Reports appeared on Tuesday that a new ransomware outbreak was hitting organisations in Russia and Ukraine. Victims included the Russian newswire Interfax, Ukraine's Odessa airport, and the Kiev subway system. Media outlets like Fontanka.ru found their websites disrupted by the attack, and urged readers to follow them on social media for updates while systems were restored.
The ransomware, which was dubbed "BadRabbit", showed a number of similarities to NotPetya, the hard-hitting attack that struck organisations in Russia, Ukraine and elsewhere earlier in the year. NotPetya is thought to have initially been spread via a malware-infected update to accounting software widely used in Ukraine, and it cost some companies hundreds of millions of dollars in damage. Researchers at Group-IB, however, identified that BadRabbit had been distributed in a different fashion: through a number of compromised news websites used as a means of infecting visitors' computers. Compromised sites included:
- fontanka.ru
- argumentiru.com
- grupovo.bg
- sinematurk.com
- aica.co.jp
- spbvoditel.ru
- argumenti.ru
- mediaport.ua
- an-crimea.ru
- www.t.ks.ua
- most-dnepr.info
- osvitaportal.com.ua
- otbrana.com
- pensionhotel.cz
- online812.ru
- imer.ro
- novayagazeta.sbp.ru
- i24.com.ua
- ankerch.crimea.ru
Visitors to the compromised sites found themselves greeted by a pop-up urging them to install an Adobe Flash update onto their Windows PCs.
Of course, the downloaded file did not originate from Adobe; it was the ransomware in disguise. The use of phoney security updates to infect users' computers with malware is nothing new, and once again it is evidence that an attack does not have to be highly sophisticated to succeed. In addition, the ransomware contains an SMB component that allows the attack to spread laterally through an organisation, exploiting poorly-chosen passwords to find other computers to infect. Once a PC was infected, BadRabbit could begin its main dirty work: encrypting files and displaying a ransom message on the victim's screen.
Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service.
The message was clear. If you wanted your files back (and didn't have a secure backup) you would have to pay 0.05 Bitcoin (just under US $300) via a Tor network site set up by the criminals.
The payment site is presented with some flourish, as letters "decrypt" on the screen, and it is from here that security researchers took the name "BadRabbit" for the malware, even though the ransomware's code contains references to three dragons from "Game of Thrones": Viserion, Drogon and Rhaegal.

Precisely who is responsible for the NotPetya and BadRabbit ransomware attacks isn't yet known, but we would be making a big mistake to underestimate their determination. As researchers at Kaspersky explained, it was clear that the attackers had been busy for months, setting up their network of hacked sites in preparation for the BadRabbit assault.

The good news is that BadRabbit has not hit companies as hard as its predecessors WannaCry and NotPetya. Although some firms outside Russia and Ukraine did find themselves affected, the ransomware appears, for now, to have run out of steam. But that doesn't mean any of us can afford to rest on our laurels. The best response to the current wave of ransomware attacks is to ensure that you are prepared *before* you become a victim. Make sure to read our further tips on how to protect your organisation from ransomware.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.