A new ransomware attack dubbed “Bad Rabbit” is sweeping Russia and Ukraine, among other Eastern European countries, according to several reports.
It is too early to tell how far-reaching the event will be, or exactly who has been hit so far, but a series of reports concerning attacks on Ukrainian transportation and infrastructure have set alarms blaring.
Russian cybersecurity firm Group-IB reports that at least three Russian media outlets have been attacked, and that the campaign also counts “state institutions and strategic objects in Ukraine” among its victims. The firm told Motherboard that an airport in Odessa, the Kiev subway, and the Ministry of Infrastructure of Ukraine had all been affected by a “new mass cyberattack.”
Russian news agency Interfax announced via Twitter that it was working to restore its systems after hackers took down its servers.
Once infected, victims are directed to a Tor hidden service where a ransom of 0.05 Bitcoin (about £210 at the time of writing) is demanded. If the ransom is not paid within roughly 40 hours, the price of decrypting the lost data increases. The ransom note, red text on a black background, looks similar to the one used in the NotPetya attacks this June.
According to the Moscow-based Kaspersky Lab, Bad Rabbit infections have been detected in Turkey and Germany as well. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the [NotPetya] attack,” the firm reported. “However, we cannot confirm it is related to [NotPetya]. We continue our investigation.”
The Slovak cybersecurity firm ESET said in a blog post that the attack on the Kiev Metro systems was a variant of the Petya ransomware upon which NotPetya was also based—though NotPetya was eventually determined to be wiper malware, designed to permanently destroy data rather than collect a ransom.
Bad Rabbit has also reportedly spread to Poland and South Korea. US-CERT has advised those infected not to pay the ransom, saying that paying “does not guarantee that access will be restored.” In a statement, CrowdStrike Vice President Adam Meyers said the infections appear to have originated from the Russian news and celebrity gossip site argumentiru.com.
Despite rumours, Talos reports there are no signs Bad Rabbit is utilising the EternalBlue exploit previously employed by WannaCry.
Update: Avast has now reported the first Bad Rabbit infections detected in the United States. “We expect a growing number of detections in the hours ahead,” the firm says. Don't despair just yet, though: malware analyst Amit Serper, principal security researcher at Cybereason, has found a vaccine. See the instructions in the tweet below:
I can confirm - Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat - remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :) pic.twitter.com/5sXIyX3QJl
— Amit Serper (@0xAmit) 24 October 2017
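The tweet above gives the vaccine as a manual procedure. The script below is an added example, written for this page and not code from the article, from Cybereason or from Amit Serper, that applies the same two steps with PowerShell: create the two files named in the tweet, then strip every permission from them, inherited entries included. The file names come from the tweet; the choice of the .NET ACL API (`SetAccessRuleProtection` and `RemoveAccessRule`) to express “remove ALL PERMISSIONS (inheritance)” is this example's own assumption, not something the tweet specifies. It must be run from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example: applies the Bad Rabbit "vaccine" described in the tweet
# above using PowerShell. Not code from the article or from Amit Serper.
# Run elevated. The two file names are the ones the tweet gives; the ACL
# handling below is this example's assumption about how to implement
# "remove ALL PERMISSIONS (inheritance)".

$files = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

foreach ($path in $files) {
    # Step 1 from the tweet: create the file. Only create it if it is not
    # already there, so an existing file is never overwritten.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Step 2 from the tweet: remove all permissions, including inheritance.
    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting ACEs from C:\Windows ($true) and discard the
    # inherited entries instead of copying them as explicit ones ($false).
    $acl.SetAccessRuleProtection($true, $false)

    # A freshly created file normally has only inherited ACEs, but if the
    # file already existed it may carry explicit ones; drop those too so
    # the DACL ends up empty. RemoveAccessRule only acts on explicit ACEs,
    # hence the IsInherited filter.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }

    Set-Acl -LiteralPath $path -AclObject $acl
}

# Check: each file should exist and report zero ACEs. Reading the ACL still
# works for the account that created the file because the owner keeps the
# implicit READ_CONTROL and WRITE_DAC rights even with an empty DACL.
foreach ($path in $files) {
    $aceCount = @((Get-Acl -LiteralPath $path).Access).Count
    '{0}: exists={1}, ACEs={2}' -f $path, (Test-Path -LiteralPath $path), $aceCount
}
```

Because the owner retains WRITE_DAC on a file with an empty DACL, the same elevated account can later undo the vaccine by re-enabling inheritance with `Set-Acl` (or by deleting the files) without having to take ownership first.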