BadRabbit: new ransomware attack

Different institutions in five countries are attack by a new ransomware, that demands Bitcoin
25 October 2017   1388

A number of institutions of Ukraine, Russian, Bulgaria, Turkey and Japan was attacked by a new version of the cryptographic virus, called Bad Rabbit. 

Apparently, we are facing a new epidemic. The victim of the cryptographic virus became not only the Russian media, but also a number of state institutions and strategic facilities in Ukraine.
 

Group-IB statement

Among the victims of the virus were Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, the State Aviation Service of Ukraine, the computer system of the Kiev Metro, and the information system of the international airport Odessa. Most likely, the list will be added in the near future.

Hackers ask their victims to follow the link leading to the onion-site, it starts an automatic time counter.

Hacked computer
Hacked computer

Further it demands 0.05 BTC, promising otherwise to destroy all the encrypted information.

Ransom demand
Ransom demand

According to experts of the Group-IB, it is the virus-encryptor, as the victims complain about "blocked screens of computers."

Specialist of the Czech security company ESET Jiří Kropak said that the virus spreads through a fake update file for Adobe Flash. As proof, he posted in his Twitter screenshot from the Russian news site, which offers download such a file. 

Group-IB released 5 facts about the Bad Rabbit.

  1. The analysis of the code established a connection between Bad Rabbit and the cryptographer Not Petya, in June 2017, attacked energy, telecommunications and financial companies in Ukraine.
  2. In Russia there was an attempt to attack banks from the top 20, but they were unsuccessful. Our TDS Polygon system notified users of attempts at infection.
  3. Specialists of Group-IB found that the malicious program was distributed with the help of web traffic from hacked Internet resources, among which were Ukrainian and Russian sites: fontanka.ru, argumenti.ru, argumentiru.com.
  4. Download of malicious software originated from the resource 1dnscontrol.com. Several other resources are associated with it, which can be used to conduct similar attacks, SPAM mailing, phishing.
  5. Kill Switch found: you must create the file C: \ windows \ infpub.dat and set it to read only mode. After that, even if infected, the files will not be encrypted.
     

Group-IB statement

BTC Extortionists to Send Explosion Threats In US & CA

Police reported that explosive devices in the places specified by extortionists were not found
14 December 2018   90

In Canada and the United States, local businesses and residents received letters threatening to detonate a bomb if they did not send bitcoins to extortionists. Because of this, in some regions, law enforcement officers evacuated people from bus stations, schools and airports, reports Global News.

Extortionists threatened to blow up universities, schools, city halls and local businesses in the US states of Utah, Aidaxo, New York, Oklahoma and Illinois. The New York City Police Department urged residents not to panic or send bitcoins to criminals. Police also reported that explosive devices in the places specified by extortionists were not found.

In Canada, extortionists promised to blow up buildings and car dealerships in Toronto, Edmonton, Ottawa, Calgary and Montreal. Some residents of the attackers asked for a ransom in bitcoins in the amount of $ 20 thousand. After verification, the Calgary police stated that the messages were part of phishing attacks and did not pose a threat to the public.