


'BadRabbit' Ransomware Targets Systems in Russia, Ukraine

A major ransomware attack is spreading across computers in Russia and Ukraine and has so far targeted media outlets and transportation systems, according to security researchers.

The attack started on Tuesday and infected computers at Russian news agency Interfax, along with four other media outlets, according to security firm Group-IB.

The ransomware, called BadRabbit, encrypts the computer's files and then demands the victim visit a Tor hidden service website to pay a ransom of 0.05 in bitcoin, or $282. It threatens to raise the price if payment isn't made within over 40 hours.

The attack has been moving swiftly. "Three media outlets were attacked a couple hours ago, then it was two more," said Evgeny Gukov, a Group-IB spokesman.

Interfax confirmed the hack and stated company servers were failing.

The attack also hit the Kiev Metro, according to security firm ESET, which analyzed the code and said it's based on the Petya malware, which was also used for a global ransomware attack back in June. In that case, researchers suggested Petya was wiper malware disguised as ransomware, and encouraged those affected not to pay up.

This new ransomware is spreading over a fake Adobe Flash Player install that was distributed over twenty different websites that were hacked, according to ESET. Many of these sites are from Russian news outlets, but a few use the Ukrainian .ua domain.

Visitors to these tampered websites would have noticed a popup asking them to download the fake Adobe Flash Player update. Once the ransomware installs, it'll then search the local network, looking for new computers to infect. The malicious code does this by using Microsoft Windows' Server Message Block protocol, a file-sharing feature that other ransomware attacks have also recently exploited.

A screenshot of the fake Adobe Flash installer.

In addition, the BadRabbit ransomware will launch Mimikatz, a hacking tool that can harvest passwords from compromised computers, according to ESET.

Security firm Kaspersky Lab posted similar findings and said a "number of hacked Russian media websites" were distributing the fake Adobe Flash installer as a way to trick victims into executing the program.

"No exploits were used," Kaspersky said in a blog post. That means the ransomware will only infect if the victim manually executes the fake Flash installer.

Most of the attacks are hitting victims in Russia, but some infections have also spilled into Ukraine, Turkey and Germany, Kaspersky said. Based on the security firm's data, "overall, there are almost 200 targets," and the attack is ongoing.

On Tuesday, CERT-UA, Ukraine's computer emergency response team, issued a statement warning about the wave of attacks. Other institutions, like the Odessa airport, also report experiencing a hack, but at this point, it's unclear if the attacks are related.

Security firm Avast has detected the BadRabbit attack targeting these countries.

Who might be behind Tuesday's outbreak remains unknown. However, the hacker appears to be a Game of Thrones fan. Security researchers are finding references to the fantasy series in the ransomware's code, such as names of the three dragons.

It's also possible Tuesday's attack may have been launched through other means. ESET said it's so far found no evidence that the companies hit by the ransomware outbreak fell for the fake Adobe Flash update.

That might mean the mysterious culprit behind BadRabbit may have already been inside the companies' networks, and attacked them all at once. The fake Adobe Flash update was simply a decoy, ESET said.

Security firms say they plan to release more details about the attack throughout the day.

Microsoft has issued an advisory on how administrators can protect their computers from attack. The latest update to Windows Defender Antivirus will also detect and remove the threat.

Source: https://sea.pcmag.com/news/17989/badrabbit-ransomware-targets-systems-in-russia-ukraine

Posted by: chamblisswaregs.blogspot.com
