Cyber Incident Victim: Kyiv Metro
Date: Oct 2017
Location: Ukraine
Summary
A ransomware attack dubbed Bad Rabbit targeted Ukrainian transportation infrastructure, including the Kyiv Metro, alongside Russian media outlets and other entities. It spread through compromised websites that served the malware as a fake Adobe Flash update. The malware encrypted files and demanded payment, disrupting operations at transportation hubs and media organizations. Cybersecurity researchers identified links to the earlier NotPetya attack through similar network infiltration methods and code overlaps, though Bad Rabbit did not use the EternalBlue exploit. Infections were reported across multiple countries, with most victims in Russia and Ukraine, alongside cases detected in Turkey, Germany, Japan, Bulgaria, the U.S., South Korea, and Poland. The campaign diminished after the compromised websites were remediated and the attackers' server became inactive.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Bad Rabbit ransomware attack emerged on October 24, 2017, initially targeting Russian media outlets Interfax and Fontanka before spreading to Ukrainian critical infrastructure. The malware infiltrated systems by disguising itself as a fraudulent Adobe Flash installer distributed through compromised news and media websites. Upon execution, Bad Rabbit encrypted files on infected machines, demanding a ransom payment of 0.05 bitcoin (approximately $280 at the time) to restore access. Ukrainian transportation networks suffered significant disruptions, with Kyiv Metro operations, Odessa International Airport, and the Ministry of Infrastructure of Ukraine all confirming system compromises. The ransomware propagated through corporate networks by scanning for shared folders with common names and exploiting stolen user credentials to move laterally across systems. Security researchers from Group-IB and Kaspersky Lab identified technical overlaps with June 2017's NotPetya attack, including similar network targeting methods and code structure, though Bad Rabbit notably did not utilize the EternalBlue Windows vulnerability exploited by both NotPetya and WannaCry.
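As an added example that is not part of this incident record, the following Python script flags the propagation pattern the description attributes to Bad Rabbit from a defender's side: one machine using a single credential to reach common-name shares on many other machines within a short window. The SMB-session log format, the share-name list, the host and user names, and the window and host-count thresholds are all assumptions constructed for the example.

```python
"""Added example (not code from the incident record or from any vendor):
flag sources that touch common-name shares on many hosts with one credential
in a short window, the pattern described for Bad Rabbit's lateral movement.
Log format, share list, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Share names a worm-style propagation stage typically probes (assumed list).
COMMON_SHARES = {"admin$", "c$", "ipc$", "share", "shared", "public", "users"}

# Constructed SMB-session log lines: "<iso time> <src> <dst> <user> <share>".
# WS-017 is normal file-server use; WS-009 is an admin touching C$ on a few
# machines over hours; WS-042 sweeps ADMIN$/IPC$ on five hosts in seconds.
SAMPLE_LOG = """\
2017-10-24T11:02:01 WS-017 FS-01 jdoe projects
2017-10-24T11:02:04 WS-017 FS-02 jdoe projects
2017-10-24T09:00:00 WS-009 WS-101 itadmin C$
2017-10-24T10:30:00 WS-009 WS-102 itadmin C$
2017-10-24T12:00:00 WS-009 WS-103 itadmin C$
2017-10-24T13:30:00 WS-009 WS-104 itadmin C$
2017-10-24T11:10:00 WS-042 WS-001 svc_backup ADMIN$
2017-10-24T11:10:01 WS-042 WS-002 svc_backup ADMIN$
2017-10-24T11:10:01 WS-042 WS-003 svc_backup IPC$
2017-10-24T11:10:02 WS-042 WS-004 svc_backup ADMIN$
2017-10-24T11:10:03 WS-042 WS-005 svc_backup ADMIN$
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, user, share_lowercased)."""
    ts, src, dst, user, share = line.split()
    return datetime.fromisoformat(ts), src, dst, user, share.lower()


def find_share_scanners(log_text, window=timedelta(minutes=5), min_hosts=4):
    """Return {(src, user): sorted dst hosts} for every (source, credential)
    pair that reaches common-name shares on at least `min_hosts` distinct
    machines inside any `window`-long span. Hosts reported are the union of
    all windows that crossed the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, share = parse_line(line)
        if share in COMMON_SHARES:
            events[(src, user)].append((ts, dst))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        hit = set()
        start = 0
        # Sliding window over time-ordered events for this (src, user).
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hit |= hosts
        if hit:
            findings[key] = sorted(hit)
    return findings


if __name__ == "__main__":
    for (src, user), hosts in find_share_scanners(SAMPLE_LOG).items():
        print(f"{src} as {user} swept common shares on {len(hosts)} hosts: "
              + ", ".join(hosts))
```

The window and host-count thresholds are the tuning knobs: the admin on WS-009 touches the same share name on four machines but spread over hours, so it stays below the bar, while the burst from WS-042 crosses it. In practice the same logic runs over Windows security event logs (logon and share-access events) or SMB session records from a network sensor rather than the constructed lines above.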

The attack exhibited international reach beyond Russia and Ukraine, with ESET and Avast detecting infections in Turkey, Germany, Japan, Bulgaria, South Korea, Poland, and the United States. U.S. CERT issued a global alert after receiving multiple infection reports. While the ransom note included payment instructions, cybersecurity agencies universally advised against compliance. Researchers observed that the attackers had embedded Game of Thrones character references such as "Grey Worm" within the ransomware code. Defensive measures included Windows Defender updates and a preventive "vaccine" discovered by Cybereason that blocked infection by creating a specific dummy file in advance. By late October 2017, the campaign showed signs of decline as hosting servers went offline and compromised websites removed the malicious Flash update prompts. Malware researcher James Emery-Callcott noted that the diminishing infection rate coincided with takedowns of the attacker-controlled infrastructure. The incident highlighted ransomware's continued evolution toward disruptive critical infrastructure targeting while employing social engineering through fake software updates.
