A new ransomware called BadRabbit is spreading across Russia, Ukraine, and other eastern European countries, targeting corporate networks, including those of airports, rail transit systems, and media outlets.
Computers infected with BadRabbit display a ransom message demanding 0.5 bitcoin, or about $275, to have their systems decrypted and returned to normal.
BadRabbit Ransomware Spreads
Cybersecurity researchers at ESET and Kaspersky, just two of the groups monitoring the spread of BadRabbit, both speculate that the originators of this new ransomware have ties to NotPetya, an earlier ransomware that wreaked havoc globally.
Kaspersky discovered that NotPetya and BadRabbit were similarly present on dozens of hacked websites. What's more, both pieces of ransomware were launched via the Windows Management Instrumentation Command-Line, a Windows management tool, in addition to Mimikatz, a tool for harvesting passwords and other credentials. Kaspersky says this means the agents responsible for NotPetya have known about BadRabbit and have been planning its launch since July.
One of the ways BadRabbit spread was via drive-by download: attackers injected JavaScript into a compromised site's HTML body. When a user visits that site, a dialog box pops up saying Flash Player requires an update. Clicking yes downloads and installs the malware. This is a fairly uncommon method of malware distribution.
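From the defender's side, the injection described above is caught by checking a page's script elements against a known-good baseline. The following is an added example, not code from the article or from any vendor report; the baseline URLs and the sample HTML are constructed for illustration.

```python
# Added example (not from the article or any vendor): a site owner's
# integrity check for the injection described above, flagging <script>
# elements that are inline or not in a known-good baseline. Baseline
# URLs and sample HTML are constructed for illustration.
from html.parser import HTMLParser

# Constructed baseline: external script URLs the site legitimately serves.
BASELINE_SRCS = {"/static/app.js", "https://cdn.example.com/jquery.min.js"}


class ScriptCollector(HTMLParser):
    """Collects every <script> element with its src or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of {"src": str|None, "body": str}
        self._in_inline = False    # True while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self.scripts.append({"src": src, "body": ""})
            self._in_inline = src is None

    def handle_data(self, data):
        if self._in_inline:        # script content arrives as raw data
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def find_unexpected_scripts(html, baseline=BASELINE_SRCS):
    """Return scripts that are inline or whose src is not in the baseline."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return [s for s in p.scripts if s["src"] is None or s["src"] not in baseline]


# Constructed page: two legitimate scripts plus one injected inline Flash-lure block.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<p>news</p>
<script>/* injected */ document.write('<div>Flash Player update required</div>');</script>
</body></html>"""

if __name__ == "__main__":
    for s in find_unexpected_scripts(SAMPLE_HTML):
        print("unexpected script:", s["src"] or s["body"][:60])
```

Run against a stored copy of each page on a schedule, and any hit outside the baseline is a change a site owner did not make.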
For now, the outbreak pales in comparison with the number of computer systems NotPetya affected, but it has hit important Russian media outlets such as the newswire Interfax, Ukraine's Odessa airport, and the Kiev subway system. BadRabbit disrupted their IT operations and disabled the subway system's credit card payments, said one Ukrainian government official.
"The dangerous aspect is the fact that it was able to infect many institutions which constitute critical infrastructure in such a short timeframe," said Robert Lipovsky, a malware researcher at ESET. As mentioned, this means the attack was planned long ago, probably after the agents rigorously studied how to infiltrate those hard-to-crack institutional systems.
BadRabbit Ransomware: What Are Its True Motives?
If NotPetya and BadRabbit do in fact come from the same agents, that raises important questions about their true intent. Some researchers found, after reverse-engineering NotPetya, that it wasn't actually ransomware: victims couldn't recover their files even after paying the ransom. This means NotPetya, and possibly BadRabbit as well, acted as destructive malware disguised as ransomware, built to break and cripple the systems of Ukrainian targets.
Even so, the victims were all Russians themselves, which also raises the question of whether NotPetya truly originated from Russian agents.
Again, BadRabbit asks for a 0.5-bitcoin ransom, but whether paying actually results in the recovery of files remains to be determined.