Another global hack? ‘BadRabbit’ ransomware spreading rapidly in Ukraine, Russia


The computer networks of multiple organisations in Ukraine, Russia and Germany have reportedly been hit by a widespread malware outbreak.

According to multiple cybersecurity firms, the malware now spreading is dubbed “BadRabbit” and is a form of ransomware that locks down machines and demands a bitcoin payment from their administrators.

Screenshots of the malware infections posted to social media suggest that BadRabbit asks for 0.05 BTC for decryption, the equivalent of £215 ($280).

Reports indicate that the Kiev Metro, Odessa naval port and Odessa airport were infected. Two Russian news outlets, Interfax and Fontanka, reported outages.

On 24 October 2017, Interfax tweeted: “Due to hacker attack Interfax servers failed. The technical services shall take all measures to restore the work systems.

“While core resources Interfax remain inaccessible due to the attacks, we publish news on our Facebook.”

ESET, a Slovakian cybersecurity company, said that upon initial analysis the malware was “Diskcoder.D” – otherwise known as “Petya”. The same variant was responsible for a major cyberattack in June earlier this year which eventually spread across the globe.

The security firm suggested that infections were growing.

“ESET’s telemetry has detected hundreds of occurrences of Diskcoder.D,” it said, adding: “Most of the detections are in Russia and Ukraine; however, there are also reports of computers in Turkey, Bulgaria and other countries being affected.

“ESET security researchers are working on a comprehensive analysis of the Diskcoder.D malware.

“According to their preliminary findings, Diskcoder.D uses the Mimikatz tool to extract credentials from the affected systems. Apart from this, it has also a hardcoded list of credentials.”

In a blog post, Moscow-based cybersecurity firm Kaspersky Lab said the majority of victims so far were located in Russia, but stressed that its probe remains ongoing.

It elaborated: “We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites.

“Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr [Petya] attack. However, we cannot confirm it is related to ExPetr. We continue our investigation.” The firm urged victims not to pay the ransom.

The previous Petya cyberattack spread via a hacked software update from a company called MeDoc.

The origins of the latest incident – and exactly how it is spreading – were not immediately clear. Preliminary evidence indicated that a malicious Adobe Flash update was involved.

Months earlier, in May 2017, a strain of ransomware called “WannaCry” spread to hundreds of thousands of computers in 150 countries. In the UK, it knocked some of the National Health Service (NHS) computer networks offline, resulting in operational delays and closures.

Both Petya and WannaCry were linked to a stolen National Security Agency (NSA) exploit called “EternalBlue”, released online by a mysterious group dubbed The Shadow Brokers in March.

At least one security researcher suggested that EternalBlue was used in the BadRabbit attack.

WannaCry targeted the Windows Server Message Block (SMB) protocol and was ultimately stopped by Marcus Hutchins, a 22-year-old security expert now facing a US federal indictment for allegations unrelated to his work on the massive ransomware outbreak.

Microsoft’s Malware Protection Centre said it was investigating the potential outbreak.

[Image: The Diskcoder.D ransom note. Source: ESET]