Tuesday's ransomware attack may go by the name BadRabbit, but it actually shares some computer code with the NotPetya outbreak from June.
Security researchers have been noticing the similarities, which suggest that both attacks may have the same creator.
"It looks like the authors tried to improve upon previous mistakes (with NotPetya) and finish unfinished business," wrote security firm Malwarebytes in a blog post.
On Tuesday, BadRabbit mainly struck computers in Russia and hit several media outlets including Interfax, which saw its servers fail. The attack also targeted some financial institutions in the country, according to Russia's central bank.
The ransomware spread through a fake Adobe Flash Player update found on over 20 hacked websites. Once it installed, it encrypted the computer's files and demanded a $280 ransom in bitcoin to release the system.
Fortunately, new attacks have stopped. "Once the infection became more widespread and security companies started to investigate, the attackers immediately removed the malicious code they had added to the hacked websites," according to security firm Kaspersky Lab.
The company also noticed the code similarities with BadRabbit and NotPetya, and said the two attacks share another important piece of overlap: they were both delivered by some of the same hacked website domains.
It appears the attackers behind #Badrabbit have been busy setting up their infection network on hacked sites since at least July 2017. pic.twitter.com/fV5U1FeVtR — Costin Raiu (@craiu) October 24, 2017
Among them include Bahmut.com.ua, a Ukrainian media site that was hijacked to deliver NotPetya back in June, and found spreading BadRabbit on Tuesday, according to tweets from Kaspersky Lab researcher Costin Raiu.
Security firm Intezer also did an analysis of Tuesday's attack. It found that some of the computer code in BadRabbit has only been seen in malware samples from NotPetya.
That's rare to find, according to Jay Rosenberg, an Intezer security researcher. The source code to NotPetya isn't open-source, so it would have taken a great deal of time and effort for anyone to replicate it, he said.
"Programmers often reuse code because it is time and cost effective," Rosenberg added.
However, the two attacks also have important differences.
Back in June, when the NotPetya outbreak first occurred, researchers found that it infected computers and demanded a $300 ransom in bitcoin. But in reality, NotPetya's encryption process actually corrupted the files on the system, preventing any recovery.
Recommended by Our Editors
BadRabbit, on the other hand, successfully encrypts a computer's files. That means victims willing to pay the ransom should be able to get their data back -- assuming the hacker sends over the decryption key.
Another curious difference between the two attacks have been their apparent targets. NotPetya mainly struck Ukraine, but eventually spread to 64 other countries including the U.S.
BadRabbit, however, has been far smaller in scale and largely hit Russia.
Security researchers are still trying to analyze Tuesday's attack for more clues. But pinpointing the real culprit behind the BadRabbit attack probably won't be easy.