On Tuesday, reports surfaced that a new kind of malware was spreading around Europe. The apparent ransomware which researchers are calling Bad Rabbit bubbled up in Russia and Ukraine and appears to also be affecting Turkey and Germany, though spread isn’t fully known at this time.
Initial targets include Ukraine’s Ministry of Infrastructure and Kiev’s public transportation system. The Russian news service Interfax also issued an official update stating that it had been hacked and that it was working to restore its systems. Kaspersky reports that Russian news group Fontanka.ru was also affected and focuses on the trend of targeted media outlets in its initial analysis. So far, Kaspersky and ESET have both noticed ties to the malware known as NotPetya or ExPetr.
“Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”
Unlike other recent malware epidemics which spread through more passive means, Bad Rabbit requires a potential victim to download and execute a bogus Adobe Flash installer file, thereby infecting themselves. Security researchers have come up with an early “vaccine” against the malware, which should inoculate systems from becoming infected.
Vaccination for the Ukraine round 2? Wanna stop #badrabbit?
Create a file called c:windowsinfpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now… pic.twitter.com/3MSSH8WKPb— Amit Serper (@0xAmit) October 24, 2017
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Whoever created Bad Rabbit appears to be a Game of Thrones fan, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm, a beloved character who is definitely not the skin disease known as greyscale.
https://twitter.com/GossiTheDog/status/922859996609736710
Computers infected with the malware direct the user to a .onion Tor domain where they are asked to pay .05 Bitcoin or roughly $276 USD in exchange for their data. A countdown on the site shows the amount of time before the ransom price goes up. While this year has seen some instances of destructive malware disguised as ransomware, it’s not yet totally clear if Bad Rabbit actually collects a ransom and decrypts the goods in all cases, though one researcher had some luck in testing.
Unlike #ExPetr, #BadRabbit is not a wiper. pic.twitter.com/JeBnD8q9DV
— Anton Ivanov (@antonivanovm) October 24, 2017
As always, anyone infected is discouraged from paying the ransom. For one, there’s no guarantee you’ll get the data back but importantly, refusing to pay the ransom discourages future ransomware attacks.
Bad Rabbit joins NotPetya and WannaCry, 2017’s two other major ransomware-style malware outbreaks.
