Skip to main content

New 'Bad Rabbit' ransomware attack spreading across Europe

A new ransomware attack is now spreading across Europe in an outbreak that carries echoes of the WannaCry and Petya attacks that hit scores of PCs earlier in 2017. Called Bad Rabbit, the malware appears to have most strongly impacted Russian and Ukrainian organizations thus far, though similar attacks have been spotted in Turkey and Germany as well.

According to Kaspersky researchers (opens in new tab), Bad Rabbit has already infected a number of Russian media outlets, including the Interfax news agency and Odessa International Airport has also reported a cyberattack, but it's not immediately clear whether the two are related. According to ZDNet, the Kyiv Metro's payment systems also appear to be impacted.

Kaspersky explains that the ransomware appears to be targeting corporate networks in a manner similar to the Petya ransomware, but it isn't clear at this point whether Bad Rabbit is related to Petya. Meanwhile, ESET researchers claim to have identified the malware as Diskcoder.D, which is a variant of Petya.

Bad Rabbit message

Image: ESET

Once infected, victims of the Bad Rabbit attack are directed to a darknet website with a note that demands 0.05 bitcoin (currently around $280) as ransom. The website also features a timer counting down to when the price will increase. It's not yet clear, Kaspersky says, whether it's possible to recover the files encrypted by Bad Rabbit. However, Kaspersky says you can protect yourself by blocking execution of files "c: \ windows \ infpub.dat" and "C: \ Windows \ cscc.dat." If you are infected, experts advise against paying the ransom.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to

  • Is Win10 with defender safe this time?
  • I assume so but only if you have Controlled Folder Access enabled.
  • Not Good...Hope it stays in Europe only...
  • Well I live in Europe
  • Sorry...didn't mean it that way....meant to say it would be contained there.
  • and i hope it hits your house only idiot
  • Oh, relax! He's hoping it won't spread; how can you disagree with that?!?
  • I guess people who have the infection already? Misery loves company.
  • this is why it's important to back up your system and always have layers of security, Windows 10 defender isn't going to cut it alone, it needs a team of well-founded good AVs aka avast, Bitdefender and Comodo to help it as well as Malwarebytes, also it makes me wonder some people have really bad internet habits,  and so forth.
  • Yeah, no AV is going to always protect you of you decide you want to openly install and click on any site on the internet. You have to use some kind of reasoning when you are browsing and downloading. I would say however, that for you to need THAT many programs at once, you are frequenting some very poor choices for sites and should perhaps lay off the blacklist porn for a while. =P
  • and suddenly my system will slow to a crawl ... just back things up and surf smart. The age of anit-virus is dead. Most AVs fail horrible against only slightly altered viruses. The new paradigm is damage limitation
  • Always backup to external drives and unplug after the backup is complete. Ransomware can't infect a disconnected disk. Same applies if you backup to DVDs as they can't be written to again
  • "Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Our researchers have detected a number of compromised websites, all news or media sites" It's common sense to not run random installers from random websites. Stay safe, everyone.
  • What kind of corporate network allows individual users to download and run executable programs? Surely blocking that is corporate IT security 101.
  • Indeed! Baffling is hardly an adequate word...
  • I work for a big international IT company with centrally managed computers yet I can download and run any executable I wish. We are running a well known antivirus solution but I can turn it off if I wish to. I have almost full admin access. So go figure.
  • Sorry wrong post
  • Hmm. Yesterday my browser started to download some fishy Flash Player. Granted, I deleted it immediately (too fast internet to stop). Wonder if that was it. 
  • I couldn't shut off the computer tonight, so I just kill the power. I'm in Moscow.
  • Is there not a related kb fix for this
  • Vaccination found:
  • Is MacOS infected too? I'm confused with the first screenshot...
  • Windows Defender on Win10 FU detects this?