The ransomware appears to be a variant of the Petya ransomware
The malware dubbed Bad Rabbit has so far affected three Russian websites, according to cyber threat intelligence firm Group-IB.
While Reuters reported that an underground railway in the Ukraine capital Kiev and an airport in the nation have also been affected by the Bad Rabbit ransomware.
Infected machines display a red-on-black message that requests victims login to a website hidden on the Tor network and make a payment of 0.05 Bitcoins, which is currently around £214. Victims have to pay up within around 40 hours if they want to have their files decrypted or the price goes up.
At the time of writing, there is no indication of who is behind the attacks and the number of organisations and people affected by it.
Cyber security firm ESET noted that the malware that affected the Kiev station is a variant of the infamous Petya ransomware, which NotPetya – also known as ExPetya – was also derived from.
ESET’s research and that of cyber security firm Kaspersky also uncovered that the malware has been spread through a fake Adobe Flash Player Installer hidden on booby-trapped legitimate websites.
The problems with Bad Rabbit is that is was not detected by a lost of anti-virus and security software as malicious.
And according to Christiaan Beek, lead scientist at McAfee, noted Bad Rabbit encrypts a variety of common files, such as .doc and .jpg files.
— Christiaan Beek (@ChristiaanBeek) October 24, 2017
So far the Bad Rabbit campaign does not appear to be as widespread as the WannaCry and NotPetya campaigns.
“According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany,” said Vyacheslav Zakorzhevsky, head of the anti-malware research team at Kaspersky Lab.
“This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. However we cannot confirm it is related to ExPetr. We continue our investigation.”
With this in mind it would appear there is more research needed before the extend of the Bad Rabbit spread, its source and its targets can be identified with some certainty.