https://arstechnica.com/information-...a-and-ukraine/

Bad Rabbit, as the outbreak is being dubbed, is primarily attacking targets in Russia, but it's also infecting computers in Ukraine, Turkey and Germany, researchers from Moscow-based Kaspersky Lab said. In a blog post, the antivirus provider reported that the malware is using hacked Russian media websites to display fake Adobe Flash installers, which, when clicked, infect the computer visiting the hacked site. Researchers elsewhere said the malware may use other means to infect targets.

Bad Rabbit appears to specifically target corporate networks by using methods similar to those used in a June data-wiping attack dubbed "NotPetya" that shut down computers around the world. Bad Rabbit infects Windows computers and relies solely on targets manually clicking on the installer, Kaspersky Lab said. So far, there's no evidence the attack uses any exploits.

Russia's Interfax news agency reported on Twitter that a hacker attack has taken out some of its servers and forced it to rely on its Facebook account for the time being. Russian forensics firm Group IB said Bad Rabbit has infected two other Russian media outlets besides Interfax. In nearby Ukraine, computer systems for the Kiev Metro, Odessa airport, and Ukrainian ministries of infrastructure and finance have also been affected, according to a blog post published Tuesday morning by antivirus provider Eset. Meanwhile, the Ukrainian computer emergency agency CERT-UA also posted an advisory on Tuesday morning reporting a series of cyberattacks, without specifically naming the malware used in those attacks.

Preliminary analysis indicates the malware is professionally developed and incorporates a variety of advanced measures designed to allow it to rapidly infect large government and corporate networks. Security researcher Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets' hard drives. Kaspersky Lab's blog post said the executable file dispci.exe appears to be derived from DiskCryptor and is being used by Bad Rabbit as the disk encryption module.