A ransomware attack has put a halt to business inside a handful of Russian media outlets and a number of major organizations in the Ukraine, including Kievâ€™s public transportation system and the countryâ€™s Odessa airport.
The attacks are known as Bad Rabbit and harken back to the ExPetr/NotPetya attacks of this summer which also concentrated in Ukraine and Russia, but instead spread wiper malware used in the Petya attacks of 2016.
Todayâ€™s outbreak is spreading via drive-by download attacks from legitimate news sites, according to researchers at Kaspersky Lab who published anÂ [Login to see the link]. Russiaâ€™sÂ [Login to see the link]Â is one such agency reporting its services are down because of the attack. Host sites are infected with a dropper in the guise of a phony Adobe Flash Player installer. Kaspersky Lab said it has observed victims in Turkey and Germany as well, counting almost 200 targets.
There are no exploits involved in this attack, Kaspersky Lab said, and victims must manually launch the downloaded file namedÂ install_flash_player.exe. The executable requires elevated privileges to run, and uses a Windows UAC prompt to obtain them, again with the victimâ€™s permission. If the executable runs as expected, it grabs a file-encrypting malware called infpub.dat, Kaspersky Lab said, adding that the file may be capable of brute-forcing NTLM login credentials for Windows machines with pseudorandom IP addresses.
â€œThis ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack,â€� Kaspersky Lab said in a statement. â€œHowever, we cannot confirm it is related to ExPetr.Â We continue our investigation.â€�
[Login to see the link]Â emerged in late June and was quickly scrutinized as more dangerous than WannaCry, which spread globally just a month earlier. Like WannaCry, the attackers behind ExPetr used the leaked NSA exploit EternalBlue to spread the malware. In the early hours of the attack, Danish shipping giants Maersk and Russian oil company Rosneft wereÂ [Login to see the link]Â and impacts to their respective businesses. It was eventually determined that ExPetr was not a ransomware attack, but aÂ [Login to see the link].
The infpub.dat file prominent in todayâ€™s attack will also install another malicious executable called dispci.exe. It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal. Thereâ€™s also a reference to a Game of Thrones character GrayWorm in the code.
â€œThe executableÂ dispci.exeÂ appears to be derived from the code base of the legitimate utility DiskCryptor,â€� Kaspersky Lab said. â€œIt acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.â€�
DiskCryptor is a freely available open source full disk encryption system for Windows, and can be used to encrypt a hard drive or partitions.
Victims are presented with a ransom demand of 0.05 Bitcoin, a timer counting down toward an hour when the price goes up.
Researchers at ESET, meanwhile, have said that the disk encryption executable can be spread via SMB. The Mimikatz pen-testing tool is also aunched on the compromised machine and steals credentials in addition to a list of hardcoded usernames and passwords.