New wave of data-encrypting malware crashes through Russia and Ukraine
A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations, and airports, according to multiple security companies Tuesday.
Bad Rabbit, as the outbreak is being dubbed, is primarily attacking targets in Russia, but is also infecting computers in Ukraine, Turkey and Germany, researchers from Moscow-based Kaspersky Lab said. The antivirus provider reported the malware is using hacked Russian media websites to infect devices. It appears to target corporate networks by using methods similar to those used in a June data-wiping attack dubbed NotPetya that shut down computers around the world.
Russia's Interfax news agency reported on Twitter that a hacker attack has taken out its servers and forced it to rely on its Facebook account for the time being. Russian forensics firm Group IB said Bad Rabbit has infected two other Russian media outlets besides Interfax. In nearby Ukraine, computer systems for the Kiev Metro, Odessa airport, and the Ukrainian ministries of infrastructure and finance have also been affected, according to a blog post published Tuesday morning by antivirus provider Eset. Meanwhile, the Ukrainian computer emergency agency CERT-UA also posted an advisory on Tuesday morning reporting a series of cyberattacks, without specifically naming the malware used in those attacks.
Preliminary analysis indicates the malware is professionally developed and incorporates a variety of advanced measures designed to allow it to rapidly infect large government and corporate networks. Security researcher Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets' hard drives. He went on to say it relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers' hard drives known as the master boot record. Eset said the malware also uses the Mimikatz network administration tool to extract credentials from the affected systems.
In at least some of the cases, Bad Rabbit uses fake Adobe Flash updates to trick targets into compromising their computers. Beaumont also noticed that Bad Rabbit makes references to the popular fantasy drama series Game of Thrones, naming two scheduled tasks after the dragons Drogon and Rhaegal and throwing in a reference to the dreaded skin disease known as GrayWorm.
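As an added defender-side example (not code from the article or from the researchers it cites), the following script correlates constructed endpoint events and flags hosts that show the two behaviours reported above: scheduled tasks named after the dragons Drogon and Rhaegal, and execution of the DiskCryptor tool. The event tuple format, the event type names and the process name `DiskCryptor` are assumptions made for this illustration, not published indicators.

```python
"""Illustrative correlation rule (added example; not from the article).

Flags hosts showing behaviours the article attributes to Bad Rabbit:
scheduled tasks named 'drogon' / 'rhaegal' and a DiskCryptor process start.
Event format and the process name are assumptions for this example.
"""
from collections import defaultdict

# Constructed sample events: (host, event_type, detail)
SAMPLE_EVENTS = [
    ("ws01", "task_created", "drogon"),
    ("ws01", "process_start", r"C:\Temp\DiskCryptor.exe"),
    ("ws01", "task_created", "rhaegal"),
    ("ws02", "task_created", "Backup-Nightly"),
    ("ws02", "process_start", r"C:\Windows\explorer.exe"),
    ("ws03", "task_created", "Rhaegal"),   # name case varies in the wild
]

SUSPICIOUS_TASK_NAMES = {"drogon", "rhaegal"}
ENCRYPTION_TOOLS = {"diskcryptor"}        # assumed process name


def _basename(path):
    """Normalise a Windows/POSIX path to a lowercase name without '.exe'."""
    name = path.replace("\\", "/").split("/")[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def score_hosts(events):
    """Return {host: set of matched behaviours} for hosts with any match."""
    findings = defaultdict(set)
    for host, etype, detail in events:
        if etype == "task_created" and detail.lower() in SUSPICIOUS_TASK_NAMES:
            findings[host].add("dragon_task")
        elif etype == "process_start" and _basename(detail) in ENCRYPTION_TOOLS:
            findings[host].add("disk_encryptor")
    return dict(findings)


def classify(findings):
    """'high' when both behaviours co-occur on a host, 'medium' for one."""
    return {host: ("high" if len(hits) == 2 else "medium")
            for host, hits in findings.items()}


if __name__ == "__main__":
    for host, level in sorted(classify(score_hosts(SAMPLE_EVENTS)).items()):
        print(f"{host}: {level}")
```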
Once Bad Rabbit infects a computer, it displays a message in orange letters on a black background. It directs users to a dark Web site that demands about $283 in Bitcoin to decrypt data stored on the encrypted hard drive. It's not yet known what happens if targets pay the ransom in an attempt to restore their data. The NotPetya malware was written in a way that made recovery impossible, a trait that has stoked theories that the true objective of the attackers was to wipe data in an act of sabotage, as opposed to generating revenue from ransomware. It also remains unclear who precisely is behind the attack.