The post is being updated as our experts find new details on the malware.
We’ve already seen two large-scale ransomware attacks this year — we’re talking about the infamous WannaCry and ExPetr (also known as Petya and NotPetya). It seems that a third attack is on the rise: The new malware is called Bad Rabbit — at least, that’s the name indicated by the darknet website linked in the ransom note.
What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and Fontanka.ru among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it’s the same attack is not yet clear.
The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom — that’s roughly $280 at the current exchange rate.
Details of the attack and its mechanism of spreading are still to be investigated, and whether it’s possible to get back files encrypted by Bad Rabbit (either by paying the ransom or by using some glitch in the ransomware code) isn’t yet known. Kaspersky Lab antivirus experts are investigating the attack, and we will be updating this post with their findings.
According to our data, most of the victims of these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr. We continue our investigation.
Kaspersky Lab’s products detect the attack with the following verdicts: UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network) and PDM:Trojan.Win32.Generic (detected by System Watcher).
To avoid becoming a victim of Bad Rabbit:
Users of Kaspersky Lab products:
- Make sure you have System Watcher and Kaspersky Security Network running. If not, it’s essential to turn these features on.
- Block the execution of files c:\windows\infpub.dat and c:\Windows\cscc.dat.
- Disable WMI service (if it’s possible in your environment) to prevent the malware from spreading over your network.
Tips for everyone:
- Back up your data.
- Don’t pay the ransom.