File-encrypting ransomware known as BadRabbit has taken down a number of big Russian news sites, including Russian news bureau Interfax and Fontatka.
The same malware has reportedly taken down computer systems at Odessa international airport in Ukraine, computers at the Kiev subway system, and Ukraine’s ministry for transport, according to Russian news site DP.ru.
The sudden spike in infections is reminiscent of the NotPetya outbreak that began spreading on June 27.
Russian security firm Group-IB has posted an image of the ransom page victims see on an infected computer. It’s also posted an image of the dark web site victims are told to visit has title “Bad Rabbit” on the page, which demands victims pay 0.5 BTC to obtain the key to decrypt files.
Security firm ESET managed to get a sample of the ransomware and has posted details on VirusTotal. At the time of writing six antivirus products were detecting it, though that number will likely rise quickly. ESET calls the malware Win32/Diskcoder.D.
ESET malware analyst Jiri Kropac said in a tweet that BadRabit was spreading through a fake Adobe Flash Player update. He also posted an image of the fake update to back up the claim. The malware had also incorporated the Mimikatz tool for attacking Windows, which allows the attacker to retrieve cleartext passwords and password hashes from memory.
Kaspersky reports the malware is using similar techniques as NotPetya but could not confirm a connection to it. It’s also observed smaller scale observed attacks in Turkey and Germany, according to its post.
Kaspersky, which has updated its products to block BadRabbit, notes that Windows users that don't use its products should:
- Block the execution of the file c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.
- Disable (if possible) the use of the WMI service.