BadRabbit ransomware has hit at least three Russian media companies including Russian business newswire Interfax which became unable to deliver some of its news services, and Ukrainian infrastructure has also been hit.
Moscow-based cyber-security firm Group-IB posted a screenshot on its Twitter account showing how computers infected with BadRabbit display a ransom message that looks similar to the one used by the NotPetya ransomware.
An email to SC Media UK from Evgeny Gukov of Group-IB said that Group-IB is, “... investigating #BadRabbit #cryptor attacked a number of Russia's major media....stay tuned,” but did not name the other media attacked, though Fontanka is believed to be another.
Bloomberg has reported Interfax director Yuri Pogorely saying on his Facebook page that engineers are working to restore access to services after the news service faced an “unprecedented virus attack.”
State institutions and strategic infrastructure in Ukraine have also been hit including Odessa airport, the Kyiv subway, and the Ministry of Infrastructure of Ukraine according to press reports monitoring Group-IB coverage of the attack on Telegram.
Bloomberg reports Group-IB founder Ilya Sachkov as saying that the virus affected some servers, workstations and mail servers, and that, “Operations totally halted in some of the affected companies and somewhere this led to a halt of the work of web resources.”
Vyacheslav Zakorzhevsky, head of anti-malware research team at Kaspersky Lab says, “According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany.” He told SC Media UK in an email, “This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. However we cannot confirm it is related to ExPetr. We continue our investigation.”
The Kaspersky Lab statement recommends that its corporate customers make sure all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled. For non-Kaspersky customers it recommends restricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat using the system administrator's tools.
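One way an administrator could apply that recommendation, as an added example rather than Kaspersky's or SC Media's own instructions: a Software Restriction Policy path rule that disallows execution of the two paths named above. The registry layout below (the `Safer\CodeIdentifiers` key, the `0` subkey for the Disallowed level, and the `ItemData`/`SaferFlags` values) is assumed to match the SRP format on the target Windows build; test in a lab and verify the rule appears under Local Security Policy before rolling it out.

```powershell
# Added example: block execution of the file paths BadRabbit is reported to use,
# via a Software Restriction Policy (SRP) "Disallowed" path rule.
# Run as Administrator; applies to the local machine only (domain GPO is the
# usual instrument for a fleet, and would carry the same rule).

$blockedPaths = @(
    'C:\Windows\infpub.dat',   # path named in the Kaspersky recommendation
    'C:\Windows\cscc.dat'      # path named in the Kaspersky recommendation
)

# Base SRP key; assumed layout (documented SRP registry format).
$srpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Ensure SRP is enabled with the default level "Unrestricted" (0x40000) so that
# only the explicit path rules below are disallowed.
if (-not (Test-Path $srpBase)) { New-Item -Path $srpBase -Force | Out-Null }
Set-ItemProperty -Path $srpBase -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $srpBase -Name 'TransparentEnabled' -Value 1       -Type DWord
Set-ItemProperty -Path $srpBase -Name 'PolicyScope'        -Value 0       -Type DWord

# Subkey "0" holds rules for the Disallowed security level.
$disallowedPaths = Join-Path $srpBase '0\Paths'
if (-not (Test-Path $disallowedPaths)) { New-Item -Path $disallowedPaths -Force | Out-Null }

foreach ($path in $blockedPaths) {
    # Each rule lives under a fresh GUID-named subkey.
    $ruleKey = Join-Path $disallowedPaths ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'    -Value $path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'  -Value 0     -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description' -Value 'BadRabbit mitigation (added example)' -Type String
    Write-Host "Disallowed execution of $path"
}

# Refresh policy so the rules take effect without a reboot.
gpupdate /force | Out-Null
```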
Chris Doman, security researcher at AlienVault, who is also currently investigating the malware, adds: "This wouldn't be the first time that an airport in Ukraine suffered a destructive cyber-attack and we are currently investigating to determine the strength of the links to the NotPetya attacks. There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as widespread as WannaCry or NotPetya."