BadRabbit, a new ransomware strain and the next big cyber attack since NotPetya, has been spreading across Russia, Ukraine and other Eastern European countries. Ukraine’s Computer Emergency Response Team (CERT) has confirmed the new wave of infections hitting computer systems in the country.
According to media reports, the ransomware is targeting corporate networks, the computer systems of the Kiev Metro and Ukraine’s Odessa International Airport, and several Russian media outlets. The malware has also reached Turkey, Bulgaria, Germany and a few other countries. Researchers at ESET and Kaspersky are currently tracking the attack.
According to ESET, the malware used in the attack is Diskcoder.D, a new variant of the ransomware also known as Petya. In June this year, the previous Diskcoder variant, NotPetya, was used in a damaging cyber attack on a global scale. According to Wired, Kaspersky has counted close to 200 BadRabbit victims, of which 50 or 60 are Ukrainian government computers. ESET, however, estimated that only 12.2% of victims were in Ukraine, while 65% were in Russia.
Speaking about the latest cyber attack, Roman Boyarchuk, Head of the Center for Cyber Protection in Ukraine, said, “A lot of systems have been manually disconnected because of the attack, in part to control the spread of the ransomware.” While the outbreak is only a small fraction of the size of the NotPetya epidemic, Kaspersky found strong evidence tying the new attack to the creators of the NotPetya ransomware. The firm noted that 30 sites which had been used to spread Petya also began distributing the BadRabbit malware on Tuesday.
The Director of Kaspersky’s Global Research and Analysis team, Costin Raiu, said, “This indicates that the actors behind ExPetr/NotPetya have been carefully planning the BadRabbit attack since July.” According to Kaspersky, the new ransomware spreads by using the Windows Management Instrumentation Command Line (WMIC) in combination with user credentials that the malware steals with the open-source tool Mimikatz. Like NotPetya, BadRabbit also uses Microsoft’s Server Message Block (SMB) protocol to spread between computers, using credentials hard-coded into its software.
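The spreading mechanism described above (remote process creation through WMIC with stolen or hard-coded credentials) leaves a recognisable trace in endpoint process-creation telemetry, which is where a defender would look for it. The following detector is an added example, not code from the article, Kaspersky or ESET: it parses constructed process-creation events in a simplified key=value format (hypothetical, not any real EDR's output; host and user names are made up), flags WMIC invocations that target a remote machine via the real `/node:` switch, flags credentials passed on the command line via `/user:`/`/password:`, and raises a fan-out alert when one source host pushes commands to several distinct targets.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in a hypothetical key=value format
# (not real Sysmon/EDR output). Hosts, users and the payload path are made up.
SAMPLE_EVENTS = [
    "ts=2017-10-24T13:01:02Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "cmdline='wmic os get caption'",
    "ts=2017-10-24T13:05:10Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "cmdline='wmic /node:WS02 /user:CORP\\admin /password:Secret1 process call create C:\\Temp\\payload.exe'",
    "ts=2017-10-24T13:05:12Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "cmdline='wmic /node:WS03 /user:CORP\\admin /password:Secret1 process call create C:\\Temp\\payload.exe'",
    "ts=2017-10-24T13:05:15Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "cmdline='wmic /node:FS01 /user:CORP\\admin /password:Secret1 process call create C:\\Temp\\payload.exe'",
    # Benign: an admin querying the local machine through /node: pointing at itself.
    "ts=2017-10-24T13:07:00Z host=ADMIN01 user=CORP\\it-ops image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "cmdline='wmic /node:ADMIN01 computersystem get model'",
    "ts=2017-10-24T13:09:00Z host=WS05 user=CORP\\bob image=C:\\Windows\\System32\\notepad.exe cmdline='notepad.exe'",
]

# key=value pairs; a value is either a single-quoted string or a run of non-space characters.
EVENT_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# WMIC's own switches: /node: names the remote machine, /user: and /password: supply credentials.
NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)
CRED_RE = re.compile(r"/(user|password):", re.IGNORECASE)
LOCAL_TARGETS = {"localhost", ".", "127.0.0.1"}


def parse_event(line):
    """Turn one key=value log line into a dict, stripping the quotes around cmdline."""
    return {key: value.strip("'") for key, value in EVENT_RE.findall(line)}


def is_wmic(event):
    return event.get("image", "").lower().endswith("\\wmic.exe")


def analyze(lines, fanout_threshold=3):
    """Return a list of findings for WMIC-based remote execution seen in the events."""
    findings = []
    targets_by_source = defaultdict(set)

    for line in lines:
        event = parse_event(line)
        if not is_wmic(event):
            continue
        cmdline = event.get("cmdline", "")
        match = NODE_RE.search(cmdline)
        if not match:
            continue  # local WMIC use, no /node: switch
        source = event["host"].lower()
        target = match.group(1).strip('"').lower()
        if target in LOCAL_TARGETS or target == source:
            continue  # management of the local machine, not lateral movement

        findings.append({"rule": "wmic_remote_exec", "ts": event["ts"],
                         "host": event["host"], "user": event.get("user"), "target": target})
        if CRED_RE.search(cmdline):
            # Credentials on the command line: consistent with replaying stolen or hard-coded secrets.
            findings.append({"rule": "wmic_cleartext_credentials", "ts": event["ts"],
                             "host": event["host"], "target": target})
        targets_by_source[source].add(target)

    # One host driving WMIC at several distinct machines is the worm-like fan-out pattern.
    for source, targets in sorted(targets_by_source.items()):
        if len(targets) >= fanout_threshold:
            findings.append({"rule": "wmic_lateral_fanout", "host": source, "targets": sorted(targets)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The fan-out threshold is deliberately a parameter: a help-desk jump host legitimately reaches many machines, so in production the source-host allow-list and the threshold are tuned per environment, while the cleartext-credential rule is worth alerting on regardless of target count.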
Despite the various similarities, it is still unclear who is behind the latest attack. All computers infected with the malware were directed to a .onion Tor domain and asked to pay 0.05 Bitcoin, roughly $276, in exchange for their data. However, infected users are discouraged from paying the ransom, as it is not yet clear whether BadRabbit actually decrypts the data once the ransom has been paid.