A new ransomware attack known as “Bad Rabbit” began to spread on Oct. 24, with Ukraine and Russia bearing the brunt of the initial impact. Both ESET and security firm Kaspersky Lab have noted that there are also limited reports of Bad Rabbit impacting systems in Turkey, Bulgaria and Germany.
Among the early victims of the attacks, was Russia’s Interfax news agency which revealed that a number of its servers were taken offline by Bad Rabbit. The Ukranian version of CERT (CERT-UA) issued an advisory for the potential of widespread ransomware attacks. Among the infrastructure attacked in Ukraine by BadRabbit is the Kiev Metro and the Odessa airport.
According to security firm ESET, the malware used to attack the Kiev Metro was a new variant of the Petya ransomware family. Another Petya variant known as NotPetya, was responsible for a global cyber-attack in June 2017 that also initially started with attacks against the Ukraine.
The name Bad Rabbit comes from the title of the ransomware page that exploited users are directed to after being infected by the ransomware. The initial ransom the attackers have asked for is 0.05 Bitcoin, which is worth approximately $283 dollars. The attackers have warned on their ransom page that if not paid, the ransom will increase.
The attack vector used by Bad Rabbit appears to be similar to other recent ransomware attacks including both NotPetya and WannaCry, according to security researchers.
“It seems to be delivered via malicious URL as fake flash update and then using EternalBlue and Mimikatz for lateral movement and further spreading,” security consultant Xaviar Merten, wrote in an update on the ISC diary.
The EternalBlue exploit is a vulnerability in the Microsoft SMB (server message block) protocol implementation, that was allegedly first discovered and used the U.S. National Security Agency. EternalBlue was publicly released by a group known as the Shadow Brokers on April 14, though it was patched by Microsoft in its MS17-010 update on March 14. Mimikatz is an open-source credential extraction tool that is popular with both penetration testers as well as malicious attackers.
One peculiar fact discovered by Kaspersky Lab when analyzing the Bad Rabbit ransomware is that the code uses names are taken from the popular book and TV franchise Game of Thrones. Among the Game of Thrones names found in the Bad Rabbit source code are GrayWorm, rhaegal, drogon and viserion.
At this stage, there are at least two different malware files used in the Bad Rabbit attack that some antivirus technologies are able to detect. According to an analysis by antivirus engine testing platform virustotal, approximately only 17 out of 66 different anti-virus vendor tools are able to detect the Bad Rabbit malware files.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.