SecurityWeek

‘Bad Rabbit’ Ransomware Attack Hits Russia, Ukraine

Several major organizations in Russia and Ukraine were hit in the past few hours by a ransomware named “Bad Rabbit.” The incident is reminiscent of the massive attack involving NotPetya malware, which ended up costing companies millions of dollars.

Few details are known so far about the Bad Rabbit attack, which has the potential to cause significant damage.

Infected computers display a screen informing users that their files have been encrypted and instructing them to access a website over the Tor anonymity network. The Tor site tells victims to pay 0.05 bitcoin, worth roughly $283, to obtain the key needed to recover the encrypted files. However, the price goes up if the ransom is not paid within two days.

Bad Rabbit page on Tor - Credit Bart Blaze

The list of organizations reportedly hit by the Bad Rabbit ransomware includes Russian media outlets Interfax and Fontanka, the airport in Odessa, the Kiev subway, the State Aviation Service of Ukraine, and the Transport Ministry of Ukraine. Interfax and others said the attack disrupted their operations.

Researchers are still analyzing the malware, but initial reports claim Bad Rabbit has been distributed via fake Flash Player updates. Some said the ransomware also leverages the Mimikatz post-exploitation tool for lateral movement within the compromised network. Kaspersky’s Anton Ivanov revealed that the threat uses code from a legitimate disk encryption utility named DiskCryptor.

Security firm ESET said the malware appears to be a new variant of NotPetya, also known as Diskcoder, Petya, Petrwrap, exPetr and GoldenEye. However, this has not been confirmed by other researchers. ESET reported that while most infections are in Russia and Ukraine, some compromised machines were also detected in Turkey, Bulgaria and other countries.

There are also some reports that Bad Rabbit uses SMB – specifically the NSA-linked EternalBlue exploit – to spread, just like NotPetya. However, this hasn’t been confirmed either.

The attack is reminiscent of NotPetya, which started spreading via a software update from a Ukrainian company. However, NotPetya turned out to be a wiper rather than ransomware.

The fact that another major attack has hit Ukraine is not surprising considering that the country’s Security Service warned earlier this month about a possible large-scale cyberattack on state organizations and private companies. The agency said the purpose of the attack would be to disrupt IT systems and destabilize the situation in the country.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
