Russian hackers who carried out NotPetya are behind Bad Rabbit ransomware outbreak

Posted October 26, 2017

The U.S. Computer Emergency Readiness Team said late Tuesday it "has received multiple reports of ransomware infections ... in many countries around the world".

This has been the year businesses have been forced to face up to the reality of widespread and devastating ransomware attacks, and recent reports suggest new malware could be emerging right as the world continues to count the cost of the destructive WannaCry and Petya outbreaks.

Later, Kaspersky Lab issued a statement that the cyber attack appeared to have originated in Russia before also affecting some corporate sites in Turkey and Germany.

"Whether it's possible to get back files encrypted by Bad Rabbit (either by paying the ransom or by using some glitch in the ransomware code) isn't yet known", Mr Perekalin continued, adding Kaspersky's anti-virus experts were investigating the incident.

A new strain of malware called "Bad Rabbit" was found in Ukraine and elsewhere on 24 October 2017, according to Kaspersky Lab.

Russia has been hit hardest, but computers in Turkey and Germany are also reported to be affected.

The ransomware has been named Bad Rabbit by Kaspersky Lab, though to be fair it seems that is the name the creators of this malware gave to their weapon.

Officials said Bad Rabbit is a variant of Petya, a family of encrypting ransomware that emerged a year ago. Affected users are also being advised not to pay the ransom, as there is no guarantee the attackers will honour it. Researchers at Cisco Talos say Bad Rabbit also has a trick up its sleeve: an SMB component that allows it to move laterally across an infected network and propagate without user interaction.

'Some might say - why after WannaCry and NotPetya are systems still unpatched?

News broke earlier about the spread of a new form of ransomware going by the name of Bad Rabbit.

He further said that customers of gateway solutions such as Sophos Email Appliance, Sophos Web Appliance, Sophos SG and Sophos XG UTM are able to prevent infection both through anti-virus identities and through proactive sandboxing technology.

Researcher Kevin Beaumont discovered that the author(s) appear to be fans of Game of Thrones: Bad Rabbit creates scheduled tasks named after Daenerys Targaryen's dragons, Drogon, Rhaegal and Viserion, as well as a reference to the Unsullied fighter Grey Worm (very different to the skin disease greyscale). "These exploits were probably not used in this campaign as they are now well-known and monitored attack vectors".

Meanwhile, the Independent reports that Cybereason claims to have a vaccine against the virus.

These show that some of the sites compromised to display the fake Adobe Flash updates were hit as far back as early September 2016. Victims are then diverted to a malicious page, hxxp://1dnscontrol.com/flash_install.php, which prompts them to install the fraudulent Flash Player. The program merely pretends to be Flash to fool people into downloading it.
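The indicators the article mentions, the Game of Thrones scheduled-task names, the fake Flash page on 1dnscontrol.com and the Cybereason "vaccine", translate directly into a host and log triage script. The following is an added example written for this page, not code from the article, Kaspersky, Cisco Talos or Cybereason. The scheduled-task names and the lure domain come from the article; the two file names in the vaccine function come from Cybereason's public write-up (create C:\Windows\infpub.dat and C:\Windows\cscc.dat and strip their permissions), which the article only alludes to. The proxy log lines are constructed sample data, and the function names are the example's own.

```powershell
# Added example (not from the article or any vendor): Bad Rabbit host and log triage.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later (Get-ScheduledTask).

# Scheduled-task names the article reports Bad Rabbit creates (Kevin Beaumont's finding).
$badRabbitTaskNames = @('drogon', 'rhaegal', 'viserion')

# Lure host named in the article as serving the fake Flash installer.
$lureHostPattern = '1dnscontrol\.com'

function Find-BadRabbitTasks {
    # Enumerate all scheduled tasks and return any whose name matches the known set.
    # A hit is a strong indicator; an empty result is NOT proof the host is clean.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $badRabbitTaskNames -contains $_.TaskName.ToLowerInvariant() } |
        Select-Object TaskName, TaskPath, State
}

function Find-FlashLureInProxyLog {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Flag every proxy log line that references the lure host, regardless of path,
    # so the landing page and any follow-on requests are both surfaced.
    $LogLines | Where-Object { $_ -match $lureHostPattern }
}

function Install-BadRabbitVaccine {
    # Cybereason's published vaccine (assumed here from their write-up, not from the article):
    # pre-create the two files the dropper writes and remove all permissions on them,
    # so the dropper cannot overwrite them. Run only on hosts that are not yet infected.
    $vaccineFiles = @("$env:windir\infpub.dat", "$env:windir\cscc.dat")
    foreach ($path in $vaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Disable inheritance and drop every inherited ACE; the file keeps no explicit ACEs,
        # so no account (other than via ownership) can open it for writing.
        icacls $path /inheritance:r | Out-Null
    }
    return $vaccineFiles
}

# --- Usage ---------------------------------------------------------------------

# Constructed sample proxy log lines (not real traffic) in a simple timestamp/client/method/URL/status form.
$sampleProxyLines = @(
    '2017-10-24T11:02:13Z 10.0.5.21 GET http://www.example.com/index.html 200',
    '2017-10-24T11:02:41Z 10.0.5.21 GET http://1dnscontrol.com/flash_install.php 200',
    '2017-10-24T11:02:44Z 10.0.5.21 GET http://1dnscontrol.com/index.php 200',
    '2017-10-24T11:03:02Z 10.0.5.22 GET http://www.example.com/news.html 200'
)

"Scheduled tasks matching Bad Rabbit names:"
Find-BadRabbitTasks | Format-Table -AutoSize

"Proxy log lines referencing the Flash lure host:"
Find-FlashLureInProxyLog -LogLines $sampleProxyLines

# Uncomment on a clean host to apply the vaccine:
# Install-BadRabbitVaccine
```

Two caveats a responder should keep in mind: the task-name check only catches the names reported in this campaign, so a renamed variant will pass it, and the vaccine only blocks the dropper's file write on a host that has not yet been hit; it does nothing against the SMB lateral movement Talos describes once a neighbour is already infected.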