Bad Rabbit Ransomware Spreads In Russia, Ukraine

A ransomware dubbed BadRabbit, believed to be a Petya variant, is hopping its way across Eastern Europe and Russia. Details are just starting to emerge, but it could also be tied to a string of ransomware attacks on critical infrastructure in Ukraine.

BadRabbit was first spotted attacking Russian media outlets on Tuesday, including the news agency Interfax, according to security firm Group-IB, which posted a screenshot of the ransom screen. Other security firms have followed with their own early research and detections, with the consensus being that the malware is a variant of the Petya ransomware. The attackers are demanding 0.05 bitcoin as ransom—or about $280 at the going exchange rate.

ESET researchers meanwhile reported this morning on a ransomware attack affecting targets in Ukraine, including the Kiev Metro, the Odessa airport and various governmental organizations. ESET analysis revealed it to be a new form of the Diskcoder ransomware, also a Petya variant, which infamously hit organizations in the Ukraine and globally back in June, including pharma behemoth Merck and Maersk, the shipping giant. ESET indicated that it believes Diskcoder is also BadRabbit by another name, though other security firms haven’t linked the two waves of attacks yet.

“Beyond the Bad Rabbit indicators and samples, security analysts should pay special attention to the companies and types of organizations that are affected,” said JASK director of security research Rod Soto, via email. “Targeted campaigns can use numerous look alike payloads, but the code may do different things in the background. It may look like a ransomware campaign by appearance, but actual payloads may differ depending on actual targets. This can only be determined by looking at all distributed malicious code, which is not easy, but circumstantial and geopolitical factors may give us a clue.”

Analysis is just starting on this latest wave of attacks, but ESET researchers have determined that the code used in the Ukraine attacks incorporates Mimikatz as a tool to extract credentials, and that it spreads via fake Flash updates. Separately, another ESET researcher said that it uses the EternalBlue exploit, as WannaCry and the Diskcoder attack in June did.

Kaspersky Lab meanwhile said in a preliminary post on the malware that hit the news outlets that early indicators show that the attacks are targeting corporate networks, mostly in Russia but also Ukraine, Turkey and Germany, and that it uses an infection vector similar to Petya (which it calls ExPetr)—but that it couldn't confirm yet whether the two are related.

“It's important to separate the infection vector (and spreading mechanisms) from the payload. In the past, worms and other malware would spread more covertly, but with ransomware, the primary goal is to be detected,” said ex-NSA computer scientist and Obsidian Security CTO Ben Johnson, via email. “It's more [of an] in-your-face cyber-attack than in the past. For the infection vector, attackers are getting smarter about how they compromise more systems, and we will continue to see campaigns like this because they work.”

Beyond what is being seen, there's always the chance that the motive isn't actually ransomware, he added.

“Perhaps ransomware is a nice distraction, or it generates some extra cash, but rather there is a more sinister payload embedded in the attack,” Johnson said. “I haven't looked at any technical information to suggest this, but criminals and attackers are getting smarter and more deliberate in how they operate.”

This story is developing, and more details are expected soon as security firms make their way through their analysis.

What’s Hot on Infosecurity Magazine?