
Bad Rabbit: a new wave of attacks with file-encrypting ransomware

Several Russian media outlets and Ukrainian organizations were hit by the Bad Rabbit ransomware. In particular, the attackers struck three Russian media outlets, including Interfax and Fontanka.

On October 24, a new large-scale cyber attack began, using the Bad Rabbit ransomware. The malware hit the computer networks of the Kiev Metro, the Ministry of Infrastructure and Odessa International Airport. Several victims were also found in Russia: as a result of the attack, the editorial offices of federal media such as Interfax and Fontanka were affected.

Kill switch: create the file C:\Windows\infpub.dat and set it to read-only. In that case, even if the machine is infected, the files will not be encrypted.

Most likely the virus spreads through compromised websites that prompt users to install a Flash Player update.

A preliminary analysis shows that the malware spreads through a number of compromised Russian media websites. All signs indicate that this is a targeted attack on corporate networks.

After penetrating the victim's computer, the malware encrypts user files. To restore access to the encrypted data, the victim is asked to pay a ransom of 0.05 bitcoin, which at the current rate is approximately 283 US dollars or 15,700 rubles. The attackers also warn that the price of decryption will increase if payment is delayed.


Details about the distribution scheme of Bad Rabbit are not yet available. It is not clear whether the files can be decrypted. But it is already known that most of the victims of the attack are in Russia. In addition, similar attacks were recorded in Ukraine, Turkey and Germany, but in much smaller numbers.


The press service of the Kiev Metro also reported the attack. The attackers managed to disrupt fare payment with contactless bank cards. "Attention! Cyber attack! The metro is operating normally, except for banking services (payment by contactless bank cards at the yellow turnstile or MasterPass)," the official Kiev Metro account on Facebook reports.

The attackers ask their victims to follow a link to a Tor site that runs a countdown timer. After payment, according to the attackers, the victim is to receive a personal decryption key.


The methods of distribution and persistence on the system are not yet known, and there is also no reliable information about the availability of decryption keys.

Kaspersky Lab employees recommend the following actions:
Block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat.
Disable (if possible) the use of the WMI service.
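The kill switch described above and the recommendation to block the two files can be applied together from an elevated PowerShell session. The script below is an added example, not part of the original post or of Kaspersky Lab's guidance; it assumes the standard icacls tool, and the choice to strip every ACE from the files (so nothing can read, write or execute them) is an assumption about how to implement "block execution", based only on the file names given in the post.

```powershell
# Added example (not from the original post): pre-create the kill-switch
# files named in the post and remove all permissions on them.
# Assumptions: run as administrator; icacls is available (standard on Windows).
$killSwitchFiles = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),
    (Join-Path $env:SystemRoot 'cscc.dat')
)

foreach ($path in $killSwitchFiles) {
    # Create an empty placeholder if the file does not exist yet
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }

    # The kill switch from the post: mark the file read-only
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    # "Block execution": drop inherited ACEs so the DACL is empty and no
    # account (other than the owner's implicit rights) can read, write or
    # execute the file. This is the assumption behind the example.
    & icacls $path /inheritance:r | Out-Null
}

# Show the resulting state for a quick visual check
foreach ($path in $killSwitchFiles) {
    $item = Get-Item -LiteralPath $path -Force
    '{0}  ReadOnly={1}  Size={2}' -f $path, $item.IsReadOnly, $item.Length
    & icacls $path
}
```

Because the creating administrator remains the file owner, the placeholder can later be removed with `icacls <file> /reset` followed by deleting it; the empty DACL only keeps other processes, including a malware payload, from writing to or running the file.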
The post will be updated as information becomes available.

Source: https://habr.com/ru/post/340880/
