October 25, 2017 by

Russian News Outlets Hacked to Launch Global Ransomware Attack

Hackers have reportedly borrowed code from the Petya ransomware again to target global organizations with compromised Russian news media outlets.

A new ransomware, dubbed Bad Rabbit, is being spread by a handful of compromised Russian media news outlets and other websites. Named after the dark website where cybercriminals are demanding extortion payments, early victims include major Russian media organizations Interfax, Fontanka.ru and the Kiev Metro service.

According to Forbes, the Ukrainian Computer Emergency Response Team added that the Odessa Airport was also compromised, warning of “a possible start of a new wave of cyberattacks to Ukraine’s information resources.”

Victims of the ransomware are being redirected to Tor network website Bad Rabbit where they see a demand for 0.05 bitcoin (approx. $286) to decrypt their files.

According to Russian cybersecurity firm Group-IB and Kaspersky Lab, users were infected after visiting a handful of Russian media websites where a fake Adobe Flash installer was inserted. Upon clicking the malicious link, the user became infected.

The ransomware outbreak isn’t spreading as quickly as WannaCry or NotPetya but countries with infected PCs include Germany, South Korea, Bulgaria, Turkey, Ukraine, Poland and Russia.

Kaspersky Lab’s head of anti-malware research Vyacheslav Zakorzhevsky said:

According to our data, most of the victims targeted by the attacks are located in Russia. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the [NotPetya] attack. However, we cannot confirm it is related to [NotPetya].

A portion of the Bad Rabbit code, a basic process algorithm, was determined to be entirely similar to NotPetya by Group-IB. Subsequently, a Kaspersky official confirmed a connection between NotPetya and Bad Rabbit.

We followed the path and found a network of other hacked sites that worked in the same way, except they weren’t distributing anything back in July. Some time ago the injected scripts in all these sites changed to a new IP and earlier today they started distributing the Bad Rabbit ransomware.

Image credit: 

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Robots are Now Vulnerable to Ransomware Attacks

Security researchers have put the spotlight on malware affecting humanoid robots with the first...

Read more arrow_forward

Free Decryption Tool Brings Respite to Victims of Aggressive Ransomware

A new and unusual family of ransomware has met its match after a ransomware tool backed by Europol...

Read more arrow_forward

Ransomware is ‘Modern-Day Extortion’, Says McAfee CEO

The chief executive of cybersecurity firm McAfee has labelled ransomware as the modern day answer to...

Read more arrow_forward