Reports appeared on Tuesday that a new ransomware outbreak was hitting organisations in Russia and Ukraine. Victims included the Russian newswire Interfax, Ukraine’s Odessa airport, and the Kiev subway system.

Media outlets like Fontanka.ru found their websites disrupted by the attack, and urged readers to follow them on social media for updates while systems were restored.

The ransomware, dubbed “BadRabbit”, showed a number of similarities to the hard-hitting NotPetya attack that struck organisations in Russia, Ukraine and elsewhere earlier in the year.

NotPetya is thought to have initially been spread via a malware-infected update to accounting software widely used in Ukraine. It hit hard, costing some companies hundreds of millions of dollars' worth of damage.

Researchers at Group-IB, however, identified that BadRabbit had been distributed in a different fashion – using a number of compromised news websites as a means of infecting computers. Compromised sites included:

  • fontanka.ru
  • argumentiru.com
  • grupovo.bg
  • sinematurk.com
  • aica.co.jp
  • spbvoditel.ru
  • argumenti.ru
  • mediaport.ua
  • an-crimea.ru
  • www.t.ks.ua
  • most-dnepr.info
  • osvitaportal.com.ua
  • otbrana.com
  • pensionhotel.cz
  • online812.ru
  • imer.ro
  • novayagazeta.sbp.ru
  • i24.com.ua
  • ankerch.crimea.ru

Visitors to the compromised sites were greeted by a pop-up urging them to install an Adobe Flash update on their Windows PCs. That pop-up was itself a warning sign: a genuine Flash update arrives through Adobe's own updater or from adobe.com, not from a news site.

Of course, the downloaded file did not originate from Adobe: it was the ransomware in disguise.

The use of phoney security updates to infect users' computers with malware is nothing new, and once again it shows that an attack does not have to be highly sophisticated to succeed. In addition, the ransomware contains an SMB component that lets it spread laterally through an organisation, trying poorly-chosen passwords against other machines on the network in order to find further computers to infect. On the wire, that looks like a single workstation authenticating to many hosts over SMB in quick succession, which is exactly the pattern a defender can watch for.
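The following is an added example, not code from the original article or from Group-IB: a small Python detector for the kind of lateral spread described above, where one infected host tries a short list of weak credentials against many other machines and then moves to the ones it gets into. It generalises beyond BadRabbit to any SMB-style sweep with guessed passwords. The log lines are constructed and use a simplified format (timestamp, source host, target host, user name, outcome), not a real Windows or Samba event format, and the thresholds are illustrative assumptions.

```python
"""
Added example (not from the original article): flag hosts whose logon pattern
looks like a credential sweep, i.e. the SMB lateral-movement behaviour
described in the text.  Log format and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample log: WS-017 sweeps the network with a few weak guesses,
# while normal users log on to one machine and occasionally mistype a password.
SAMPLE_LOG = """\
2017-10-24T12:01:02 WS-017 FS-01 administrator FAIL
2017-10-24T12:01:03 WS-017 FS-01 Administrator FAIL
2017-10-24T12:01:03 WS-017 FS-01 admin FAIL
2017-10-24T12:01:04 WS-017 WS-022 administrator FAIL
2017-10-24T12:01:04 WS-017 WS-022 admin SUCCESS
2017-10-24T12:01:05 WS-017 WS-031 administrator FAIL
2017-10-24T12:01:05 WS-017 WS-031 Administrator SUCCESS
2017-10-24T12:01:06 WS-017 WS-040 administrator FAIL
2017-10-24T12:01:06 WS-017 WS-040 admin FAIL
2017-10-24T12:01:07 WS-017 WS-040 root FAIL
2017-10-24T12:02:10 WS-009 FS-01 jsmith FAIL
2017-10-24T12:02:15 WS-009 FS-01 jsmith SUCCESS
2017-10-24T12:03:00 WS-012 PRINT-01 mbrown SUCCESS
"""


def parse_log(text):
    """Parse the constructed log into (ts, src, dst, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, user, outcome = line.split()
        events.append((ts, src, dst, user, outcome == "SUCCESS"))
    return events


def find_credential_sweeps(events, min_targets=3, min_failures=4):
    """
    Return {source_host: summary} for every source that failed logons against
    at least `min_targets` distinct hosts and at least `min_failures` times in
    total.  A success from such a source, after it has already failed
    elsewhere, marks that target as likely compromised (the next hop).
    The thresholds are assumptions; tune them to the environment.
    """
    per_src = defaultdict(lambda: {"failed_targets": set(), "failures": 0,
                                   "compromised": set(), "users": set()})
    for _ts, src, dst, user, ok in events:
        s = per_src[src]
        s["users"].add(user)
        if ok:
            if s["failures"] > 0:
                s["compromised"].add(dst)
        else:
            s["failures"] += 1
            s["failed_targets"].add(dst)

    alerts = {}
    for src, s in per_src.items():
        if len(s["failed_targets"]) >= min_targets and s["failures"] >= min_failures:
            alerts[src] = {
                "targets_probed": sorted(s["failed_targets"]),
                "failures": s["failures"],
                "users_tried": sorted(s["users"]),
                "likely_compromised": sorted(s["compromised"]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_credential_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: probed {len(info['targets_probed'])} hosts with "
              f"{info['failures']} failures, tried {info['users_tried']}; "
              f"likely compromised {info['likely_compromised']}")
```

In a real deployment the same logic would be fed from Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 3 (network), which is what SMB authentication produces on the target; the point of the example is the shape of the alert, one source fanning out across many targets, rather than the constructed log format.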

Once a PC