The Daily Swig Web security digest

Down the rabbit hole: NotPetya 2.0 raises its head

James Walker | 25 October 2017 at 10:00

Kiev Metro, Odessa airport, and Russian media outlets hit by ransomware attack.

Following recent reports that hundreds of thousands of IoT devices are currently being recruited in the lead-up to a major botnet attack, a new wave of ransomware has been found to be sweeping across eastern Europe.

According to cybersecurity experts at Kaspersky Lab, public sources have confirmed that computer systems in the Kiev Metro, Odessa International Airport, and “a number of organizations in Russia” have been affected by the malware, dubbed Bad Rabbit.

In a separate announcement, websec firm Group-IB said victims in the Russian Federation included state-owned news sites Interfax, Fontanka, and Argumenti, while infections have also been reported in Bulgaria, Japan, Turkey, and Germany.

Bad Rabbit, a suspected variant of the NotPetya ransomware that swept through Ukraine and numerous other countries with devastating effect in June 2016, is being spread via traffic from the compromised sites.

After a user clicks on an illegitimate Flash Player update notification, a malicious Diskcoder.D file is downloaded and infects the host. Screenshot images provided by Group-IB depict a now all-too-familiar ransomware page informing users that their files have been encrypted.

Reports indicate that Bad Rabbit is utilizing DiskCryptor, a legitimate open-source tool used for full drive encryption. In order for victims to regain file access, Bad Rabbit demands 0.05 bitcoin (around $280).

“It is interesting to note that all these big companies were hit at the same time,” said Kaspersky malware researcher, Marc-Etienne Léveillé. “It is possible that the [threat actors] already had a foot inside their network and launched the watering hole attack at the same time as a decoy.”

Across the Atlantic, the US Computer Emergency Readiness Team (US-CERT) said it has received multiple reports of Bad Rabbit infections, and urged users to ensure their systems are updated.

“US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored,” the organization stated. “Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”