Malware called BadRabbit is bouncing between networks in Russia, Ukraine, Turkey, and Bulgaria, demanding Bitcoin payment in exchange for decryption of files.
Reuters reports that Odessa airport (pictured above) and the metro system in Kiev, both in Ukraine, have been hit by the malware. Russian cybersecurity firm Group-IB says that at least three of the nation’s media organizations have been hit. Security researchers at ESET claim to have spotted instances of the attack in Bulgaria and Turkey. More attacks will no doubt be mentioned on Twitter as they're discovered.
In each case, users are presented with a black-and-red screen of text demanding a payment of 0.05 bitcoin (about $280, for now) in order for their files to be decrypted. A timer claims that the ransom will increase after 40 hours.
The BadRabbit ransomware appears to spread via a fake Adobe Flash Player installer, according to researchers at security firm Proofpoint, seemingly using a Windows flaw known as EternalBlue that was identified by and leaked from the NSA and has now been used in several malware attacks. Once on a computer, says a staff member of the security firm McAfee, BadRabbit can encrypt a bunch of common file types, including Microsoft Office documents and image files.
Sound familiar? Well, the attack carries many echoes of recent ransomware schemes, such as NotPetya and WannaCry. So far, though, opinion is divided over whether BadRabbit is connected to previous attacks: ESET says it may be a variant of not NotPetya, while Kaspersky says it can’t say with certainty.
One thing is for sure: like other recent malware attacks, it’s causing chaos for those who are hit. We’ll have to wait and see just how big the attack becomes.