View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 25, 2017

Bad Rabbit ransomware wreaks havoc in Russia and Ukraine

Bad Rabbit has been likened to WannaCry and NotPetya, but this variant requires the victim to download a maliciously loaded Adobe Flash installer file.

By Tom Ball

Russia and the Ukraine have experienced attacks from a new strain of malware called Bad Rabbit, hitting major infrastructure targets including a Ukrainian airport.

The Ukraine also experienced an attack on a Kiev underground railway, with the attack proving comparable to the notorious NotPetya and WannaCry attacks that rocked the world earlier this year.

Also found to be active in Poland and South Korea, the attack has been able to debilitate servers by encrypting them. Despite this, the US computer emergency readiness team said: “discourages individuals and organisations from paying the ransom, as this does not guarantee that access will be restored,” as reported by the BBC.

Kaspersky has been tracking the new malware variant, in a blog post the company said: “What is known at the moment is that Bad Rabbit ransomware has infected several big Russian media outlets, with Interfax news agency and among the confirmed victims of the malware. Odessa International Airport has reported on a cyberattack on its information system, though whether it’s the same attack is not yet clear.”

A degree of human error is required for the attack to be successful, as it gains entry when a loaded Adobe Flash installer file is downloaded by the victim.

Jakub Kroustek, Malware Analyst at Avast, said: “We’re classifying Bad Rabbit as malware, with code resembling NotPetya. We’ve detected Bad Rabbit in Russia, Ukraine, Poland, and South Korea so far. At the moment, Russia and Ukraine appear to be the most heavily impacted countries. The total prevalence of known samples is quite low compared to the other “common” strains. We are continuing to monitor the situation and will share updates as available. ”

Following the impact of yet another powerful malware variant, 2017 is proving to be a year of grievous cyber-attacks, the likes of which have not yet been experienced at such a sustained rate, bearing similarities to one another.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
– Sophos unmasks the unknown with new next gen firewall


– Bitcoin Gold mining to commence following imminent hard fork


– Samsung fights fraud with behavioural biometrics


Andrew Clarke, EMEA Director at One Identity, said: “Keys are generated using CryptGenRandom and then protected by hardcoded RSA 2048 public key.  A powerful upgrade now being unleashed with organisations in Russia, Ukraine, Bulgaria and Turkey at the top of the hit list.   This time a fake “flash” update appears to be implicated but it seems that as the organisations were hit around the same time that the attackers likely had a foot in their network already.”

Explaining how the Bad Rabbit malware takes hold, Clarke goes on to explain how organisations could potentially protect themselves from the full force of the new attack.

“Once hit; their data gets encrypted and for a bitcoin fee of 0.05 — approximately $280 –  the affected company has the chance to acquire the decryption keys but only before a count-down of 41 hours expires!  Despite industry warnings issued after the Petya, and not-Petya outbreaks earlier this year, this variant which spreads laterally using SMB shares – could be blocked by denying this communication channel [ports 137, 138, 139 and 445] on their firewalls,” said

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.