Cyber Incident Victim: Ministry of Infrastructure of Ukraine
Date:
Oct 2017
Location:
Ukraine
Summary
A ransomware campaign dubbed Bad Rabbit hit Ukrainian transportation systems, including the Ministry of Infrastructure, Odessa International Airport, and the Kyiv Metro, alongside Russian media companies. The malware was delivered through compromised news websites as a fake Adobe Flash Player update; once run, it encrypted files, installed a disk encryptor, and demanded a Bitcoin ransom. Researchers identified code and infrastructure overlaps with the earlier NotPetya attack, although Bad Rabbit did not use the EternalBlue exploit and relied mainly on harvested and guessed credentials to move laterally. Infections were also recorded in Turkey, Germany, Japan, and the United States. The campaign subsided as the attackers' servers went offline and compromised sites removed the malicious scripts.
Description
On October 24, 2017, a ransomware campaign dubbed "Bad Rabbit" infected computer systems across multiple countries, with initial impacts concentrated in Russia and Ukraine. The attack propagated through compromised news and media websites that displayed fake Adobe Flash installer prompts, tricking users into downloading and manually running a malicious executable; no browser exploit was involved, so the infection depended on a user with sufficient privileges approving the installer. Upon infection, the ransomware encrypted files, then used the legitimate open-source DiskCryptor driver to encrypt the disk and replaced the bootloader with one that displayed the ransom note demanding payment in Bitcoin. Cybersecurity firms and government agencies advised victims against paying because recovery was uncertain. Primary targets included Russian media outlets Interfax and Fontanka, alongside Ukrainian critical infrastructure entities: Odessa International Airport, the Kyiv Metro system, and the Ministry of Infrastructure of Ukraine. Interfax confirmed server disruptions from the attack, while Ukrainian transportation services experienced operational disruptions. The U.S. Computer Emergency Readiness Team (US-CERT) issued alerts regarding global infections, with additional cases detected in Turkey, Germany, Japan, Bulgaria, South Korea, Poland, and the United States. For lateral movement, Bad Rabbit scanned the local network for SMB shares with common names and authenticated to them using credentials harvested from the infected host with an embedded Mimikatz-style tool plus a hardcoded list of common username and password pairs, then launched itself remotely via WMI and scheduled tasks. Researchers noted that the ransomware did not use EternalBlue, the Windows SMB vulnerability exploited in the earlier WannaCry and NotPetya attacks, relying instead on credential-based propagation; later analysis by Cisco Talos found that it also carried a modified EternalRomance SMB exploit, so patched hosts were better protected than the initial reports suggested, but credential hygiene remained the decisive control.

Cybersecurity firms Kaspersky Lab and Group-IB identified technical and methodological links between Bad Rabbit and the NotPetya ransomware that devastated Ukrainian systems in June 2017. Both campaigns used compromised Ukrainian websites in their infection chains and shared code, including a similar hashing routine, though Bad Rabbit's impact was less extensive, affecting fewer victims than NotPetya's global outbreak. The ransomware named its scheduled tasks after "Game of Thrones" dragons, suggesting the attackers' cultural interests, but no attribution to a specific threat actor was confirmed. Multiple antivirus solutions, including Windows Defender, detected and blocked the malware, while Cybereason researchers published a "vaccine": pre-creating the files the dropper writes into the Windows directory and stripping all permissions from them, so the dropper's write fails and the infection routine aborts. By late October 2017, the campaign diminished as the attackers' command-and-control servers went offline and compromised websites removed the malicious Flash update prompts. ESET and Avast telemetry confirmed declining infection rates, though the incident underscored the persistent risk of drive-by downloads from spoofed software updates. The Ministry of Infrastructure of Ukraine's involvement marked another instance of Ukrainian governmental entities being targeted in ransomware campaigns within a five-month period following NotPetya.
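The following PowerShell script is an added example, not code from the incident page or Cybereason's own release. It reproduces the logic of the published vaccine for the two file paths reported in public analyses of the sample (%SystemRoot%\infpub.dat for the main payload DLL and %SystemRoot%\cscc.dat for the DiskCryptor driver), verifies that the protection is in place, and adds a simple hunting check for the scheduled-task names the dropper registered. Function names are the author's own; the script assumes Windows 8/Server 2012 or later for Get-ScheduledTask and must run from an elevated session.

```powershell
# Added example: Bad Rabbit "vaccine" plus a local hunting check.
# Paths are the ones reported for the October 2017 sample; the dropper
# writes these files and the infection routine aborts when the write fails.
$VaccineFiles = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),
    (Join-Path $env:SystemRoot 'cscc.dat')
)

function Install-BadRabbitVaccine {
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Zero-byte placeholder occupying the path the dropper needs.
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # /inheritance:r drops every inherited ACE and leaves the DACL empty:
        # no principal (SYSTEM and Administrators included) can open the file
        # for write without first taking ownership and rewriting the ACL.
        & icacls.exe $path /inheritance:r | Out-Null
    }
}

function Test-BadRabbitVaccine {
    # $true only when both placeholders exist and carry an empty DACL.
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        if ((Get-Acl -LiteralPath $path).Access.Count -ne 0) { return $false }
    }
    return $true
}

function Find-BadRabbitArtifacts {
    # Hunting check: the dropper created scheduled tasks named after
    # Game of Thrones dragons (drogon, rhaegal, viserion) to reboot the host,
    # and a non-empty payload file at either vaccine path means the dropper,
    # not this script, wrote it.
    $hits = @()
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -match '^(drogon|rhaegal|viserion)' } |
        ForEach-Object { $hits += "ScheduledTask: $($_.TaskName)" }
    foreach ($path in $VaccineFiles) {
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path -Force).Length
            if ($len -gt 0) { $hits += "File: $path ($len bytes)" }
        }
    }
    return $hits
}

Install-BadRabbitVaccine
if (Test-BadRabbitVaccine) { 'Vaccine in place' } else { 'Vaccine check failed' }
Find-BadRabbitArtifacts
```

The empty-DACL trick works because the dropper simply fails its file write rather than taking ownership; it is an emergency containment measure for a specific sample, not a substitute for patching SMB, blocking unsigned installers, and removing local administrator rights from the users who would otherwise approve a fake Flash update. Any non-empty hit from Find-BadRabbitArtifacts should be treated as an active infection and the host isolated before it reboots.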
