All you need to know: Comparing WannaCry vs NotPetya vs Bad Rabbit
On 14 April 2017, over the Easter holiday, the mysterious ShadowBrokers group, which over the previous 7-8 months had leaked several gigabytes of the NSA's software exploit arsenal, published its most critical cyber weapon release on GitHub.
The latest release of 0-day exploits targeted several Windows versions, including Windows XP, Windows Server 2012, Windows 8 and Windows 2008 R2. Microsoft addressed those vulnerabilities a few days later, so they were no longer 0-day exploits. As reported on Friday 14 April by Emptywheel, a ShadowBrokers release from early January had given NSA officials notice of some of the exploit names obtained by the mysterious person or group that were included in Friday's release. The extra time Microsoft needed to patch the bugs might have something to do with February's unprecedented cancellation of Patch Tuesday, or simply with Microsoft having secretly paid off the Shadow Brokers for the vulnerabilities.
Below are the vulnerabilities that Microsoft patched, with the bulletin or CVE that addressed each:
| Exploit name | Microsoft fix |
| --- | --- |
| "EternalBlue" | Addressed by MS17-010 |
| "EmeraldThread" | Addressed by MS10-061 |
| "EternalChampion" | Addressed by CVE-2017-0146 & CVE-2017-0147 |
| "ErraticGopher" | Addressed prior to the release of Windows Vista |
| "EskimoRoll" | Addressed by MS14-068 |
| "EternalRomance" | Addressed by MS17-010 |
| "EducatedScholar" | Addressed by MS09-050 |
| "EternalSynergy" | Addressed by MS17-010 |
| "EclipsedWing" | Addressed by MS08-067 |
Nevertheless, to some extent we all expected that it was just a matter of time before a gigantic cyber attack occurred using some or all of those vulnerabilities. We were also anticipating the enormous effect this would have on organisations and governments that had failed to apply the latest patches. We all know that government arms, public services and large organisations often run unpatched and legacy systems because of environment complexity or budget.
Inevitably, a month later, in May 2017, the WannaCry ransomware, leveraging the (patched) MS17-010 SMBv1 bug, spread like wildfire around the world and hit the UK hardest, where everyone started to panic. After analysis, the source code of WannaCry was linked to the threat actor Lazarus Group. WannaCry behaved as follows on the targeted operating systems:
- Windows XP: Doesn’t spread. If run manually, can encrypt files.
- Windows 7,8,2008: Can spread on unpatched systems, can encrypt files.
- Windows 10: Doesn’t spread, even though Windows 10 does have the faulty SMB driver.
- Linux: Doesn’t spread. If run manually with Wine application, can encrypt files.
Soon after, in June 2017, NotPetya struck several countries, with Ukraine as its main target. Equally, NotPetya leveraged the (already patched) MS17-010 SMBv1 bug. It appeared to have been carefully crafted to restrict its infection chain to Ukraine, but within hours it had affected several other large organisations globally. Prominent examples of affected organisations include the global law firm DLA Piper, the advertising firm WPP, the shipping behemoth Maersk and so forth. The BlackEnergy group appeared to be behind the Petya (aka NotPetya, ExPetr, etc.) attack, and several malware analysts linked the ransomware's source code to the BlackEnergy group.
One of the main reasons the BlackEnergy attacks have grabbed so much attention is that they were – and still are – used in the middle of a tense geopolitical situation, and many have pointed their fingers at Russian groups. The initial BlackEnergy malware family campaign did indeed have Russian origins, but its leaked source code was sold on the DarkNet. The new malware version introduced back in 2010 was a complete code rewrite with a modular approach, which allowed cyber criminals to replace or add any module in the malware architecture without affecting the rest of the code. Since then the malicious code has been used for a range of purposes, and we all know very little about the threat actor behind the latest BlackEnergy attacks. However, as malware families are used in commodity cyber crime attacks at the same time as in targeted attacks, it is highly likely that several other groups hold the BlackEnergy malicious code.
Following the NotPetya ransomware attack, four months later in October 2017, the Bad Rabbit ransomware was released. Once again, as had happened with NotPetya, Bad Rabbit carried several similarities and spread through lateral movement tools such as Mimikatz, WMIC and SMB. The Bad Rabbit ransomware initially targeted Russia, Bulgaria, Turkey, Germany and Japan; within a day, infections were on a global scale. The Bad Rabbit attack was also linked to the BlackEnergy threat actor group.
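As an added example that is not part of the original post, the following Python detection sketch flags the WMIC-plus-SMB lateral movement pattern named above in Windows Security log records: a process creation (event 4688) that launches `wmic /node:<target> ... process call create` on a remote host, correlated with access to an administrative share (event 5140) on that target. The event IDs are real Windows events; the record layout, host names, accounts and command lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs), flattened as
# "EventID|Host|Account|Detail", where Detail is the process command line
# for 4688 (process creation) or the share name for 5140 (share access).
SAMPLE_EVENTS = [
    "4688|WS-01|CORP\\alice|C:\\Windows\\System32\\notepad.exe",
    "4688|WS-01|CORP\\alice|wmic /node:WS-02 /user:CORP\\svc process call create "
    "\"rundll32 C:\\Temp\\payload.dll,#1\"",
    "5140|WS-02|CORP\\svc|\\\\*\\ADMIN$",
    "5140|FS-01|CORP\\bob|\\\\*\\Finance",
    "4688|WS-03|CORP\\bob|wmic /node:WS-04 process call create cmd.exe",
]

# Remote WMI process creation: wmic ... /node:<target> ... process call create
WMIC_REMOTE = re.compile(
    r"\bwmic\b.*?/node:\"?(?P<target>[\w.-]+).*?\bprocess\s+call\s+create\b", re.I)
# Shares that legitimate users rarely touch but lateral movement relies on
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse(line):
    event_id, host, account, detail = line.split("|", 3)
    return {"id": event_id, "host": host, "account": account, "detail": detail}


def detect(lines):
    """Return findings as dicts: severity, source host, target host, reason."""
    remote_launches = {}                    # target host -> source host
    admin_share_access = defaultdict(set)   # host -> accounts hitting admin shares
    for ev in map(parse, lines):
        if ev["id"] == "4688":
            m = WMIC_REMOTE.search(ev["detail"])
            if m:
                remote_launches[m.group("target").upper()] = ev["host"]
        elif ev["id"] == "5140":
            share = ev["detail"].rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES:
                admin_share_access[ev["host"]].add(ev["account"])
    findings = []
    for target, source in remote_launches.items():
        # Remote process launch alone is suspicious; paired with admin-share
        # access on the same target it matches the NotPetya/Bad Rabbit pattern.
        corroborated = target in admin_share_access
        findings.append({
            "severity": "high" if corroborated else "medium",
            "source": source, "target": target,
            "reason": "wmic remote process create"
                      + (" + admin share access" if corroborated else ""),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```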
Below we have created a comparison table with several key facts of WannaCry, NotPetya and Bad Rabbit ransomware attacks:
If you would like to use the table, please feel free to send us an email via the Contact section and we will happily share an editable version. If you would like to copy the table, feel free to do so, giving us credit.
Enjoy and happy hunting!
- The ShadowBrokers Vulnerability Equities Process: NSA has had at least 96 days to warn Microsoft about these files: https://goo.gl/dakVQm
- Microsoft’s silence over unprecedented patch delay doesn’t smell right: https://goo.gl/Ytr7KY
- GitHub - The Shadow Brokers “Lost In Translation” leak: https://goo.gl/CbJdMB