X
Tech

Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchers

Updated: Organisations in Russia, Ukraine and other countries have fallen victim to what is thought to be a new variant of ransomware.
Written by Danny Palmer, Senior Writer

Bad Rabbit, a ransomware infection thought to be a new variant of Petya, has apparently hit a number of organisations in Russia and Ukraine.

In a tweet, Russian cybersecurity firm Group-IB said that at least three media organisations in the country have been hit by file-encrypting malware.

At the same time, Russian news agency Interfax said its systems have been affected by a "hacker attack".

"Interfax Group's servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience," Interfax said in a statement.

badrabbit.png

Bad Rabbit ransom note

Image: Kaspersky Lab

On Facebook, Interfax said it had been hit by a "virus" and that it was taking "technical measures" to restore systems.

Meanwhile, several Ukrainian organisations have posted about systems failing: payment systems on the Kiev Metro appear to have fallen victim to the attack, while in a statement on its Facebook page, Odessa International Airport said its information system had been hit by hackers.

"We inform that the information system of the International Airport "Odessa" suffered a hacker attack," a translation of the post says.

CERT-UA, the Computer Emergency Response Team of Ukraine, also posted that the "possible start of a new wave of cyberattacks to Ukraine's information resources" had occurred, as reports of Bad Rabbit infections started to come in.

Cybersecurity researchers at ESET are among those monitoring the attack and have identified the ransomware encrypting some computers to be Diskcoder.D -- which appears to be new variant of the ransomware known also as Petya, a particularly vicious form of file-encrypting malware which hit organisations around the globe in June.

Bad Rabbit shares some similarities with Petya - the ransom note looks almost identical and it can also use SMB to propagate across the infected network. However, researchers say much of the code appears to have been rewritten in this case.

Bad Rabbit also uses the Trojan-like Mimikatz tool to extract credentials from affected systems, something Petya didn't do.

"ESET's telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected," it said.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

Kaspersky Lab researchers say the cryptography behind this ransomware is called Bad Rabbit; victims are sent to a page with the same title on Tor in order to pay a ransom of 0.05 Bitcoins ($286) to get access to their files back. The note also features a timer counting down from just over 41 hours, telling the user they need to pay within that time or face the ransom going up.

Researchers also note that Bad Rabbit uses attack methods "similar" to June's Petya attack, but as of yet haven't confirmed a link with the previous incident, or if it has the capability to spread as widely.

"Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack," Kaspersky Lab researchers said, adding that one of the methods of distribution is a drive-by attack which drops the malware from compromised websites.
In a Tweet, Kaspersky Lab director of Global Research and Analysis said that some of the compromised websites - including Bakhmut, Ukraine's municipality website - have been hacked since July this year.

A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don't potentially fall victim to the attack, Kaspersky Lab says users can block the execution of file 'c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.' in order to prevent infection.

At this point, it's too soon to be able to identify the culprit is behind the Bad Rabbit attack. But, whoever it is, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in television series and the novels it is based on.

More on this story as it develops

Related coverage

Ransomware: Security researchers spot emerging new strain of malware

'Magniber' ransomware could potentially be an experiment by people behind the Cerber ransomware family.

Think cybercriminals are happy about the rise of ransomware? Think again

Ransomware is growing, but its rise has split opinion among cybercriminals.

READ MORE ON CYBERCRIME

Editorial standards