NotPetya hackers likely behind BadRabbit

Hackers responsible for a crippling cyber attack on businesses in Ukraine and around the world in June were probably behind a smaller-scale attack on Russia and other countries this week, a new report suggests.

Attacks using malware called BadRabbit hit Russia and other nations on Tuesday, taking down Russia's Interfax news agency and causing flight delays at Ukraine's Odessa airport.

BadRabbit came on the heels of attacks in May and June that used similar malware and resulted in what some economists estimated are billions of dollars in losses.

"It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on October 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017," Russia-based cyber security firm Group-IB said on Thursday.

"Research revealed that the BadRabbit code was compiled from NotPetya sources."

Investigators caution that attributing cyber attacks is a slippery business and it remains possible that copycats are using the older group's tools.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was linked to a group of suspected Russian hackers known as BlackEnergy who have carried out a sustained campaign against Ukraine's energy industry since at least December 2015.

Most of BadRabbit's victims were in Russia, followed by Ukraine, Bulgaria, Turkey and Japan, according to cyber firm ESET.

Group-IB also said BadRabbit operated as genuine ransomware, encrypting files and charging its victims a fee to have them released. That is in contrast to NotPetya, which also made ransom demands but made infected files impossible to recover.

Using a proper ransomware virus may have been part of an attempt by the BadRabbit culprits to disguise themselves as cyber criminals, Group-IB said, providing a "smokescreen" for a possible state-sponsored attack.