Cyber Incident Victim: Interfax
Date: Oct 2017
Location: Russia
Summary
The Bad Rabbit ransomware attack spread via compromised websites that served a fake Adobe Flash update, primarily hitting Russian media organizations including Interfax and Ukrainian transportation systems such as Odessa's airport and the Kyiv Metro. The malware encrypted files and demanded payment, with infections reported in Russia, Ukraine, Turkey, Germany, Japan, Bulgaria, the U.S., South Korea, and Poland. Cybersecurity firms identified similarities in code and in network propagation methods to the earlier NotPetya attack, although Bad Rabbit did not use the EternalBlue exploit. The ransomware contained references to "Game of Thrones" characters, and the campaign subsided as the attackers' servers went offline and the compromised websites removed the injected scripts.
Description
On October 24, 2017, the Bad Rabbit ransomware attack targeted organizations primarily in Russia and Ukraine before spreading to additional countries including the United States, Germany, Turkey, Japan, Bulgaria, South Korea, and Poland. The ransomware was delivered as a fake Adobe Flash installer offered by scripts injected into compromised news and media websites; the victim had to download and run the installer, so the initial infection depended on the user, not on a browser exploit. Once running, it encrypted files on the victim’s system and demanded payment in Bitcoin for decryption, although security authorities advised against paying because recovery was uncertain. Russian news agency Interfax confirmed its servers were disrupted by the attack, alongside Russian media outlet Fontanka and multiple Ukrainian critical infrastructure entities including Odessa International Airport, the Kyiv Metro, and Ukraine’s Ministry of Infrastructure. The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert about the global infections. Initial analysis by ESET and Avast found that the ransomware propagated by scanning the local network for SMB shares and authenticating to them with a hardcoded list of common usernames and passwords together with credentials harvested from the infected host, so a single weak or reused local administrator password was enough to carry it across a corporate network. It did not use the EternalBlue Windows exploit seen in the earlier WannaCry and NotPetya outbreaks, though later analysis by Cisco Talos found that it did use the related EternalRomance SMB exploit for lateral movement.
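The propagation behaviour described above (one source host trying a short credential list against many neighbours over SMB and then opening their administrative shares) is something a SOC can hunt for in Windows Security logs. The following is an added example, not code from the original page or from any of the vendors it cites: it runs a fan-out detection over a constructed, simplified list of logon events (event IDs 4624, 4625 and 5140, logon type 3). The event field layout, the IP addresses, host names and thresholds are all assumptions made for this illustration.

```python
"""Flag hosts that fan out across the network with credential-guessed share logons.

Added example, not from the original page. Input is a constructed, simplified
representation of Windows Security events; the tuple layout and threshold
values are assumptions for this illustration, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
# Tuple layout: (timestamp, event_id, logon_type, src_ip, target_host, user, share)
# 10.0.0.5 behaves like a worm: failed logons then success on several hosts,
# followed by ADMIN$/C$ access. 10.0.0.9 is a normal workstation.
SAMPLE_EVENTS = [
    ("2017-10-24 11:00:01", 4625, 3, "10.0.0.5", "HOST-A", "Administrator", ""),
    ("2017-10-24 11:00:02", 4625, 3, "10.0.0.5", "HOST-A", "Administrator", ""),
    ("2017-10-24 11:00:03", 4624, 3, "10.0.0.5", "HOST-A", "Administrator", ""),
    ("2017-10-24 11:00:04", 5140, 3, "10.0.0.5", "HOST-A", "Administrator", "\\\\*\\ADMIN$"),
    ("2017-10-24 11:00:20", 4625, 3, "10.0.0.5", "HOST-B", "Administrator", ""),
    ("2017-10-24 11:00:21", 4624, 3, "10.0.0.5", "HOST-B", "Administrator", ""),
    ("2017-10-24 11:00:22", 5140, 3, "10.0.0.5", "HOST-B", "Administrator", "\\\\*\\ADMIN$"),
    ("2017-10-24 11:00:40", 4625, 3, "10.0.0.5", "HOST-C", "admin", ""),
    ("2017-10-24 11:00:41", 4624, 3, "10.0.0.5", "HOST-C", "admin", ""),
    ("2017-10-24 11:00:42", 5140, 3, "10.0.0.5", "HOST-C", "admin", "\\\\*\\C$"),
    # benign: one workstation reaching one file server, no failures
    ("2017-10-24 11:01:00", 4624, 3, "10.0.0.9", "FILESRV", "jdoe", ""),
    ("2017-10-24 11:01:01", 5140, 3, "10.0.0.9", "FILESRV", "jdoe", "\\\\*\\Public"),
    # benign: same workstation, a different server much later (outside the window)
    ("2017-10-24 12:30:00", 4624, 3, "10.0.0.9", "PRINTSRV", "jdoe", ""),
]

# Administrative shares a worm needs in order to drop and execute its payload remotely.
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for windowing."""
    return [
        {
            "ts": datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S"),
            "event_id": r[1],
            "logon_type": r[2],
            "src": r[3],
            "host": r[4],
            "user": r[5],
            "share": r[6],
        }
        for r in rows
    ]


def detect_lateral_fan_out(events, window=timedelta(minutes=5),
                           min_hosts=3, min_failed_hosts=2):
    """Return {src_ip: details} for sources that, inside one time window,
    fail network logons against >= min_failed_hosts distinct hosts AND
    succeed against >= min_hosts distinct hosts. The combination (guessing
    followed by success on many machines) is the credential-list spreading
    pattern; a single user hitting one file server never trips it."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 3:  # network logons only (SMB, WMI)
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            ok_hosts, failed_hosts, admin_hosts = set(), set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["event_id"] == 4624:
                    ok_hosts.add(e["host"])
                elif e["event_id"] == 4625:
                    failed_hosts.add(e["host"])
                elif e["event_id"] == 5140 and \
                        e["share"].rsplit("\\", 1)[-1].upper() in ADMIN_SHARES:
                    admin_hosts.add(e["host"])
            if len(ok_hosts) >= min_hosts and len(failed_hosts) >= min_failed_hosts:
                alerts[src] = {
                    "window_start": start["ts"],
                    "hosts": sorted(ok_hosts),
                    "failed_hosts": sorted(failed_hosts),
                    "admin_share_hosts": sorted(admin_hosts),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_lateral_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: logged on to {info['hosts']} after failures on "
              f"{info['failed_hosts']}; admin shares on {info['admin_share_hosts']}")
```

The admin-share set is reported rather than required, because a host that merely authenticates to many neighbours may be a legitimate scanner or backup server; a source that also opens ADMIN$ or C$ on each of them within the same minutes is what turns the alert into an incident. In a real deployment the thresholds should be tuned against a baseline of the environment's normal service-account behaviour.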

Cybersecurity researchers from Kaspersky Lab and Group-IB identified technical and operational overlaps between Bad Rabbit and the earlier NotPetya attack, including similarities in code structure and the use of compromised websites to reach corporate networks. The attack’s infrastructure relied on a network of hacked domains that hosted the injected redirect scripts and the malicious payload. While the scale of disruption was smaller than NotPetya’s June 2017 outbreak, which caused hundreds of millions of dollars in damages, Bad Rabbit showed that the tactics were still evolving. Antivirus vendors, including Microsoft for Windows Defender, updated their detection signatures, and Cybereason published a preventive “vaccine” that works by pre-creating, as read-only, the files the dropper needs to write in the Windows directory (infpub.dat and cscc.dat), so the payload cannot be installed. By late October 2017, researchers observed the attackers’ command-and-control servers going offline, and most compromised websites had removed the malicious scripts. Infection rates fell with the campaign’s decline, but the incident underscored the persistent threat from fake software update lures, which no patch level protects against if users will run an unsigned installer from an arbitrary site. Code analysis revealed references to “Game of Thrones” characters, but no attribution to a specific threat actor was confirmed.
