Moscow-based Group-IB finds way to stop BadRabbit ransomware

Business & Economy October 25, 2017, 7:17

Group-IB director general Ilya Sachkov earlier told TASS that his company identified the domain name which was used as a starting point for the attack

MOSCOW, October 25. /TASS/. Group-IB, a Russian-based cybercrime prevention and investigation company, said on Tuesday night it had found a way to stop the BadRabbit ransomware that had attacked computers in Russia and Ukraine earlier in the day.

According to the Group-IB channel in Telegram, in order to prevent the virus from encrypting files, a user needs to create a read-only file C:\windows\infpub.dat.

"After that, even in case of contamination, the files will not be encrypted," the company said.

Group-IB director general Ilya Sachkov earlier told TASS that his company identified the domain name which was used as a starting point for the attack.

Sergei Nikitin, a Group-IB deputy head, said the attack was already over, although sporadic cases of BadRabbit attacks were still possible.

"Even the domain used to spread BadRabbit is not responding now," he said.

On Tuesday, the BadRabbit ransomware attacked Russian mass media outlets Interfax and Fontanka.ru, as well as the Odessa Airport, the Ukrainian Ministry of Infrastructure and the Kiev subway in Ukraine. Users of infected computers receive a notice that their files are encrypted. The virus suggests making payment on a website to get access to files.

The authors of the virus are yet to be determined. Group-IB said the investigation is still ongoing, but ruled out a targeted attack.

According to Group-IB, it could be created by the author of another ransomware, NotPetya. The company’s experts established that a part of the BadRabbit was similar to that of NotPetya.

"Those viruses apparently have the same author, or the author of BadRabbit is an imitator," the company told TASS.

At the same time, BadRabbit can not be described as a modification of NotPetya, because it used different mechanisms for encryption and spreading.

Read more on the site →