Just four months ago, a massive ransomware attack known as NotPetya ripped through Ukraine, Russia, and some multinational companies, infecting thousands of networks and eventually causing hundreds of millions of dollars in damages. Now, an apparent aftershock of that attack is reverberating through the region, as a new variant of that code locks up hundreds of machines and handicaps infrastructure.

On Tuesday, the security community began tracking a new outbreak of ransomware tied to NotPetya's authors. Known as BadRabbit, the strain has infected hundreds of computers—mostly in Russia, but with some victims in Ukraine, Turkey, Bulgaria, and Germany—according to security firms including ESET and Kaspersky. For now, the outbreak remains only a small fraction of the size of the NotPetya epidemic. But it has nonetheless hit several Russian media outlets, including the newswire Interfax, according to the Russian security firm Group-IB, and also infected Ukraine's Odessa airport and Kiev subway system, partially paralyzing their IT systems and disabling the subway system's credit card payments, according to one Ukrainian government official.

"The dangerous aspect is the fact that it was able to infect many institutions which constitute critical infrastructure in such a short timeframe," says Robert Lipovsky, a malware researcher at ESET, "which indicates a well-coordinated attack."

Kaspersky also found strong evidence tying the new attack to the creators of NotPetya. After the June NotPetya outbreak, the company's analysts found that one Ukrainian news site, Bahmut.com.ua, had been hacked to deliver the malware, along with dozens of other sites that were similarly corrupted—but hadn't yet been activated to start infecting victims. Now Kaspersky has found that 30 of those hacked sites began to distribute the BadRabbit malware on Tuesday.

"This indicates that the actors behind ExPetr/NotPetya have been carefully planning the BadRabbit attack since July," writes Costin Raiu, the director of Kaspersky's global research and analysis team, in a note to WIRED.

While Kaspersky counts just under 200 victims among its users so far, roughly 50 or 60 computers in the Ukrainian government alone have been infected with the ransomware, according to Roman Boyarchuk, head of the Center for Cyber Protection within Ukraine's State Service for Special Communications and Information Protection. Possibly more devices are affected in Ukrainian private-sector networks. Given that ESET estimates that only 12.2 percent of victims are in Ukraine and 65 percent are in Russia, those numbers suggest several hundred infections in Russia.