A new ransomware attack dubbed “Bad Rabbit” is sweeping Russia and Ukraine, among other Eastern European countries, according to several reports.
It’s too early to tell how far-reaching the event will be, or at this time who has been hit thus far, but a series of reports concerning attacks on Ukrainian transportation and infrastructure have alarms blaring.
Russian cybersecurity firm Group-IB reports that at least three Russian media outlets have been attacked, and counts “state institutions and strategic objects in Ukraine as its victims.” The firm told Motherboard that an airport in Odessa, the Kiev subway, and the Ministry of Infrastructure of Ukraine had all been affected by a “new mass cyberattack.”
Russian news agency Interfax announced via Twitter that it was working to restore its systems after hackers took down its servers.
Once infected, victims are directed to a Tor-hidden website where a ransom of 0.05 Bitcoin is demanded (about $280 at the time of writing). If the ransom is not paid within roughly 40 hours, the cost of decrypting the lost data is increased. The ransom message, red text on a black background, appears to be similar to the one used in the NotPetya attacks this June.
According to the Moscow-based Kaspersky Lab, Bad Rabbit infections have been detected in Turkey and Germany as well. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the [NotPetya] attack,” the firm reported. “However, we cannot confirm it is related to [NotPetya]. We continue our investigation.”
Slovak cybersecurity firm ESET said in a blog that the attack on the Kiev Metro systems was a variant of the Petya ransomware upon which NotPetya was also based—though NotPetya was eventually determined to be wiper malware, designed to permanently damage data, not collect ransom.
According to ESET, the attack has also spread to Bulgaria and several other countries.
Update, 5:06pm: Bad Rabbit has reportedly spread to Poland and South Korea. US-CERT has advised the infected not to pay the ransom, saying it “does not guarantee that access will be restored.” In a statement, CrowdStrike Vice President Adam Meyers said the infections appear to have originated from the Russian news and celebrity gossip site argumentiru.com.
Despite rumors, Talos reports there are no signs Bad Rabbit is utilizing the EternalBlue exploit previously employed by WannaCry.
Good news! Malware analyst Amit Serper, principal security researcher at Cybereason, has found a vaccine and posted instructions in a tweet.
Update, 6:35pm: Avast reports the first Bad Rabbit infections detected in the United States. “We expect a growing number of detections in the hours ahead,” the firm says.
This is a developing story.
Correction: A previous version of this article identified ESET as a Czech cybersecurity firm. It is Slovak. We regret the error.