Yesterday’s ransomware turned out to be an expanded and modified NotPetya

The Trojan that tried to attack Russian banks and infected the computers of a number of Ukrainian organizations and Russian media outlets has been named BadRabbit. Specialists at Group-IB, who analyzed it, pointed out that the new ransomware is nothing other than an improved version of the good old “Petya” that raged last spring. The cyber security experts were able to trace the domain name from which the virus began to spread. It is likely that the attackers can be tracked down.

“The investigation showed that the malware was distributed from the resource 1dnscontrol.com. Domain name 1dnscontrol.com, IP 5.61.37.209,” the message released by Group-IB states.

Group-IB employees explain that BadRabbit is an improved and modified version of the NotPetya virus, in whose code the encryption algorithms were fixed and a number of innovations were added. However, the new virus still contains pieces of code similar to those found earlier in NotPetya.

Group-IB CEO Ilya Sachkov told Radio Sputnik that the existing lead will make it possible to find the attackers, but he does not rule out that such attacks may be repeated in the future. The tools for creating similar viruses are available, which means that almost anyone can improve and deploy them.

Once on a computer, the ransomware encrypts all data stored on the hard disk, blocks the user's access to the PC and begins to extort a payment of 0.05 bitcoin (around $300 at the current exchange rate) for unlocking it.

“There is a high probability of understanding where the physical hands and feet of this attack are coming from. You can determine who made the attack. The domain name was registered back in 2016, someone pays for it, and it involves a few other malicious domains. The people who created them have been operating since 2011. That is, in our opinion, a quite clear criminal group. It is not a fact that it is connected with this attack, but it was engaged in, among other things, spam and phishing. Unlike the previous attacks, we already have a footprint and logic that will allow law enforcement agencies to conduct search operations and detain those who did it,” RIA Novosti quotes Ilya Sachkov as saying.

Among the first victims of the new ransomware were the Kiev metro, Odessa airport and a number of Russian media outlets, including Interfax and “Fontanka”.

Vyacheslav Larionov