
New Ransomware Attack Spreading Across Russia, Ukraine

The Interfax news agency and the subway system in Kiev, Ukraine's capital, are among the targets.

#BadRabbit #cryptor requires 0.05 BTC for decryption. #ransomware

A ransomware attack is spreading across Russia and Ukraine, crippling multiple news agencies and transportation systems.

The ransomware, dubbed "Bad Rabbit" by its creators, appears to function like conventional ransomware, encrypting victims’ computers and demanding a bitcoin ransom — in this case, 0.05 BTC, or about $282 — for an unproven promise to restore a network to normal.

According to a statement by the Russian cybersecurity firm Group-IB provided to BuzzFeed News, the attack so far has shut down at least two Russian news outlets, the giant privately owned Interfax and a smaller independent agency, Fontanka. Three major Ukrainian targets, the Kiev Metro, the Odessa Airport, and the nation’s Ministry of Infrastructure, are also affected.

Kaspersky Lab, Russia's most prominent cybersecurity firm, said in a statement that it had observed the same strain of ransomware affecting a handful of targets in Turkey and Germany.

“Due to a hacker attack, our servers are not working. Technical services are using all measures to restore the system,” Interfax tweeted.

“The Fontanka server has been attacked by hackers. The site may be unavailable for several hours. We continue to make news. Read us in our official accounts in social networks, VKontakte and Facebook,” Fontanka said in a statement on its Facebook page.

A third Russian media network, 47news.ru, was also affected. “After the attack of terrorist hackers on the Fontanka, the ghouls reached 47news. We will put important [news] here and on VKontakte,” it wrote on its Telegram channel.

Odessa Airport wrote on its official Facebook page that it was “facing a hacking attack” that hadn’t stopped flights but was responsible for delays.

It’s not yet clear how Bad Rabbit spreads. A previous, widespread ransomware outbreak, dubbed both Petya and NotPetya, hit multiple targets in Ukraine in June, then infected entire companies around the globe, including shipping giant Maersk and the international pharmaceutical company Merck. The attack is estimated to have cost businesses hundreds of millions of dollars. The damage was worsened by the fact that the creators of the ransomware didn’t fulfill their end of the bargain: Users who paid the bitcoin ransom for NotPetya said that they never received a working decryption key for their computers.

NotPetya’s reach relied on a leaked tool called EternalBlue, widely acknowledged by researchers as originally developed by the US National Security Agency. EternalBlue, which exploits unpatched, older versions of the Windows operating system, was itself leaked in April by a mysterious “hacker” group calling itself the Shadow Brokers. It’s still unclear how the group acquired the tool.

Researchers are still analyzing Bad Rabbit to see if its decryption keys work, if it can be stopped without paying for a key, and if it’s a variant of NotPetya.

Some, however, say that Bad Rabbit shares clear similarities with NotPetya.

“Based on our investigation, this has been a targeted attack against corporate networks,” Vyacheslav Zakorzhevsky, head of the anti-malware research team at Kaspersky Lab, said in a statement.

Bad Rabbit uses similar methods as NotPetya, Zakorzhevsky said, but it's still too early to say the two strains are actually related.

One thing, however, is clear: Bad Rabbit's authors are fans of Game of Thrones. As spotted by FireEye researcher Nick Carr, its code includes references to two of the three modern dragons in the show and book series.

@lalkaboltalka @TekDefense Named scheduled tasks for persistence & privesc Dropper: drogon BADRABBIT: viserion
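The task names in that tweet are a concrete thing a Windows administrator can check for. The following is an added example for this article (not code from BuzzFeed News, Kaspersky Lab, or FireEye) that audits a host's scheduled tasks for the two reported names and reports the details a responder would want, such as the run level and the executable each task launches; it assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example: inventory scheduled tasks named after the Bad Rabbit
# components reported above (dropper: drogon, payload: viserion).
# Assumes the Windows ScheduledTasks module and an elevated PowerShell session.
function Find-BadRabbitScheduledTask {
    [CmdletBinding()]
    param(
        # Task names reported by researchers; extend this list if new names are published.
        [string[]]$SuspectNames = @('drogon', 'viserion')
    )

    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $SuspectNames -contains $_.TaskName } |   # -contains is case-insensitive
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName  = $_.TaskName
                TaskPath  = $_.TaskPath
                State     = $_.State
                RunLevel  = $_.Principal.RunLevel   # 'Highest' matches the privesc use noted in the tweet
                UserId    = $_.Principal.UserId
                Execute   = ($_.Actions | ForEach-Object { $_.Execute })   -join '; '
                Arguments = ($_.Actions | ForEach-Object { $_.Arguments }) -join '; '
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
            }
        }
}

# Usage: run on each host; a non-empty result is a trigger for isolation and forensic collection.
$hits = Find-BadRabbitScheduledTask
if ($hits) { $hits | Format-List } else { 'No scheduled tasks named drogon or viserion found.' }
```

Task names alone are a weak indicator, so treat a hit as a prompt to preserve the task XML (Export-ScheduledTask) and the referenced executable before any cleanup.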

Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.

Contact Kevin Collier at kevin.collier@buzzfeed.com.

Jane Lytvynenko is a reporter for BuzzFeed News and is based in Toronto, Canada. PGP fingerprint: A088 89E6 2500 AD3C 8081 BAFB 23BA 21F3 81E0 101C.

Contact Jane Lytvynenko at jane.lytvynenko@buzzfeed.com.