Cyber Incident Victim: Odesa International Airport
Date: Oct 2017
Location: Ukraine
Summary
A ransomware attack dubbed Bad Rabbit targeted Ukrainian transportation systems, including Odesa International Airport, alongside Kyiv's subway and the Ministry of Infrastructure, disrupting operations. The malware spread through compromised news and media websites by disguising itself as a fraudulent Adobe Flash installer, encrypting files and demanding payment for decryption. Cybersecurity firms identified similarities in code and attack methods to the earlier NotPetya incident, noting the use of shared network folders and stolen credentials for lateral movement. While primarily affecting Russian and Ukrainian entities, the ransomware also infected systems in Turkey, Germany, Japan, and the U.S. Researchers observed the attackers' infrastructure becoming inactive shortly after the outbreak, though the incident highlighted the ongoing risk posed by fake software update campaigns.
Description
The Bad Rabbit ransomware attack emerged on October 24, 2017, initially targeting Russian media outlets and Ukrainian critical infrastructure before spreading internationally. The malware disguised itself as a fraudulent Adobe Flash update distributed through compromised news and media websites. Upon infection, it encrypted files on victims' computers and demanded payment for decryption; cybersecurity authorities advised against paying because recovery of the files could not be assured. Early confirmed targets included the Russian media organizations Interfax and Fontanka, alongside Ukrainian transportation systems, specifically Odesa International Airport, Kyiv's subway network, and the Ministry of Infrastructure of Ukraine. Interfax publicly acknowledged server disruptions caused by the attack. The U.S. Computer Emergency Readiness Team issued a global alert after receiving multiple infection reports, while cybersecurity firms documented cases across Turkey, Germany, Japan, Bulgaria, South Korea, Poland, and the United States. Initial assessments indicated a smaller impact than June 2017's NotPetya ransomware outbreak, which had caused hundreds of millions of dollars in damages across Ukraine and multinational corporations.

Technical analysis revealed operational links between Bad Rabbit and NotPetya, with Kaspersky Lab researchers identifying shared infection methodologies targeting corporate networks and an "elaborate network of hacked websites" for distribution. Group-IB confirmed code-level similarities between the two ransomware strains. Unlike NotPetya and WannaCry, Bad Rabbit did not exploit the EternalBlue Windows vulnerability but instead propagated through malicious Flash update prompts and subsequent network credential theft. The ransomware scanned infected machines for shared network folders and attempted lateral movement using stolen credentials. Cybersecurity vendors including ESET and Avast tracked the malware's geographic spread, while Windows Defender and other antivirus tools incorporated detection signatures. Cybereason researchers developed a preventive "vaccine" to block infections. The attack contained references to "Game of Thrones" characters within its code, though attribution remained unconfirmed. By late October 2017, security researchers observed the campaign's decline as attacker servers went offline and compromised websites removed the malicious scripts. Infrastructure restoration efforts proceeded at affected entities including Odesa Airport, though specific recovery timelines were not disclosed in public reports.
