Bad Rabbit: Game of Thrones-Referencing Ransomware Bites Europe

A major ransomware attack is hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions [of dollars] of damage in June.

The self-titled "Bad Rabbit" malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin [about $330] for the decryption key. The ransom demand is phrased similarly to that of June's outbreak, and researchers at Russian security firm Kaspersky say that the malware uses "methods similar to those used" during the NotPetya attack.

Among the affected organizations are Kiev's metro system, Russian media organization Interfax and Odessa airport. Interfax was forced to publish to its Facebook page during the outage, since its servers were taken offline for a number of hours.

Unusually, the malware's code is peppered with pop culture references, including the names of two dragons from Game of Thrones and the character Gray Worm, which are used as names for scheduled tasks. A list of passwords that the malware tries while attempting to spread also includes "love," "sex," "god" and "secret," which were dubbed the "four most common passwords" by the 1995 movie Hackers. In fact, the four most common passwords are 123456, 123456789, qwerty, and 12345678.

"Our observations suggest that this has been a targeted attack against corporate networks," Kaspersky's researchers said, again suggesting a link between this outbreak and June's. The NotPetya outbreak began through the release of a compromised version of a popular Ukrainian accounting program, spreading automatically throughout corporate networks.

The strongest link between the two attacks is based on the web servers which were used to distribute the initial software. Kaspersky researcher Costin Raiu told Forbes magazine that a network of hacked sites initially linked to NotPetya in July was now being used to host secondary distribution channels for Bad Rabbit.

But the two attacks contain a number of notable differences, as well. Where...
