The U.S. government has issued a warning about a new ransomware attack that spread through Russia and Ukraine and into other countries around the world.
Cybersecurity experts said the ransomware — which posed as an Adobe update before locking down computers and demanding money for people to get their files back — targeted Russian media companies and Ukrainian transportation systems. It has also been detected in other countries including the U.S., Germany and Japan.
The U.S. Computer Emergency Readiness Team said late Tuesday it “has received multiple reports of ransomware infections … in many countries around the world.”
Dubbed “Bad Rabbit,” the virus is the latest example of cybercriminals using ransomware to try to extort money from victims across the globe. Two major international attacks earlier this year — NotPetya and Wannacry — caused widespread disruption affecting businesses, government institutions and hospitals.
When Bad Rabbit infects a computer, it seizes files and demands a ransom. Experts and government agencies advise victims not to pay up, warning that there’s no guarantee they will get their files back.
On Tuesday, the virus attacked Russian media groups Interfax and Fontanka, and transportation targets in Ukraine including Odessa’s airport, Kiev’s subway and the country’s Ministry of Infrastructure of Ukraine, according to Russian cybersecurity firm Group-IB. Interfax confirmed its servers had gone down due to a cyberattack.
Most of the victims were located in Russia, but attacks were also observed in Ukraine, Turkey, and Germany. Cybersecurity firm ESET also identified cases of Bad Rabbit in Japan and Bulgaria. Another company, Avast, says the ransomware has been detected in the U.S., South Korea and Poland.
Ties to previous attack
The number of victims appeared to be significantly smaller than the NotPetya attack, which struck Ukraine and spread to other countries in June, doing hundreds of millions of dollars of damage to some major companies.
Experts said there were clear links between the two viruses.
Vyacheslav Zakorzhevsky, head of the anti-malware research team at Russian cybersecurity firm Kaspersky Lab, said the company’s investigation shows the Bad Rabbit attack targeted corporate networks using similar methods as NotPetya.
Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said in a message the Bad Rabbit attack was launched through “an elaborate network of hacked websites,” with a link to NotPetya.
Group-IB also identified similarities between the NotPetya code and that of Bad Rabbit.
Virus used popular malware trick
The Bad Rabbit ransomware infiltrated computers by posing as an Adobe Flash installer on compromised news and media websites. It serves as a reminder that people should never download apps or software from pop-up advertisements or websites that don’t belong to the software company.
ESET says once the ransomware infected a machine, it scanned the network for shared folders with common names and attempted to steal and exploit user credentials to get on other computers.
Researchers say Bad Rabbit doesn’t use EternalBlue, the Windows exploit that was leaked in a batch of hacking tools believed to belong to the U.S. National Security Agency. The NotPetya and WannaCry ransomware attacks did use EternalBlue.
It’s unclear who’s behind Bad Rabbit, but the attackers appear to be “Game of Thrones” fans. The ransomware code contains references to characters from the popular book and TV series like Grey Worm and Daenerys’ dragons.
Many anti-virus software detects Bad Rabbit, including Windows Defender. A researcher from Cybereason discovered a “vaccine” that the company said can protect machines from infection.
According to malware researcher James Emery-Callcott, the ransomware campaign is slowly dying down.
“As far as I can see, the attacker’s server is no longer live and most of the infected sites hosting the script that gives the Flash update prompt” have fixed the issue, he said. “Fake Flash updates are an incredibly popular method of distributing malware these days. Hopefully people will start to realize that when you get an unsolicited Flash update, it’s generally going to be bad.”