Bad Rabbit ransomware: A new variant of Petya is spreading warn researchers


Bad Rabbit, a ransomware infection thought to be a new variant of Petya, has apparently hit a number of organisations in Russia and Ukraine.

In a tweet, Russian cyber security firm Group-IB said that at least three media organisations in the country have been hit by encrypting malware.

At the same time Russian news agency Interfax said its systems have been affected by a ‘hacker attack’.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” Interfax said in a statement.


Bad Rabbit ransom note (Image: Kaspersky Lab)

On Facebook, Interfax said it had been hit by a “virus” and that it is taking “technical measures” to restore systems.

Meanwhile, several Ukrainian organisations have posted about systems failing – payment systems on the Kiev Metro appear to have fallen victim, while in a statement on its Facebook page, Odessa International Airport says its information system has been hit by hackers.

“We inform that the information system of the International Airport “Odessa” suffered a hacker attack,” reads a translation of the post.

CERT-UA, the Computer Emergency Response Team of Ukraine, also warned of the “possible start of a new wave of cyber attacks to Ukraine’s information resources” as reports of Bad Rabbit infections started to come in.

Cybersecurity researchers at ESET are among those monitoring the attack and have identified the ransomware encrypting some computers as Diskcoder.D, a new variant of the ransomware also known as Petya, a particularly vicious form of file-encrypting malware which hit organisations around the globe in June.

ESET say the ransomware is being spread by a fake Flash update and propagates using EternalBlue – the same leaked NSA exploit which aided the spread of WannaCry and Petya. EternalBlue leverages a version of Windows’ Server Message Block (SMB) networking protocol in order to spread laterally through networks.

Bad Rabbit also uses the Mimikatz tool to extract credentials from affected systems.

“ESET’s telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine; however, there are also reports that computers in Turkey, Bulgaria and other countries are affected,” it said.

Kaspersky Lab researchers say this ransomware is called Bad Rabbit – victims are sent to a Tor page with the same title in order to pay a ransom of 0.05 Bitcoins ($286) to get their files back. The note also features a timer counting down from just over 41 hours, telling the user they need to pay within that time or face the ransom going up.

Researchers also note that Bad Rabbit uses attack methods “similar” to June’s Petya attack – but have not yet confirmed a link with the previous incident, or whether it has the capability to spread as widely.

A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of the files `c:\windows\infpub.dat` and `C:\Windows\cscc.dat` in order to prevent infection.
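One way for an administrator to act on that advice is to pre-create the two file paths named above and put a deny entry on them so nothing can write to or execute them. The script below is an added example, not code from the article or from Kaspersky Lab; it assumes an elevated PowerShell session on the affected Windows hosts, and it assumes that an NTFS deny entry on those exact paths is an adequate way to carry out the “block the execution” recommendation for the variant described.

```powershell
# Added example (not from the article): pre-create the files named in Kaspersky's
# advice and deny write/execute on them. Run from an elevated PowerShell session.
$paths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

# Deny rights to Everyone (well-known SID S-1-1-0) so the paths cannot be
# overwritten by a dropper or launched as a payload.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$denied   = [System.Security.AccessControl.FileSystemRights]::ExecuteFile -bor
            [System.Security.AccessControl.FileSystemRights]::Write

foreach ($p in $paths) {
    # Create an empty placeholder if the file is not already present.
    if (-not (Test-Path -LiteralPath $p)) {
        New-Item -Path $p -ItemType File -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $p
    # Stop inheriting permissive ACEs from C:\Windows; keep none of them.
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, $denied, 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $p -AclObject $acl
}

# Verification: list the resulting ACEs so the deny entry can be confirmed
# (and so the change can be audited or rolled back later).
foreach ($p in $paths) {
    Write-Host "ACL for $p"
    (Get-Acl -LiteralPath $p).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}
```

To undo the change later, remove the placeholder files after taking ownership (`takeown /f <path>` followed by deleting the file), since the deny entry also blocks ordinary deletion by non-owners. This is a stop-gap alongside patching and endpoint protection, not a substitute for either; the article's own figures (hundreds of detections across several countries) show why the SMB-based lateral movement it describes should also be addressed at the network level.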

More on this story as it develops.