New wave of data-encrypting malware hits Russia and Ukraine

A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations, and airports, according to multiple security companies Tuesday. Bad Rabbit, as the outbreak is being dubbed, is primarily attacking targets in Russia, but it is also infecting computers in Ukraine, Turkey, and Germany, researchers from Moscow-based Kaspersky Lab said. The antivirus provider reported that the malware is using hacked Russian media websites to infect devices. It appears to target corporate networks by using methods similar to those used in a June data-wiping attack dubbed "NotPetya," which shut down computers around the world.

Russia's Interfax news agency reported on Twitter that a hacker attack has taken out its servers and forced it to rely on its Facebook account for the time being. Russian forensics firm Group IB said Bad Rabbit has infected two other Russian media outlets besides Interfax. In nearby Ukraine, computer systems for the Kiev Metro, Odessa airport, and Ukrainian ministries of infrastructure and finance have also been affected, according to a blog post published Tuesday morning by antivirus provider Eset. Meanwhile, the Ukrainian computer emergency agency CERT-UA also posted an advisory on Tuesday morning reporting a series of cyberattacks, without specifically naming the malware used in those attacks.

Preliminary analysis indicates the malware is professionally developed and incorporates a variety of advanced measures designed to allow it to rapidly infect large government and corporate networks. Security researcher Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets' hard drives. He went on to say that it relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers' hard drives known as the master boot record. Eset said the malware also uses the Mimikatz credential-dumping tool to extract credentials from the affected systems.

In at least some of the cases, Bad Rabbit uses fake Adobe Flash updates to trick targets into compromising their computers. Beaumont also noticed that Bad Rabbit makes references to the popular fantasy drama series Game of Thrones, naming two scheduled tasks after dragons Drogon and Rhaegal and throwing in a reference to the character GrayWorm.
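The two indicators the article does give, scheduled tasks named after the dragons Drogon and Rhaegal and the use of DiskCryptor, are enough to build a simple hunting check. The following is an added example written for this page, not code from the article or from any of the researchers it quotes: it scans constructed log lines in a made-up "key=value" format standing in for Windows scheduled-task-creation events (event ID 4698), flags task names from the article, flags commands referencing DiskCryptor or a "flash" update as a heuristic (an assumption of this example), and then correlates the same task name across hosts, since a task that appears on several machines in one sweep is the footprint of the credential-based lateral movement Beaumont describes. The hostnames, paths, and file names in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Task names reported in the article as used by Bad Rabbit.
SUSPECT_TASK_NAMES = {"drogon", "rhaegal"}

# Heuristic added by this example (not from the article): commands that
# reference DiskCryptor (binary/driver names "dcrypt", "diskcryptor") or a
# "flash" update executable are worth a second look.
SUSPECT_CMD_PATTERN = re.compile(r"(diskcryptor|dcrypt|flash)", re.IGNORECASE)

# Constructed log format for this example:
#   host=<hostname> event=<windows event id> task=<task name> cmd=<command line>
LOG_LINE = re.compile(r"host=(\S+)\s+event=(\d+)\s+task=(\S+)\s+cmd=(.*)")

# Windows Security event "A scheduled task was created".
TASK_CREATED_EVENT = "4698"


@dataclass
class Finding:
    host: str
    task: str
    reason: str


def check_line(line: str):
    """Return a Finding for a suspicious task-creation line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    host, event, task, cmd = m.groups()
    if event != TASK_CREATED_EVENT:
        return None  # only task creation matters here, not deletion/update
    if task.lower() in SUSPECT_TASK_NAMES:
        return Finding(host, task, f"task name '{task}' matches Bad Rabbit indicator")
    if SUSPECT_CMD_PATTERN.search(cmd):
        return Finding(host, task, "command references DiskCryptor or a Flash update")
    return None


def scan(lines):
    """Run check_line over every line and keep the findings."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


def hosts_by_task(findings):
    """Map lower-cased task name -> sorted list of hosts it was created on."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.task.lower(), set()).add(f.host)
    return {task: sorted(hosts) for task, hosts in grouped.items()}


def lateral_spread(findings, min_hosts=2):
    """Task names seen on at least min_hosts hosts: a sign of worm-like spread."""
    return sorted(t for t, h in hosts_by_task(findings).items() if len(h) >= min_hosts)


# Constructed sample log (hostnames, paths, and file names are made up).
SAMPLE_LOG = [
    r"host=ws-01 event=4698 task=drogon cmd=C:\Windows\Temp\a.exe /run",
    r"host=ws-01 event=4698 task=rhaegal cmd=C:\Windows\Temp\b.exe /run",
    r"host=fs-02 event=4698 task=drogon cmd=C:\Windows\Temp\a.exe /run",
    r"host=ws-03 event=4698 task=NightlyBackup cmd=C:\Tools\backup.exe --full",
    r"host=ws-04 event=4699 task=drogon cmd=C:\Windows\Temp\a.exe /run",
    r"host=ws-05 event=4698 task=Update cmd=C:\Users\u\Downloads\install_flash_player.exe",
    "this line is not in the expected format and is ignored",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.host}: {f.reason}")
    print("tasks seen on multiple hosts:", lateral_spread(found))
```

The event ID filter matters: the ws-04 line is a task deletion (4699) and is ignored, so the check does not fire on cleanup activity. In a real hunt the same two functions would be fed parsed 4698 events from a SIEM rather than this constructed format.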