News
News & events
Alert: Bad Rabbit Ransomware Attack - Strikes Ukraine and Russia‎
2017-10-24

On 24th October in Russia and Ukraine a largescale cyber attack took place using a new cryptolocker – BadRabbit. Amongst victims, this affected computers and servers of the Kiev metro, the Ministry of Infrastructure and Odessa International Airport, as well as a number of state organisations in the Russian Federation. Victims in the Russian Federation included Federal news sites and commercial organisations. Infections have also been reported in Bulgaria, Japan, Turkey and Germany.

 

Infection took place after visiting compromised legitimate sites. Group-IB identified that Bad Rabbit was spread via web traffic from compromised media sites, amongst them were:

 

http://www.fontanka.ru/

 http://argumenti.ru

 http://argumentiru.com

 

The user was displayed a window with a suggestion to update FlashPlayer. If the user agreed to this update, a malicious file named install_flash_player.exe is downloaded: (FBBDC39AF1139AEBBA4DA004475E8839 - MD5 hash), and infects the host.

 

For decryption the attacks requested 0,05 bitcoin (at current exchange rates this is around 283 USD). After infection the malware raised privileges on the local machine for spreading. On local network this took place by SMB, using extraction of LSASS passwords from the compromised computer, or an internal password library.

 

After infection, the victim sees the following window:


What is Bad Rabbit?

 

Bad Rabbit is a previously unknown ransomware family.

 

How is Bad Rabbit distributed?

 

The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks. The same exploit was used in the ExPetr.

 

We’ve detected a number of compromised websites, all of which were news or media websites.

 

Whom does it target?

 

Most of the targets are located in Russia. Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. Overall, there are almost 200 targets, according to the KSN statistics.

 

Since when does Kaspersky Lab detect the threat?

 

We have been proactively detecting the original vector attack since it began on the morning of October 24. The attack lasted until midday, although ongoing attacks were detected at 19.55 Moscow time. The server from which the Bad rabbit dropper was distributed went down in the evening (Moscow time).

 

How is it different to ExPetr? Or it is the same malware?

 

Our observations suggest that this been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. What’s more, the code analysis showed a notable similarity between the code of ExPetr and Bad Rabbit binaries.