skips the encryption process when the company's antivirus is detected on the system.

(Image: BadRabbit checking for McAfee and Dr.Web antivirus.)

However, this has to do with how the company's antivirus software protects a PC's master boot record, which BadRabbit tries to overwrite with its own bootloader before encrypting the disk.

Rather than trip that protection, the ransomware skips the boot-record step to avoid early detection, but still starts full-disk encryption after the system reboots, Dr.Web said in its findings.

Tom Bonner, a senior threat manager at Cylance, said he arrived at a similar conclusion.

“I think it (BadRabbit) is trying to be as surreptitious as possible, and not raise too many flags,” he said.

Dr.Web isn't the only antivirus software BadRabbit scans for. It also looks for McAfee's antivirus software, Bonner said.

If McAfee is found, the ransomware stops spreading over the victim's network, but it still tries to encrypt the files on the machine, he added.

(Image: Map of BadRabbit attacks.)

Others, like FireEye security researcher Nick Carr, still find BadRabbit's avoidance of Dr.Web software suspicious. Whatever the reason, Tuesday's outbreak hit computers largely in Russia, but also spilled into Ukraine, Turkey and even Japan, according to security firms.

BadRabbit spread through a fake Adobe Flash Player update distributed by more than a dozen hacked websites.

The fake update tricked visitors into running the installer, which then encrypted the files on the PC. To recover the system, a victim was asked to pay about $282 in bitcoin.

Who was behind the attack still isn't known. But security researchers suspect BadRabbit's creator may be the same group behind NotPetya, another ransomware outbreak, in June. The two attacks share some of the same code and tactics, an overlap that is rare to find.

FireEye has also uncovered evidence that whoever launched BadRabbit was profiling potential victims.

The hacked websites found delivering BadRabbit had been injected with malicious JavaScript. That code gathers data from visitors' browser sessions and relays it to a separate server.

Exactly what data is collected about visitors isn't clear, but it lets BadRabbit's creator decide which visitors receive the malicious payload, FireEye's Carr said.

That's unusual for a ransomware campaign, since most are designed to infect as many targets as possible. But it may offer an important clue to what BadRabbit was actually trying to achieve.

“We have reason to suspect that this was not a truly financially-motivated attack,” Carr said.