After reports on Wednesday that a new ransomware, called BadRabbit, was attacking computers in Eastern Europe by encrypting files and demanding a ransom in Bitcoin, it looks like the hackers have decided to shut down the attack, a new report says. The cyber-attack was feared to spread globally much like the recent Petya ransomware attack.
Researchers at security firms FireEye, ESET, Kaspersky, McAfee, and Avira who have been tracking the ransomware told Motherboard that the servers used by the hackers to infect systems with the malware are now down. The malware was delivered by these servers after the victim unwittingly installed a fake Flash update while visiting a compromised site.
Nick Carr, a researcher at FireEye, told Motherboard via email that the security firm blocked infections until around 15:00:00 UTC (8:30pm IST) on Tuesday “when the infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com and monitored sites containing the rogue code – were taken offline.” Avira, Symantec and other security firms also confirmed that the server used in the attack had stopped after a few hours.
While this may sound like the ransomware has been stopped, it may not be the real picture. ESET’s Robert Lipovsky told The Wired earlier that the Flash method may just be a “smoke screen” and that there may be a more “devious” trick being used to infect systems. Craig Williams, a research manager at Talos, also believes that the malware is still spreading slowly, “attempting to propagate from other infected sites.”
BadRabbit has been linked to the Petya ransomware, which attacked computers globally earlier this year. ESET found that the malware used for the cyber-attack was Diskcoder.D – a variant of the Petya ransomware. Like Petya, Diskcoder.D extracts credentials from affected systems using the Mimikatz tool. Based on the message seen by victims of BadRabbit, the attackers demanded 0.05 Bitcoin, which translates roughly to about Rs 18,000. The attack hit corporate computers, several Russian media outlets, Ukraine’s Odessa airport and the Kiev subway.
As per the new report, it looks like the ransomware is limited and there haven’t been any new developments as of now to suggest that the attack is still spreading. While the servers may be down for now, it is still possible for the attackers to reactivate them at any time, ESET’s M. Leveille tells Motherboard.