Cyber Incident Victim: Fontanka
Date: Oct 2017
Location: Russia
Summary
A ransomware attack dubbed Bad Rabbit targeted Russian media outlets including Fontanka and Ukrainian transportation infrastructure, spreading via compromised websites that served a fake Adobe Flash update, which encrypted files and demanded payment. The malware primarily affected organizations in Russia and Ukraine, with additional infections detected in Turkey, Germany, Japan, Bulgaria, the U.S., South Korea, and Poland. Cybersecurity researchers identified technical similarities to the earlier NotPetya attack, though Bad Rabbit did not utilize the EternalBlue exploit, instead propagating through network credential theft and shared folder scanning. The attack code contained references to "Game of Thrones" characters, and the campaign diminished as attacker servers went offline and the compromised websites removed the infection vectors.
Description
On October 24, 2017, the Bad Rabbit ransomware attack disrupted operations across multiple countries, primarily targeting Russian media organizations and Ukrainian critical infrastructure. The ransomware propagated through compromised news and media websites by disguising itself as a fraudulent Adobe Flash installer update. Upon execution, it encrypted files on infected systems and demanded a ransom payment in Bitcoin, though cybersecurity authorities and experts universally advised against compliance due to uncertain recovery outcomes. Russian media outlets Interfax and Fontanka experienced server outages attributed to the attack, with Interfax confirming a cyberattack caused its disruption. Ukrainian entities impacted included Odessa International Airport, the Kyiv Metro, and the Ministry of Infrastructure. While the majority of infections occurred in Russia and Ukraine, additional cases were detected in Turkey, Germany, Japan, Bulgaria, the United States, South Korea, and Poland. The U.S. Computer Emergency Readiness Team (CERT) issued an alert confirming global infections but noted the attack’s scale was smaller than the NotPetya ransomware incident earlier that year, which had caused hundreds of millions in damages.

Technical analysis by cybersecurity firms revealed operational links between Bad Rabbit and NotPetya. Group-IB and Kaspersky Lab identified code similarities and noted both attacks exploited corporate networks through comparable intrusion methods, though Bad Rabbit did not utilize the EternalBlue Windows vulnerability leveraged by NotPetya and WannaCry. Kaspersky’s Global Research Team confirmed the attack originated from an "elaborate network of hacked websites" distributing the malicious installer. Once active on a system, Bad Rabbit scanned networks for shared folders, attempted credential theft, and spread laterally. ESET and Avast tracked the ransomware’s geographic spread, while Cybereason developed a preventive "vaccine" to block infections. The attackers embedded references to "Game of Thrones" characters within the ransomware code. By late October, researchers observed the campaign declining as command servers went offline and compromised websites removed the malicious scripts. Malware analyst James Emery-Callcott noted the diminishing activity, emphasizing the prevalence of fake Flash updates as a malware distribution tactic. Detection capabilities for Bad Rabbit were available in multiple antivirus products, including Microsoft’s Windows Defender.
