Massive New Ransomware Attack Hits Eastern Europe


A new variation of the “NotPetya” ransomware that hit thousands of government and private computer systems in June has been reported to have struck hundreds of targets in Eastern Europe. The attack was aimed primarily at Russia and Ukraine, but systems in Bulgaria, Germany and Turkey have also been affected.

CNN reported that the attack, posing as an updater to the Adobe Flash program, has also been detected in the United States and Japan.

The new malware has been dubbed “Bad Rabbit” and uses the same code base as the NotPetya attack. A disk encryption module installs a modified bootloader that prevents the infected machine from booting normally.

When a user tries to boot an infected machine, the malware displays a screen message demanding payment in order to decrypt and release the files. The U.S. Computer Emergency Readiness Team (US-CERT) discourages individuals and organizations from paying the ransom because payment does not guarantee that access will be restored.

Among the most high-profile targets thus far are Russia’s Interfax news agency, Ukraine’s Kiev Metro and Odessa International Airport, and Ukraine’s ministries of infrastructure and finance, according to a report at Dark Reading.

If there is a bit of good news, cybersecurity experts do not expect Bad Rabbit to cause as much damage as the Petya, NotPetya and WannaCry ransomware attacks that struck earlier this year. A researcher at security vendor ESET said:

Considering the infection capabilities we discovered in the samples, spreading outside Ukraine is theoretically possible but much less likely than in the June NotPetya case, due to the lack of EternalBlue spreading mechanism.

The earlier malware attacks used an exploit called “EternalBlue” that is believed to have been developed by the U.S. National Security Agency and was leaked online in April by a hacker group that calls itself the Shadow Brokers. Bad Rabbit does not have the worm-like code used by EternalBlue, instead employing hard-coded stolen credentials to perform its dirty work.
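Because Bad Rabbit spreads with hard-coded credentials rather than an exploit, the signal a defender can look for is one source host trying many usernames against several machines over network logons in a short window. The following is an added example, not code from the article or from any vendor named in it: a small detector run over constructed Windows Security logon events (the log format, field order and thresholds are assumptions modelled on event IDs 4624 and 4625 with logon type 3).

```python
"""Flag hosts whose logon pattern looks like credential reuse / spraying over SMB.

Added example (not from the article). The log lines are constructed, not real
telemetry; the whitespace-separated format below is an assumption, not a
Windows export format. Fields: timestamp, event id (4624 success / 4625
failure), source IP, target host, username, logon type (3 = network).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int      # 4624 = successful logon, 4625 = failed logon
    source_ip: str
    target_host: str
    username: str
    logon_type: int    # 3 = network logon, the type SMB credential reuse produces


# Constructed sample: 10.0.0.5 walks a short credential list across three hosts and
# lands one success; 10.0.0.9 is a user mistyping a password once (benign).
SAMPLE_LOG = """\
2017-10-24T10:00:01 4625 10.0.0.5 FILESRV01 administrator 3
2017-10-24T10:00:02 4625 10.0.0.5 FILESRV01 admin 3
2017-10-24T10:00:03 4625 10.0.0.5 FILESRV01 root 3
2017-10-24T10:00:04 4625 10.0.0.5 FILESRV01 guest 3
2017-10-24T10:00:05 4625 10.0.0.5 WKS-07 administrator 3
2017-10-24T10:00:06 4625 10.0.0.5 WKS-07 admin 3
2017-10-24T10:00:07 4624 10.0.0.5 WKS-07 backup 3
2017-10-24T10:00:09 4625 10.0.0.5 WKS-12 user 3
2017-10-24T10:05:00 4624 10.0.0.9 FILESRV01 jsmith 3
2017-10-24T10:05:30 4625 10.0.0.9 FILESRV01 jsmith 3
2017-10-24T10:06:00 4624 10.0.0.9 FILESRV01 jsmith 3
2017-10-24T10:30:00 4625 10.0.0.5 FILESRV01 administrator 3
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse the constructed format into LogonEvent records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, eid, src, host, user, ltype = m.groups()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), src,
                                 host, user.lower(), int(ltype)))
    return sorted(events, key=lambda e: e.ts)


def find_spraying_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_hosts=2):
    """Return {source_ip: finding} for sources that, within any `window`,
    attempt at least `min_users` distinct accounts against at least
    `min_hosts` distinct targets using network logons. Successful logons in
    the same window are listed so responders know where to look first."""
    by_source = defaultdict(list)
    for e in events:
        if e.logon_type == 3 and e.event_id in (4624, 4625):
            by_source[e.source_ip].append(e)

    findings = {}
    for src, evs in by_source.items():          # evs is already time-ordered
        best = None
        for i, start in enumerate(evs):          # slide a window from each event
            users, hosts, successes = set(), set(), set()
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                users.add(e.username)
                hosts.add(e.target_host)
                if e.event_id == 4624:
                    successes.add((e.target_host, e.username))
            if len(users) >= min_users and len(hosts) >= min_hosts:
                cand = {"window_start": start.ts.isoformat(),
                        "users": len(users), "hosts": len(hosts),
                        "successes": sorted(successes)}
                if best is None or (cand["users"], cand["hosts"]) > (best["users"], best["hosts"]):
                    best = cand
        if best is not None:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in find_spraying_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['users']} accounts x {f['hosts']} hosts from "
              f"{f['window_start']}; successes={f['successes']}")
```

The thresholds are deliberately conservative so that a single user retrying a password (10.0.0.9 above) is not flagged, while a host cycling a short credential list across several machines is; in a real environment the successful-logon list in the finding is the starting point for containment.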