Hackers have reportedly borrowed code from the Petya ransomware again, this time targeting global organizations through compromised Russian news media outlets.
A new ransomware, dubbed Bad Rabbit, is being spread by a handful of compromised Russian news media outlets and other websites. It is named after the dark web site where the cybercriminals are demanding extortion payments. Early victims include major Russian media organizations Interfax and Fontanka.ru, as well as the Kiev Metro service.
According to Forbes, the Ukrainian Computer Emergency Response Team added that the Odessa Airport was also compromised, warning of “a possible start of a new wave of cyberattacks to Ukraine’s information resources.”
Victims of the ransomware are being redirected to a Tor network website, Bad Rabbit, where they see a demand for 0.05 bitcoin (approx. $286) to decrypt their files.
According to Russian cybersecurity firm Group-IB and Kaspersky Lab, users were infected after visiting a handful of Russian media websites into which a fake Adobe Flash installer had been inserted. Users became infected upon clicking the malicious link.
The ransomware outbreak isn’t spreading as quickly as WannaCry or NotPetya, but countries with infected PCs include Germany, South Korea, Bulgaria, Turkey, Ukraine, Poland and Russia.
Kaspersky Lab’s head of anti-malware research Vyacheslav Zakorzhevsky said:
“According to our data, most of the victims targeted by the attacks are located in Russia. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the [NotPetya] attack. However, we cannot confirm it is related to [NotPetya].”
Group-IB determined that a portion of the Bad Rabbit code, a basic process algorithm, is entirely similar to that of NotPetya. Subsequently, a Kaspersky official confirmed a connection between NotPetya and Bad Rabbit.
“We followed the path and found a network of other hacked sites that worked in the same way, except they weren’t distributing anything back in July. Some time ago the injected scripts in all these sites changed to a new IP and earlier today they started distributing the Bad Rabbit ransomware.”