Organizations in Ukraine and Russia have been hit by a new ransomware copy called Bad Rabbit, which would be a Petya ransomware variant that spread this summer, reports anti-virus company
ESET. The malware would have infected hundreds of systems.
Among the victims are the Kiev metro, the Odessa airport and the Ukrainian ministries, according to the virus fighter. Anti-virus company
Kaspersky Lab announces that most victims are in Russia. For example, the Russian press agency
Interfax has been hit by the ransomware. The press office reports that the news services are not available because of the attack. "Based on our research, it is a targeted attack on corporate networks through methods similar to the ExPetr attack," said Kaspersky researcher Alex Perekalin. ExPetr is one of the names given to the Petya variant of this summer.
According to Kaspersky Lab, Bad Rabbit ransomware is spread through a number of hacked Russian media websites. ESET researcher
Lukas Stefanko , Proofpoint researcher
Darien Huss and the known anti-virus veteran
Vesselin Vladimirov Bontchev warn that ransomware is on websites as an
update for Flash Player . As soon as a user downloads and opens this so-called update, the Bad Rabbit ransomware will be activated on the system. Bad Rabbit tries to spread on the network. To do this, a list of common passwords is used, and Bad Rabbit tries to steal login data through the Mimikatz tool.
Bad Rabbit encrypts files and, like Petya, overwrites the Master Boot Record (MBR) of the hard drive. Therefore, the system becomes unusable. The ransomware claims victims 240 euros for decrypting the files. Whether victims pay the ransom to recover their files is still unknown. Organizations are advised to block executing files c: \ windows \ infpub.dat and c: \ windows \ cscc.dat and, if possible, disable Windows WMI service so that ransomware can not spread further .
Initially, ESET researcher Stefanko reported that the EternalBlue operation was also used. This does not appear to be the case at all. The article has been modified.
The attackers knew to hack several media and news sites. Then there was a malicious code that offered the so-called Flash Player update. Most infections have been observed in Russia, followed by Ukraine, Bulgaria and Turkey. According to ESET, all major companies are affected at the same time. "It is possible that the attackers already had access to the network and launched the attack through the websites at the same time as distraction," said Marc-Etienne M.Léveillé of ESET. He notes that there are no indications that employees of affected organizations have been stepped into the so-called Flash Player update. Anti malware company
Malwarebytes announces that the attackers behind Bad Rabbit are likely to be responsible for the Petya / NotPetya variant of last June.
In the meantime, several technical analyzes of Bad Rabbit have appeared online. :
-
Bitdefender
-
Cisco
-
ESET
-
Kaspersky Lab
-
Malwarebytes
-
McAfee
-
Qualys
According to
Costin Raiu of Kaspersky Lab, the attackers behind Bad Rabbit would have been working on setting up the network of hacked websites since July. The attackers had access to, inter alia, Russian, Turkish, German and Bulgarian websites.