
'Bad Rabbit' ransomware strikes Ukraine and Russia


Petrovic


A new wave of ransomware has hit several targets in Russia and Eastern Europe on Tuesday, according to media reports and several security companies.

The malware, dubbed Bad Rabbit, has hit three Russian media outlets, including the news agency Interfax, according to Russian security firm Group-IB. Once it infects a computer, Bad Rabbit displays a message in red letters on a black background, an aesthetic used in the massive NotPetya ransomware outbreak.

The ransom message asks victims to log into a Tor hidden service website to make the payment of 0.05 Bitcoin, valued at around $282 at the time of writing. The site also displays a countdown of a little bit over 40 hours before the price of decryption goes up.


A screenshot of the Bad Rabbit onion site. Image: Motherboard

At this point, it's unclear who's behind the attack, who all the victims are, how the malware is spreading, or where it originated. Interfax said on Twitter that due to a cyberattack its servers are down. The airport of Odessa, in Ukraine, was also hit by a damaging cyberattack on Tuesday, but it's unclear if it's been hit by Bad Rabbit.

The Ukrainian computer emergency agency CERT-UA posted an alert on Tuesday morning warning of a new wave of cyberattacks, without clearly mentioning Bad Rabbit.


A Group-IB spokesperson said that a "new mass cyberattack" Bad Rabbit has targeted Russian media companies Interfax and Fontanka, as well as targets in Ukraine such as the airport of Odessa, the Kiev subway, and the Ministry of Infrastructure of Ukraine.

Kaspersky Lab, a security firm based in Moscow, said that "most" Bad Rabbit infections are in Russia. Some are also in Ukraine, Turkey and Germany. The company called Bad Rabbit "a targeted attack against corporate networks."

"According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany. This ransomware infects devices through a number of hacked Russian media websites," Kaspersky Lab's Vyacheslav Zakorzhevsky, the head of the anti-malware research team, said in a statement. "Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr [NotPetya] attack. However, we cannot confirm it is related to [NotPetya]."

ESET, another security company based in the Czech Republic, confirmed that there's a live ransomware campaign. The company said in a blog post that at least in the case of the Kiev Metro, the malware is "a new variant of ransomware known also as Petya." NotPetya itself was also a variant of Petya. ESET said it has detected "hundreds" of infections.

A researcher from Proofpoint said that Bad Rabbit spread via a fake Adobe Flash Player installer. For now, very few antivirus companies detect Bad Rabbit as malicious, according to malware repository VirusTotal. A security researcher also uploaded a sample of the malware to Hybrid Analysis, a free alternative to VirusTotal.

A researcher from McAfee said that Bad Rabbit encrypts a wide variety of files, including .doc, .docx, .jpg and other common types of files. According to Kevin Beaumont, a security researcher who studies ransomware, Bad Rabbit contains references to Game of Thrones, specifically the names of Drogon and Rhaegal. Another researcher also confirmed this.

https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine

knowledge-Spammer

From Kaspersky

The post is being updated as our experts find new details on the malware.

We’ve already seen two large-scale ransomware attacks this year — we’re talking about the infamous WannaCry and ExPetr (also known as Petya and NotPetya). It seems that a third attack is on the rise: The new malware is called Bad Rabbit — at least, that’s the name indicated by the darknet website linked in the ransom note.


What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and Fontanka.ru among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it’s the same attack is not yet clear.

The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom — that’s roughly $280 at the current exchange rate.


Details of the attack and its mechanism of spreading are still to be investigated, and whether it’s possible to get back files encrypted by Bad Rabbit (either by paying the ransom or by using some glitch in the ransomware code) isn’t yet known. Kaspersky Lab antivirus experts are investigating the attack, and we will be updating this post with their findings.

According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr. We continue our investigation.

Kaspersky Lab’s products detect the attack with the following verdicts: UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network), PDM:Trojan.Win32.Generic (detected by System Watcher) and Trojan-Ransom.Win32.Gen.ftl.


To avoid becoming a victim of Bad Rabbit:

Users of Kaspersky Lab products:

  • Make sure you have System Watcher and Kaspersky Security Network running. If not, it’s essential to turn these features on.

Other users:

  • Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat.
  • Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.

Tips for everyone:

  • Back up your data.
  • Don’t pay the ransom.
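An added PowerShell script, not from the Kaspersky post or any Kaspersky product, that applies the two "Other users" mitigations above on a Windows host: it occupies the two file paths the post names and denies execute and write access on them, and optionally disables the WMI service. The file paths come from the post; the deny-ACE mechanism, the well-known SID S-1-1-0 for Everyone and the winmgmt service name are standard Windows facilities, and the -DisableWmi switch is an assumption of this example.

```powershell
# Added hardening script (not from the post). Run from an elevated prompt.
#Requires -RunAsAdministrator
param(
    # Assumed switch of this example: WMI is left running unless it is given,
    # because management and monitoring agents usually depend on it.
    [switch]$DisableWmi
)

# File paths taken from the post above.
$paths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

# Well-known SID S-1-1-0 ("Everyone"), so the rule works on any Windows locale.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]::ExecuteFile -bor
            [System.Security.AccessControl.FileSystemRights]::Write
$deny     = [System.Security.AccessControl.AccessControlType]::Deny

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        # Something already sits at this path: report it for the responder
        # instead of quietly overwriting potential evidence.
        $item = Get-Item -LiteralPath $p -Force
        Write-Warning ("{0} already exists ({1} bytes, modified {2}); treat the host as possibly infected" -f $p, $item.Length, $item.LastWriteTime)
    } else {
        # Occupy the path with an empty, read-only placeholder file.
        New-Item -ItemType File -Path $p -Force | Out-Null
        Set-ItemProperty -LiteralPath $p -Name IsReadOnly -Value $true
    }

    # Deny execute and write to Everyone. Deny ACEs take precedence over allow
    # ACEs; an administrator can still alter the ACL later because the
    # change-permissions right is not denied.
    $acl  = Get-Acl -LiteralPath $p
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, $rights, $deny
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $p -AclObject $acl
    Write-Host "Execute/write denied for Everyone on $p"
}

if ($DisableWmi) {
    # The post's second tip: stop the Windows Management Instrumentation
    # service (winmgmt) and keep it from starting at boot.
    $svc = Get-Service -Name winmgmt -ErrorAction SilentlyContinue
    if ($svc) {
        Stop-Service -Name winmgmt -Force
        Set-Service -Name winmgmt -StartupType Disabled
        Write-Host 'WMI service (winmgmt) stopped and disabled'
    }
}
```

Run it without -DisableWmi first and check the warnings it emits: a file already present at either path is a reason to isolate the host and collect the file, not just to harden it.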



A new strain of ransomware nicknamed "Bad Rabbit" has been found spreading in Russia, Ukraine and elsewhere.

The malware has affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev.

The cyber-police chief in Ukraine confirmed to the Reuters news agency that Bad Rabbit was the ransomware in question.

It bears similarities to the WannaCry and Petya outbreaks earlier this year.

However, it is not yet known how far this new malware will be able to spread.

"In some of the companies, the work has been completely paralysed - servers and workstations are encrypted," head of Russian cyber-security firm Group-IB, Ilya Sachkov, told the TASS news agency.

Two of the affected sites are Interfax and Fontanka.ru.

Meanwhile, US officials said they had "received multiple reports of Bad Rabbit ransomware infections in many countries around the world".

The US computer emergency readiness team said it "discourages individuals and organisations from paying the ransom, as this does not guarantee that access will be restored".

The malware is still undetected by the majority of anti-virus programs, according to analysis by virus checking site VirusTotal.

One security firm, Eset, has said that the malware was distributed via a bogus Adobe Flash update.

( ... )

SOURCE
