A ransomware attack was directed at Russian media outlets and at enterprises in Ukraine, including Odessa airport and the Kiev public transportation system. The ransomware was dubbed Bad Rabbit and has been linked to ExPetr (also known as NotPetya), which also targeted organizations in Ukraine and Russia and distributed wiper malware.
According to security researchers at Kaspersky who investigated the attacks, the ransomware was distributed through drive-by download attacks from legitimate websites.
One of the targeted companies, Russian-based Interfax, reported on Twitter that its services were temporarily down due to the ransomware attack. The dropper is spread via a fraudulent Adobe Flash Player installer.
According to Kaspersky, Bad Rabbit attacks were also detected in Turkey and Germany, with approximately 200 targets in total.
All victims must open the malicious file named install_flash_player.exe in order to be infected, because no exploits are involved. In addition, the executable cannot do its work without the victim's permission: it uses the Windows UAC prompt to obtain the elevated privileges it needs. If it runs as intended, the executable drops infpub.dat (the file-encrypting malware). The executable can also brute-force NTLM login credentials of devices running Windows at pseudorandom IP addresses.
This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. However, we cannot confirm it is related to ExPetr. We continue our investigation.
Meanwhile, the ExPetr attacks were detected in June and were described as more dangerous than the infamous WannaCry.
Similarly, the cybercriminals behind the ExPetr attacks distributed the malware via the leaked NSA exploit EternalBlue.
After the attacks began, the Danish shipping company Maersk and the Russian-based oil company Rosneft reported infections and impacts on their businesses. ExPetr was later identified as a wiper.
In the case of Bad Rabbit, the infpub.dat file also installs an additional malicious file, dispci.exe, and creates tasks in the registry to launch that executable. Interestingly, the tasks are named after the dragons in Game of Thrones.
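The infection chain above (the fake Flash installer dropping infpub.dat and dispci.exe, then brute-forcing NTLM logins against pseudorandom addresses) gives a defender two things to look for in endpoint and authentication telemetry: the article's file names, and one host fanning NTLM failures out to many destinations in a short window. The following is an added example, not code from the article or from Kaspersky; the log format, host names, timestamps and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Indicators named in the article: the fake Flash installer, the encryptor
# it drops, and the DiskCryptor-derived disk encryption module.
FILE_INDICATORS = ("install_flash_player.exe", "infpub.dat", "dispci.exe")

# Constructed sample telemetry (not real logs): "<seconds> <host> <event> <detail>".
SAMPLE_EVENTS = [
    "3605 ws-12 process_create install_flash_player.exe parent=chrome.exe",
    "3608 ws-12 file_write C:\\Windows\\infpub.dat",
    "3610 ws-12 sched_task_create image=dispci.exe",
    "3612 ws-12 ntlm_auth_fail dst=10.0.0.5",
    "3613 ws-12 ntlm_auth_fail dst=10.0.0.17",
    "3613 ws-12 ntlm_auth_fail dst=10.0.0.42",
    "3614 ws-12 ntlm_auth_fail dst=10.0.0.9",
    "3615 ws-12 ntlm_auth_fail dst=10.0.0.77",
    "3700 ws-40 ntlm_auth_fail dst=10.0.0.9",  # user retyping a password: benign
    "3900 ws-40 ntlm_auth_fail dst=10.0.0.9",
]

def parse(line):
    ts, host, event, detail = line.split(" ", 3)
    return int(ts), host, event, detail

def file_indicator_hits(events):
    """Map host -> set of article-named file indicators it touched."""
    hits = defaultdict(set)
    for _, host, _, detail in map(parse, events):
        for name in FILE_INDICATORS:
            if name in detail.lower():
                hits[host].add(name)
    return dict(hits)

def ntlm_spray_hosts(events, min_targets=5, window=60):
    """Hosts whose NTLM failures fan out to >= min_targets distinct destinations
    within `window` seconds; a user retyping a password hits one server only."""
    by_host = defaultdict(list)
    for ts, host, event, detail in map(parse, events):
        if event == "ntlm_auth_fail":
            by_host[host].append((ts, detail.split("dst=", 1)[1]))
    flagged = set()
    for host, fails in by_host.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            dsts = {d for t, d in fails[i:] if t - t0 <= window}
            if len(dsts) >= min_targets:
                flagged.add(host)
                break
    return flagged
```

The destination fan-out check is the more durable of the two: file names change between campaigns, but a workstation failing logons against many distinct hosts in a minute is the shape any credential brute-forcer leaves in authentication logs.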
Kaspersky Lab indicates:
The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.
The ransomware demands a ransom of 0.05 Bitcoin; after one hour, however, the price increases.