The United States government has issued a warning of a new ransomware attack spreading through Russia, Ukraine and other Eastern European countries. The ransomware, named Bad Rabbit, disguises itself as an Adobe update and demands money before unlocking the files.
Bad Rabbit – pretty much everywhere
In Russia and Ukraine, the ransomware has already seeped in through media companies and transportation systems. The ransomware has also been detected in other countries including the United States, Japan and Germany. Some cases have also been detected in Bulgaria, South Korea and Poland.
The Russian news agency, Interfax, stated that some of their services were affected by the attack, and they are working to get it fixed. Similarly, Ukraine’s Odessa airport stated that after systems went down, the passenger data had to be processed manually, leading to a delay. Kiev’s metro system also reported a hack on its payment system, but stated that trains were running normally, according to Firstpost.
Kaspersky says that the Russian news group Fontanka.ru has also been impacted by Bad Rabbit. Kaspersky believes that Bad Rabbit is somewhat related to the malware NotPetya or ExPetr. The security firm also found that Bad Rabbit and Petya appeared on several of the same hacked websites. “Our researchers have detected a number of compromised websites, all news or media sites,” Kaspersky said in a blog post.
The United States Department of Homeland Security has asked the public not to pay any ransoms, and to report the matter to the Federal Bureau of Investigation through the government’s Internet Crime Complaint Center.
What do experts know so far?
Users of an infected system land on a .onion Tor domain, where they need to pay 0.05 Bitcoin, or approximately $276, to get their data back. A countdown then pops up on the screen showing the amount of time left before the ransom price shoots up, notes TechCrunch.
Reports suggest that after the ransomware hits the initial machine in a network, it uses the open-source tool Mimikatz to hunt for login credentials stored on the machine, and tries to use those credentials to infect other machines, notes Tom’s Guide. Yevgeny Gukov of the Russian IT security firm Group-IB said that the malware could be deploying an encryption layer that blocks analysts from decoding the malicious code.
Robert Lipovsky, a malware researcher at cyber-security firm ESET, believes it to be a well-coordinated attack, as the new ransomware was able to infect a lot of critical infrastructure and institutions in such a short time frame. CERT-UA, the Computer Emergency Response Team of Ukraine, has also confirmed that Bad Rabbit could be the “new wave of cyberattacks to Ukraine’s information resources.”
Speaking to Wired, Costin Raiu, the director of Kaspersky’s global research and analysis team, said that an attack of this degree indicates that the brains behind ExPetr/NotPetya have been planning the Bad Rabbit attack since July. According to researchers, Bad Rabbit does not use EternalBlue, the Windows exploit that was used in the NotPetya and WannaCry ransomware attacks.
In good news, Amit Serper, a malware researcher at Cybereason, tweeted that he had found a way to vaccinate a computer against the Bad Rabbit infection. “Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat – remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)” Serper tweeted.
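The vaccine Serper describes, written out as an added PowerShell example (this is not code from the article or from Cybereason): it pre-creates the two file names from the tweet under C:\Windows, breaks ACL inheritance without copying the inherited entries, and strips any explicit entries so the files end up with an empty DACL. It assumes it is run from an elevated prompt by a local administrator, who will own the files it creates.

```powershell
# Added example: apply the Bad Rabbit "vaccine" from Amit Serper's tweet.
# Assumed: run elevated; the caller is a local administrator and owns the
# placeholder files, so it keeps implicit READ_CONTROL/WRITE_DAC on them.

function Protect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty placeholder so the dropper finds the name taken.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Pass 1: break inheritance and discard the inherited entries
    # (second argument $false = do not copy them down as explicit entries).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Pass 2: remove any explicit entries that remain, leaving an empty DACL.
    # An empty DACL grants access to no one: the "remove ALL PERMISSIONS" step.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Report the result: inheritance broken and zero remaining entries is the goal.
    $final = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path              = $Path
        InheritanceBroken = $final.AreAccessRulesProtected
        RemainingAces     = @($final.Access).Count
    }
}

# The two file names named in the tweet.
'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat' |
    ForEach-Object { Protect-VaccineFile -Path $_ }
```

Because the resulting DACL is empty, even administrators will need to take ownership (for example with takeown or icacls) before they can modify or delete the files later.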