BadRabbit Ransomware Decided to Avoid One Antivirus Vendor
Security researchers are noticing something curious about Tuesday's BadRabbit ransomware outbreak. Apparently, the malicious code is built to avoid encrypting PCs running antivirus from a certain vendor.
Researchers at FireEye noticed the issue when reverse-engineering a BadRabbit malware sample. The ransomware will forgo encryption on a machine when it finds one of four antivirus processes from a Russian security firm called Dr.Web, it said.
Security firm Cylance found the same. BadRabbit will cease attempts to spread over the victim's network and harvest the PC's passwords if Dr.Web antivirus is detected, it said.
Why the ransomware's developer sought to avoid the Moscow-based company's software might raise eyebrows. Russia often gets blamed for some of the world's biggest cyber attacks.
But on Thursday, the Moscow-based Dr.Web published its own findings. It also discovered that BadRabbit skips the encryption process when the company's antivirus is detected on the system.
However, this actually has to do with how the company's antivirus software protects a PC's master boot record, which BadRabbit will attempt to encrypt.
Instead, the ransomware will seek to avoid early detection, but will start a full disk encryption after a system reboot, Dr.Web said in its findings.
Tom Bonner, a senior threat manager at Cylance, said he arrived at a similar conclusion.
"I think it (BadRabbit) is trying to be as surreptitious as possible, and not raise too many flags," he said.
To avoid raising those flags, Dr.Web isn't the only antivirus software BadRabbit will try to scan for. It'll also look for the presence of McAfee's antivirus software, Bonner said.
If found, the ransomware will stop spreading over the victim's network, but it'll still try to encrypt the files onboard, he added.
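The behaviour described above is gated on a process-name check: the sample enumerates running processes and changes course depending on which antivirus names it finds. The following is an added example that models that decision logic, not code from the BadRabbit sample or from FireEye, Cylance or Dr.Web. The process names in the watchlists are placeholders (the article does not give the real ones), and the tasklist output is constructed for the example.

```python
"""Model of BadRabbit's reported antivirus-process check.

Added example. The article says the sample looks for four Dr.Web processes and
for McAfee's, and branches on a match. The watchlist entries below are
PLACEHOLDER names chosen for illustration, not the real names from the sample.
"""
import re
from typing import Dict, Set

# Placeholder watchlists (assumption: not the actual names the sample checks).
DRWEB_PROCESSES = {
    "drweb_placeholder_a.exe", "drweb_placeholder_b.exe",
    "drweb_placeholder_c.exe", "drweb_placeholder_d.exe",
}
MCAFEE_PROCESSES = {"mcafee_placeholder.exe"}

# Constructed `tasklist`-style output for three hosts (sample data, not captures).
TASKLIST_CLEAN = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  4120 Console                    1     61,204 K
svchost.exe                    812 Services                   0     14,332 K
"""
TASKLIST_DRWEB = TASKLIST_CLEAN + "DrWeb_Placeholder_A.exe       2200 Console                    1      9,100 K\n"
TASKLIST_MCAFEE = TASKLIST_CLEAN + "McAfee_Placeholder.exe        3300 Services                   0     22,016 K\n"

# Matches an image name ending in .exe followed by its PID column.
_IMAGE_RE = re.compile(r"^(\S+\.exe)\s+\d+", re.IGNORECASE)


def parse_tasklist(text: str) -> Set[str]:
    """Extract image names from tasklist-style output, lower-cased for comparison."""
    names = set()
    for line in text.splitlines():
        m = _IMAGE_RE.match(line.strip())
        if m:
            names.add(m.group(1).lower())
    return names


def decide_behaviour(running: Set[str]) -> Dict[str, bool]:
    """Apply the three branches the article describes to a set of process names.

    Dr.Web present  -> skip file encryption, no spreading / credential harvesting,
                       full-disk encryption still staged for after reboot.
    McAfee present  -> no spreading, but file encryption proceeds.
    Neither present -> everything proceeds.
    """
    drweb = bool(running & DRWEB_PROCESSES)
    mcafee = bool(running & MCAFEE_PROCESSES)
    return {
        "encrypt_files_now": not drweb,
        "spread_and_harvest": not (drweb or mcafee),
        # The MBR / disk stage is attempted regardless, per Dr.Web's findings.
        "disk_encrypt_after_reboot": True,
    }


def analyse(tasklist_text: str) -> Dict[str, bool]:
    """Convenience wrapper: tasklist output in, behaviour decision out."""
    return decide_behaviour(parse_tasklist(tasklist_text))


if __name__ == "__main__":
    for label, sample in (("clean", TASKLIST_CLEAN),
                          ("drweb", TASKLIST_DRWEB),
                          ("mcafee", TASKLIST_MCAFEE)):
        print(label, analyse(sample))
```

The point the model makes concrete is that the whole decision hangs on a case-insensitive string match against an image name; nothing about the vendor's actual protection is verified before the sample changes its behaviour.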
Others, like FireEye security researcher Nick Carr, find BadRabbit's avoidance of Dr.Web software suspicious. After all, Tuesday's outbreak spread across computers largely in Russia, but also spilled into Ukraine, Turkey and even Japan, according to security firms.
BadRabbit attacked by spreading itself through a fake Adobe Flash Player update that was distributed by over a dozen hacked websites.
That Flash update sought to trick visitors into executing the installer, which would then maliciously encrypt all the files on the PC. To free the system, a victim would have to pay about $282 in bitcoin.
Who was behind the attack still isn't known. But security researchers suspect BadRabbit's creator may have been the same culprit behind another ransomware outbreak in June called NotPetya. Both attacks shared some of the same unique computer code and tactics, which is rare to find.
Security firm FireEye is also uncovering evidence that whoever launched BadRabbit had been trying to profile its potential victims.
Hacked websites found delivering BadRabbit were injected with malicious JavaScript code. That code is designed to gather data from website visitors through their browser sessions, and relay it back to a separate server.
What data is being profiled about visitors isn't clear, but it allows BadRabbit's creator to distinguish which visitors will be targeted with a malicious payload, FireEye's Carr said.
That's strange behavior for a ransomware attack, when most are designed to infect as many targets as possible. But it might offer an important clue to what BadRabbit was really trying to accomplish.
"We have reason to suspect that this was not a truly financially-motivated assail," Carr said.
Source: https://sea.pcmag.com/news/18039/badrabbit-ransomware-decided-to-avoid-one-antivirus-vendor
Posted by: dangeloancell1948.blogspot.com
