Widespread ransomware outbreak strikes Ukraine, Russia

A fast-spreading ransomware outbreak is hitting Ukraine, Russia and beyond, cybersecurity companies McAfee and ESET confirmed.

The ransomware, dubbed Bad Rabbit and DiskCoder by different sources, has been reported to have hit the Kiev Metro, Odessa airport, Ukrainian ministries of infrastructure and finance, as well as targets in Russia and as far off as Turkey. 

The Russian news wire service Interfax, among the victims, suspended service. The only available story on its website as of 10:30 a.m. Tuesday was a note reading “Interfax news service not available due to hacker attack.”

Group-IB, a Russian security provider, said two other Russian media outlets were hit by Bad Rabbit. 

Early in the day, ESET claimed the ransomware is a variant of the NotPetya threat that targeted Ukraine this summer and ultimately spread to major international firms including the shipping firm Maersk. While it appears there is some overlap in the code, researchers at Kaspersky Lab determined that core aspects of programming came from other sources, including the legitimate encryption product DiskCryptor.

Like NotPetya, Bad Rabbit appears to use multiple methods, including an allegedly stolen National Security Agency (NSA) hacking tool, to traverse networks.

Bad Rabbit uses the same red-on-black lettering as NotPetya to declare that files have been encrypted on the infected system and that a user can pay a ransom to retrieve them.

Initial reports say that Bad Rabbit first infects networks via a fake Adobe Flash update. Then it infects other computers on the same network by harvesting credentials and possibly using a patched vulnerability in Windows known as EternalBlue.

EternalBlue was one of a number of hacking tools leaked by the ShadowBrokers group, which claims to have stolen its wares from the NSA.

–This report was updated at 2:37 p.m.