‘Servers used for BadRabbit ransomware attack are already offline’


The servers used in the distribution of the BadRabbit malware have since been taken offline, according to several security companies. The ransomware emerged on Tuesday evening and mainly affected organizations in Russia and Ukraine.

Previously, various analyses showed that the ransomware was spread through drive-by downloads, where visitors to compromised sites were presented with a fake Flash update. This happened, for example, on news websites. The servers used to deliver the malicious update went offline after a few hours, security companies told Motherboard. It is unclear who is responsible for taking the servers down. Symantec has released statistics showing a spike in infections in the first two hours of the attacks.

Statistics on the number of infections per hour, according to Symantec

The US security company further reports that 86 percent of infection attempts took place in Russia, which is in line with previous reports. More than 80 percent of infection attempts involved systems owned by companies, not consumers. On Wednesday, security firm Malwarebytes wrote that the group behind BadRabbit may also have been responsible for NotPetya. More companies in the sector have now come to that conclusion. Researcher Bart Parys also writes that the attack may have been a smokescreen to cover up another attack.

ESET published an analysis after the NotPetya attacks in which it attributed the malware to a group it calls TeleBots. That group has been targeting organizations in Ukraine for some time now. Another company, RiskIQ, has also published an analysis of BadRabbit, detailing the infrastructure used in the recent attack. It reports that part of that infrastructure was already online at the beginning of last year. Kaspersky researcher Costin Raiu came to the same conclusion. RiskIQ also mentions the possibility that the infrastructure was originally built for a campaign other than BadRabbit.
