Malware, Ransomware

BadRabbit ransomware spreading in Russia and the Ukraine, vaccine posted

Update 2! Several Russian news agencies and additional targets in Ukraine are reportedly being hit with cyberattacks, which the security firm GroupIB believes to be based on a new variant of Petya called BadRabbit.

GroupIB reported on Twitter that the Russian Interfax news agency is down due to a cyberattack. Interfax has confirmed the report and has continued posting news stories along with updates on its own situation on its Facebook page. Check Point said the Ukrainian targets included Kiev Metro (Ukrainian train services), Odessa Airport (Ukraine), Ukrainian ministries of infrastructure and finance.

Cybereason researcher Mike Iacovacci has posted a series of steps to take that will prevent a system from being infected with BadRabbit. Click here for the instructions.

Early reports indicate a BadRabbit is being spread through a fake Adobe Flash Player update that pops up on some Russian news media sites and the attacker is demanding a 0.05 bitcoin ransom, about $280. Images posted on Twitter show the ransom note is written in English even though no English speaking country has been reported hit.

At this early stage there is also some disagreement over whether or not the malware is using the same EternalBlue exploit or something similar that was successfully utilized by Wannacry and Petya earlier this year. Check Point noted that the lock screen displayed once a computer is encrypted, using the open source DiskCryptor software, is similar to what was used in Petya and NotPetya attacks.

"However, this is the only similarity we can observe between both malware, in all other aspects BadRabbit is a completely new and unique ransomware," Check Point said in a statement to SC Media. 

Dave Maasland, an ESET managing director, said in a tweet that EternalBlue is not in play with BadRabbit.

“Now we can confirm, no EternalBlue or any other SMB exploit inside, the SMB protocol is used only to check hardcoded credentials,” he tweeted.

However, Nick Carr, security consulting and incident response at Mandiant, posted on Twitter that BadRabbit drops and executes c:windowsinfpub.dat by ordinal function and he is expecting many similarities to EternalPetya with this new attack.

Adam Meyers, CrowdStrike's vice president of Intelligence, said the initial investigation suggests several parallels with NotPetya malware, although verification of these overlaps is ongoing at this time.

Crowdstrike also believes, "BadRabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017,” Meyers told SC Media.

“There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as widespread as WannaCry or NotPetya,” said Chris Doman, security researcher at AlienVault.

First update includes information from Checkpoint.

Second update includes Cybereason vaccine Crowdstrike commentary.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.