"Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the Bad Rabbit 'flash update' dropper)," FireEye researchers wrote. "The distribution of sites compromised with Backswing suggest (sic) a motivation other than financial gain. FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year. We observed a spike of Backswing instances on Ukrainian sites, with a significant increase in May 2017. While some sites hosting Backswing do not have a clear strategic link, the pattern of deployment raises the possibility of a strategic sponsor with specific regional interests."
Researchers added that using Backswing to gather information on targets and the growing number of malicious websites containing the framework could point to "a considerable footprint the actors could leverage in future attacks."
Bad Rabbit ransomware recovery
Meanwhile, researchers from Kaspersky Lab discovered flaws in the Bad Rabbit ransomware that could give victims a chance to recover encrypted data without paying the ransom.
The Kaspersky team wrote in a blog post that early reports claiming Bad Rabbit leaked its encryption key were false, but the team did find a flaw in the code: the malware does not wipe the generated password from memory, leaving a slim chance to extract it before the process terminates.
However, the team also detailed an easier way to potentially recover files.
"We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim's files," Kaspersky researchers wrote. "It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities."
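One way to carry out the shadow-copy check and restore that the Kaspersky researchers describe, as an added PowerShell example that is not from the article or from Kaspersky; the infection timestamp and the directory paths are assumptions to be replaced with values from the actual incident timeline:

```powershell
# Added example, not part of the article or Kaspersky's write-up.
# Run as Administrator on the affected host. This only helps when the
# disk-level encryption stage did not complete and shadow copies existed
# before the infection.

# 1. Enumerate existing Volume Shadow Copies. If this list is empty,
#    shadow-copy recovery is not an option for this host.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No shadow copies present; fall back to offline backups."
    return
}
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# 2. Pick the newest snapshot taken before the infection
#    (assumed timestamp; replace with the time from your incident timeline).
$infectionTime = Get-Date '2017-10-24 11:00'
$snapshot = $shadows | Where-Object { $_.InstallDate -lt $infectionTime } |
    Select-Object -First 1
if (-not $snapshot) {
    Write-Warning "Every snapshot postdates the infection; its contents may already be encrypted."
    return
}

# 3. Expose the snapshot as a directory. The DeviceObject path must end with a
#    backslash for the symbolic link to resolve.
$mount = 'C:\ShadowRecovery'
cmd /c mklink /d $mount "$($snapshot.DeviceObject)\" | Out-Null

# 4. Restore files to a separate location (never over the encrypted originals)
#    so the recovered content can be verified before it is put back into use.
$sourceDir  = Join-Path $mount 'Users\victim\Documents'   # assumed path
$restoreDir = 'D:\Restored\Documents'                      # assumed path
New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null
Copy-Item -Path (Join-Path $sourceDir '*') -Destination $restoreDir -Recurse -Force

# 5. Remove only the link when done; the snapshot itself is left untouched.
cmd /c rmdir $mount
```

The restored files should be compared against the encrypted copies (size, type, ability to open) before the host is returned to service.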