Advertisement

New Ransomware ‘Bad Rabbit’ Spreading Quickly Through Russia and Ukraine

There’s a potentially massive new ransomware spreading in eastern Europe.

|
Oct 24 2017, 3:39pm

Image: GettyImages

UPDATE, Oct 25, 4:14 p.m. ET: The infrastructure behind Bad Rabbit appears to be down.


A new wave of ransomware has hit several targets in Russia and Eastern Europe on Tuesday, according to media reports and several security companies.

The malware, dubbed Bad Rabbit, has hit three Russian media outlets, including the news agency Interfax, according to Russian security firm Group-IB. Once it infects a computer, Bad Rabbit displays a message in red letters on a black background, an aesthetic used in the massive NotPetya ransomware outbreak.

The ransom message asks victims to log into a Tor hidden service website to make the payment of 0.05 Bitcoin, valued at around $282 at the time of writing. The site also displays a countdown of a little bit over 40 hours before the price of decryption goes up.

A screenshot of the Bad Rabbit onion site. Image: Motherboard

At this point, it's unclear who's behind the attack, who all the victims are, how the malware is spreading, or where it originated. Interfax said on Twitter that due to a cyberattack its servers are down. The airport of Odessa, in Ukraine, was also hit by a damaging cyberattack on Tuesday, but it's unclear if it's been hit by Bad Rabbit.

Advertisement

The Ukrainian computer emergency agency CERT-UA posted an alert on Tuesday morning warning of a new wave of cyberattacks, without clearly mentioning Bad Rabbit.

A Group-IB spokesperson said that a "new mass cyberattack" Bad Rabbit has targeted Russian media companies Interfax and Fontanka, as well as targets in Ukraine such as the airport of Odessa, the Kiev subway, and the Ministry of Infrastructure of Ukraine.

Kaspersky Lab, a security firm based in Moscow, said that that "most" Bad Rabbit infections are in Russia. Some also in Ukraine, Turkey and Germany. The company called Bad Rabbit "a targeted attack against corporate networks."

"According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany. This ransomware infects devices through a number of hacked Russian media websites," Kaspersky Lab's Vyacheslav Zakorzhevsky, the head of the anti-malware research team, said in a statement. "Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr[NotPetya] attack. However we cannot confirm it is related to [NotPetya]."

ESET, another security company based in the Czech Republic, confirmed that there's a live ransomware campaign. The company said in a blog post that at least in the case of the Kiev Metro, the malware is "a new variant of ransomware known also as Petya." NotPetya itself was also a variant of Petya. ESET said it has detected "hundreds" of infections.

Advertisement

A researcher from Proofpoint said that Bad Rabbit spread via a fake Adobe Flash Player installer. Researchers from Kaspersky Lab confirmed this, and added that the malware dropper—the file that launches the malware—was distributed via booby-trapped legitimate sites, "all of which were news or media website."

The fake Flash update is not the only way Bad Rabbit spread, according to ESET. The ransomware also tries to infect computers inside the same local network as the infected one via the Windows data sharing protocol SMB, and then using the open source post-exploitation tool Mimikatz.

Initially, very few antivirus companies detect Bad Rabbit as malicious, according to malware repository VirusTotal. Security researcher also uploaded a sample of the malware on Hybrid Analysis, a free alternative to VirusTotal.

A researcher from McAfee said that Bad Rabbit encrypts a wide variety of files, including .doc, .docx, .jpg and other common type of files. According to several researchers, Bad Rabbit contains references to Game of Thrones, specifically the names of three dragons, Drogon, Rhaegal, and Viserion.

The hackers also put a reference to the 1995 movie Hackers in their code. As part of a list of default credentials that the malware uses to target computers, there are the following passwords: love, secret, sex, god, the four most common passwords according to the movie.

This story has been updated several times throughout the day.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

Get six of our favorite Motherboard stories every day by signing up for our newsletter.

More from motherboard