Earlier this year, an Israeli researcher at Cybereason Labs discovered a method to block the Petya ransomware attacks that had struck thousands of computers around the world. "Our researchers have detected a number of compromised websites, all news or media sites". To be precise, a Ukrainian international airport and three Russian media outlets have been hit by the new ransomware.
After infecting one machine in a network - one computer in an office, for example - Bad Rabbit can find any login details stored on that machine and use them to spread to others, security researchers have claimed. "However, we cannot confirm it is related to ExPetr".
According to ESET, an anti-virus and IT security company, Bad Rabbit follows similar attacks in May and June that infected thousands of networks and eventually caused hundreds of millions of dollars in damages.
A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations and airports, according to multiple security companies on Tuesday.
At the moment Bad Rabbit appears to be confined to Europe, with attacks registered in Ukraine, Germany, Russia and Turkey. The malicious software was planted on prominent Russian news media websites in order to spread the malware, Forbes reports.
The new strain of ransomware, dubbed Bad Rabbit, was first spotted on October 24. In this instance, the malware is disguised as an Adobe Flash installer. Encryption keys are generated using CryptGenRandom and then protected with a hardcoded RSA-2048 public key, so the victim cannot recover them without the attackers' private key.
One thing that we can discern so far is that the hackers behind the attacks seem to be Game of Thrones fans, as at least four scheduled tasks created by the ransomware are named after the popular series (Viserion, Drogon, Rhaegal and GrayWorm).
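Those task names are a usable detection hook. As an added defender-side illustration (not code from the article or any vendor it cites), the script below parses constructed scheduled-task-creation records in a simplified Windows Security event 4698 layout and flags hosts where several of the names above are created within a short window; the log format, host names and user names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Scheduled-task names the article attributes to Bad Rabbit.
BAD_RABBIT_TASKS = {"viserion", "drogon", "rhaegal", "grayworm"}

# Assumed export layout: "<date> <time> <host> 4698 user=<user> task=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+4698\s+user=(?P<user>\S+)\s+task=(?P<task>\S+)$"
)

def parse_line(line):
    """Parse one record; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["task"] = rec["task"].lstrip("\\").lower()  # "\Drogon" -> "drogon"
    return rec

def find_bad_rabbit_hosts(lines, window=timedelta(minutes=5), min_hits=2):
    """Return {host: [task names]} for hosts where at least `min_hits`
    distinct known task names were created within `window` of each other."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["task"] in BAD_RABBIT_TASKS:
            per_host[rec["host"]].append(rec)
    flagged = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            cluster = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            names = sorted({r["task"] for r in cluster})
            if len(names) >= min_hits:
                flagged[host] = names
                break
    return flagged

# Constructed sample log: one host shows the burst, another a lone hit hours apart.
SAMPLE_LOG = """\
2017-10-24 13:01:05 WS-ACCT-07 4698 user=CORP\\jsmith task=\\Backup-Nightly
2017-10-24 13:02:11 WS-ACCT-07 4698 user=CORP\\jsmith task=\\viserion
2017-10-24 13:02:12 WS-ACCT-07 4698 user=CORP\\jsmith task=\\Rhaegal
2017-10-24 13:02:13 WS-ACCT-07 4698 user=CORP\\jsmith task=\\drogon
2017-10-24 09:15:00 WS-DEV-02 4698 user=CORP\\alee task=\\Drogon
2017-10-24 17:40:00 WS-DEV-02 4698 user=CORP\\alee task=\\GrayWorm
""".splitlines()

if __name__ == "__main__":
    for host, names in find_bad_rabbit_hosts(SAMPLE_LOG).items():
        print(f"{host}: Bad Rabbit task names created: {', '.join(names)}")
```

With the defaults only WS-ACCT-07 is reported; lowering `min_hits` to 1 also surfaces the isolated hits on WS-DEV-02 at the cost of more false positives.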
The ESET experts said that the payment website is hosted on the Tor network, and the ransom note provides instructions for making the payment while displaying a countdown of 40 hours before the price of decryption increases. Kaspersky Lab notes that it is now investigating the ransomware and will post more information as it becomes available.
It is understood the ransomware was distributed with the help of drive-by attacks.
Experts argue that while investigators were focused on getting to the bottom of the ransomware infection, TeleBots could be quietly siphoning off data from sensitive targets.