Wave of BadRabbit ransomware strikes Russia and Ukraine

File-encrypting ransomware known as BadRabbit has taken down a number of big Russian news sites, including Russian news bureau Interfax and Fontanka.

The same malware has reportedly taken down computer systems at Odessa international airport in Ukraine, computers at the Kiev subway system, and Ukraine’s ministry for transport, according to Russian news site DP.ru. 

The sudden spike in infections is reminiscent of the NotPetya outbreak that began spreading on June 27.  

Russian security firm Group-IB has posted an image of the ransom page victims see on an infected computer. It has also posted an image of the dark web site victims are told to visit, which carries the title “Bad Rabbit” and demands victims pay 0.5 BTC to obtain the key to decrypt files.

Security firm ESET managed to get a sample of the ransomware and has posted details on VirusTotal. At the time of writing six antivirus products were detecting it, though that number will likely rise quickly. ESET calls the malware Win32/Diskcoder.D.

ESET malware analyst Jiri Kropac said in a tweet that BadRabbit was spreading through a fake Adobe Flash Player update. He also posted an image of the fake update to back up the claim. The malware has also incorporated the Mimikatz tool for attacking Windows, which allows the attacker to retrieve cleartext passwords and password hashes from memory.

Kaspersky reports the malware is using similar techniques to NotPetya but could not confirm a connection to it. It has also observed smaller-scale attacks in Turkey and Germany, according to its post.

Kaspersky, which has updated its products to block BadRabbit, notes that Windows users who don't use its products should:

  • Block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
  • Disable (if possible) the use of the WMI service.
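One way an administrator could apply those two mitigations on a single host, as an added example that is not from the article or from Kaspersky: the file paths are the ones named above, the Software Restriction Policy registry layout is standard Windows, and the rule GUIDs and description text are constructed here.

```powershell
# Added example (not the article's or Kaspersky's own guidance).
# Applies the two published mitigations on one Windows host. Run as Administrator.
# The paths come from the article; rule GUIDs and the description are constructed.

$blockedPaths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

# 1. Detection first: if either file is already present, the host may be infected.
foreach ($p in $blockedPaths) {
    if (Test-Path -LiteralPath $p) {
        Write-Warning "$p already exists - investigate this host before continuing"
    }
}

# 2. Block execution with Software Restriction Policies (SRP).
#    Under CodeIdentifiers, the subkey "0" holds rules at the Disallowed level.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path "$safer\0\Paths" -Force | Out-Null

# Everything not matched by a rule stays Unrestricted (0x40000).
Set-ItemProperty -Path $safer -Name DefaultLevel -Value 0x40000 -Type DWord
# TransparentEnabled 2 = enforce on libraries as well as executables,
# so a .dat loaded as a library is covered, not only .exe launches.
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 2 -Type DWord
# PolicyScope 0 = apply to all users, including administrators.
Set-ItemProperty -Path $safer -Name PolicyScope -Value 0 -Type DWord

foreach ($p in $blockedPaths) {
    # Each path rule lives in its own GUID-named subkey (GUID constructed at run time).
    $ruleKey = "$safer\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData -Value $p -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value 'BadRabbit mitigation (constructed)' -Type String
}

# 3. Disable the WMI service, as the second bullet suggests.
Stop-Service -Name Winmgmt -Force
Set-Service -Name Winmgmt -StartupType Disabled
```

Disabling Winmgmt also breaks monitoring agents, SCCM and remote PowerShell management that depend on WMI, which is why the advice is qualified with "if possible"; the SRP path rules alone carry no such cost.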

Stories by Liam Tung