A new ransomware attack named BadRabbit is spreading through Russia, Ukraine, and other Eastern European countries. It targets corporate networks: computer systems for the Kiev Metro, Ukraine’s Odessa International Airport, several Russian media outlets, and others have been affected, with systems encrypted and computers displaying a ransom message.
Cybersecurity researchers at ESET and Kaspersky are among the organizations keeping watch. Both say the authors have ties with Petya, the ransomware attack that spread worldwide earlier this summer. Cybersecurity firm Kaspersky found that both Petya and BadRabbit appeared on dozens of the same hacked websites, according to a report from Wired. Both spread by using the Windows Management Instrumentation Command-line, a scripting interface for managing devices and applications in a network, along with Mimikatz, a tool for harvesting passwords and other data from computers. "This indicates that the actors behind ExPetr / NotPetya have been carefully planning the BadRabbit attack since July," Kaspersky tells Wired.
ESET says one of the methods used to distribute BadRabbit is a drive-by download, where JavaScript is injected into a website’s HTML body or a .js file. When someone then visits a compromised site, a pop-up saying Flash Player needs to be updated tricks victims into downloading and installing the malware themselves. ESET tells Wired it believes this was only one method, and possibly a “smoke screen.”
Once a computer is infected, victims are sent to a page reachable through the Tor browser that demands 0.05 bitcoins (about $275) within around 41 hours, in exchange for the decryption of the data and access to the machine. If time expires, the ransom increases.
Although BadRabbit shows similarities to Petya, it’s still unclear who is behind the recent attack. The original Petya took down a number of government agencies and businesses earlier this year, mostly in Ukraine. Russia is a viable suspect for Petya, but all evidence tying the malware with any nation state has been circumstantial.