Reports have surfaced of a new strain of ransomware called Bad Rabbit beginning to spread in Russia and Ukraine, initially targeting government and media institutions. Infections have also been seen in Turkey and Bulgaria, but the scope of the spread is still unclear.
The malware has affected systems at three Russian websites, including news services Interfax and Fontanka.ru; an airport in Ukraine; and an underground railway in Kiev.
Kaspersky and British IT security company ESET have both mentioned links to NotPetya but could not confirm whether the two strains were related. Kaspersky said:
‘Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr [Kaspersky's name for NotPetya] attack. However, we cannot confirm it is related to ExPetr.'
Rik Ferguson, VP of security research at Trend Micro, tweeted that the ‘outbreak' has been blown out of proportion.
Bad Rabbit spreads itself through downloads, requiring a target to take action to install the ransomware - which takes the form of a bogus Adobe Flash installer. Only targets of interest are being infected so far, with We Live Security noting:
‘Server side logic can determine if the visitor is of interest and then add content to the page. In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page.'
Once installed, the ransomware can move laterally within a network using SMB - similar to NotPetya. Malwarebytes said that the two strains were ‘probably prepared by the same authors':
‘Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn't use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria).'
SentinelOne's chief security consultant, Tony Rowan, told us, ‘This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success.'
Interestingly, Malwarebytes says that Bad Rabbit does not use EternalBlue to spread, while Rowan thinks it does. We have gone back to both for more information.
If they are infected, users are redirected to a TOR domain where they are asked to pay .05 Bitcoin (about $280), with a countdown to an increase in price. It is not yet clear whether users will get their files back or if, like NotPetya, they will simply be destroyed. Infected users have been advised not to pay the ransom.
Researcher Kevin Beaumont discovered that the author(s) appear to be fans of Game of Thrones; BadRabbit creates scheduled tasks named after Daenerys Targaryen's dragons, Drogon, Rhaegal and Viserion, as well as a reference to the Unsullied fighter Grey Worm (very different to the skin disease greyscale).
BadRabbit creates two scheduled tasks, named after the dragons from Game of Thrones. Also a reference to GrayWorm, the skin disease in GoT. pic.twitter.com/BfQxGrMwC0— Beaumont Porg, Esq. (@GossiTheDog) October 24, 2017
So far, two-thirds of infections have been seen in Russia, and just over 12 per cent in Ukraine.
Facebook told by Brussels-based court to stop tracking non-users and to delete all data held on them
Supply chain and manufacturing experience could give Dyson an important edge
New VR Zone Portal arcades open in London and Tunbridge Wells
Systems-on-a-chip with integrated AI features could make voice and facial recognition