Severity scale: 99/100

Bad Rabbit ransomware virus. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli - Also known as DiskCoder.D | Type: Ransomware

Latest news from Bad Rabbit ransomware investigation: malware reached America; some files can be decrypted without paying the ransom

The screenshot of BadRabbit payment site

Bad Rabbit ransomware is a file-encrypting virus that emerged on the 24th of October 2017. The virus attacked over 200 major organizations, the majority of them in Russia and Ukraine. Other Eastern European countries, South Korea and Japan suffered from the ransomware as well. According to the latest research data, the malware hit some American users too.

Criminals behind the malware compromised many legitimate websites to deliver fake Adobe Flash Player updates (install_flash_player.exe), which the victim has to execute manually to activate the crypto-malware.

The virus uses the AES-256-CBC and RSA-2048 ciphers to lock the files, adds the .encrypted extension to their original filenames and creates a Readme.txt file on the Desktop. Finally, Bad Rabbit replaces the Master Boot Record (MBR) and restarts the computer.

Consequently, the victim loses access to the computer as it fails to boot and displays a threatening message on a black screen. The ransomware says “Oops! Your files have been encrypted!” and explains that the only possible data restoration method is paying a ransom to virus' authors.

The message provides a link to a .onion website (accessible via the Tor browser only) and leaves a “personal installation key” on the screen. The payment website presented by the virus states that the victim has to pay 0.05 bitcoin for data recovery (approximately $280).

Recent analysis of the virus shows that paying the ransom is not the only way to restore files after the ransomware attack. The virus does not delete Shadow Volume Copies, so third-party software might help to rescue at least some of the encrypted files. However, before trying alternative recovery methods, users are advised to remove Bad Rabbit malware from the device using Reimage or other malware removal software.

UPDATE. Researchers have already discovered a vaccine from Bad Rabbit, which prevents the ransomware from corrupting files even if the victim manages to execute the malicious file. Further details on how to create your own “vaccine” are provided on Esolutions blog.

Files encrypted by Bad Rabbit ransomware might be decrypted without paying the ransom

Kaspersky Labs reported[1] that there might be a chance to restore files after a Bad Rabbit attack without paying the ransom. The researchers found two mistakes in the ransomware’s code. The most significant discovery is that the malware does not delete Shadow Volume Copies after data encryption.

Therefore, victims of the ransomware might use third-party software to restore encrypted files. Keep in mind that these tools might not be capable of recovering all your files, but some of them will certainly be rescued. However, before trying various recovery programs, remove Bad Rabbit ransomware from the device.

Researchers have also found another flaw in the ransomware’s code that is related to the decryption passwords. It seems that the malware does not delete the generated password from memory until the victim reboots the computer. Researchers discovered that it might be possible to extract the decryption password from the dispci.exe file if the system was not rebooted after the ransomware attack.

Bad Rabbit is an upgraded version of the Petya/NotPetya virus

Bad Rabbit ransomware is believed to be a variant of NotPetya ransomware (also known as Petya/ExPetr/Petna), as it shares many technical similarities with the infamous crypto-virus. The ability to modify the Master Boot Record, the use of the AES and RSA encryption ciphers and a similar hashing algorithm are just a few details that connect both ransomware variants. However, there are some differences between them.

Please study the provided fact sheet to learn more about Bad Rabbit malware and how it differs from NotPetya virus.

  • Bad Rabbit, unlike NotPetya ransomware, is not a wiper and functions as a well-configured and fully operational file-encoding virus.
  • The virus does not exploit EternalBlue vulnerability (CVE-2017-0144[2]) to infect target systems. Previously mentioned ExPetr malware (as well as WannaCry) took advantage of the said security flaw in Windows servers.
  • The ransomware exploits EternalRomance exploit kit.
  • Bad Rabbit is still capable of proliferating via SMB. The malware scans for open shares and runs Mimikatz[3] software to collect Windows credentials. The virus then uses a list of hard-coded logins and passwords (all of them are quite basic) to infect other computers on the network via SMB.
  • The virus does not delete Shadow Volume Copies; thus, data recovery might be possible after the attack.
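The SMB spreading behaviour in the fact sheet (share scanning followed by credential reuse over SMB) leaves a recognizable trace in network-logon events: one source host producing type-3 logons against several targets under several account names within minutes. The following detection logic is an added example, not code from the original article; the normalized event layout, the thresholds and the sample events are assumptions.

```python
"""Spot Bad Rabbit-style SMB spreading in network-logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_TARGETS = 3      # distinct hosts contacted from one source within WINDOW
MIN_ACCOUNTS = 3     # distinct account names tried from one source within WINDOW

# Constructed sample events in a SIEM-normalized form of Windows 4624/4625
# records; logon type 3 is a network (SMB) logon, "ok" marks success.
EVENTS = [
    {"ts": "2017-10-24T14:00:05", "src": "10.0.0.7", "dst": "FS01", "user": "Administrator", "type": 3, "ok": False},
    {"ts": "2017-10-24T14:00:06", "src": "10.0.0.7", "dst": "FS01", "user": "admin", "type": 3, "ok": False},
    {"ts": "2017-10-24T14:00:08", "src": "10.0.0.7", "dst": "FS01", "user": "backup", "type": 3, "ok": True},
    {"ts": "2017-10-24T14:00:20", "src": "10.0.0.7", "dst": "WS12", "user": "backup", "type": 3, "ok": True},
    {"ts": "2017-10-24T14:01:02", "src": "10.0.0.7", "dst": "WS13", "user": "Administrator", "type": 3, "ok": False},
    {"ts": "2017-10-24T14:01:03", "src": "10.0.0.7", "dst": "WS13", "user": "backup", "type": 3, "ok": True},
    # Benign: one workstation reaching one file server twice, hours apart.
    {"ts": "2017-10-24T09:15:00", "src": "10.0.0.50", "dst": "FS01", "user": "jdoe", "type": 3, "ok": True},
    {"ts": "2017-10-24T16:40:00", "src": "10.0.0.50", "dst": "FS01", "user": "jdoe", "type": 3, "ok": True},
    # Interactive logon (type 2) is not SMB traffic and must be ignored.
    {"ts": "2017-10-24T14:00:30", "src": "10.0.0.7", "dst": "WS14", "user": "bob", "type": 2, "ok": True},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_spreaders(events, window=WINDOW):
    """Return {src: {"targets": [...], "accounts": [...]}} for every source
    that reached >= MIN_TARGETS hosts or tried >= MIN_ACCOUNTS account names
    with network logons inside one sliding window of length `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == 3:                       # only network (SMB) logons
            by_src[e["src"]].append((_parse(e["ts"]), e["dst"], e["user"]))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()                               # chronological order
        for i, (t0, _, _) in enumerate(evs):
            span = [x for x in evs[i:] if x[0] - t0 <= window]
            targets = {d for _, d, _ in span}
            accounts = {u for _, _, u in span}
            if len(targets) >= MIN_TARGETS or len(accounts) >= MIN_ACCOUNTS:
                flagged[src] = {"targets": sorted(targets), "accounts": sorted(accounts)}
                break                            # one alert per source is enough
    return flagged

if __name__ == "__main__":
    for src, info in find_spreaders(EVENTS).items():
        print(src, "targets:", info["targets"], "accounts:", info["accounts"])
```

Both failed and successful logons count, because the hard-coded password list described above produces failures on most targets and a success wherever a weak credential matches.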

Malware uses EternalRomance SMB RCE exploit to infiltrate computers

When the first reports about the ransomware's distribution emerged, it was believed that it spreads via the EternalBlue or EternalRomance exploit kits. It was then discovered that the malware uses another NSA exploit kit, which was stolen by the Shadow Brokers in April: EternalRomance.[4]

EternalRomance uses the CVE-2017-0145 vulnerability in Microsoft's Windows Server Message Block (SMB), which allows remote code execution. Microsoft released security bulletin MS17-010[5] to fix this issue. Unfortunately, not all companies and computer users patch their computers and install the necessary updates. As a result, they might suffer from the Bad Rabbit ransomware attack.

The list of the infected countries expands

The Bad Rabbit ransomware outbreak mainly affected Russia (as reported by Bedynet.ru[6]) and Ukraine, although many victims were spotted in Bulgaria, Japan, Turkey, Poland and other countries worldwide. This is not surprising: these countries were also the leading ones regarding the number of compromised websites that served the ransomware's executable (the fake Flash Player update).

At the moment, the number of victims is said to have exceeded 200. Just like during the WannaCry or NotPetya outbreaks, we already see a growing number of large companies and organizations among Bad Rabbit's victims. Odessa International Airport in Ukraine and several media corporations in Russia, including Interfax, Fontanka.ru et al., were among the first to report infiltration by the malware.[7] See a complete list of affected companies below.

UPDATE: Avast researchers reported[8] that Bad Rabbit ransomware has been detected in the United States. It is assumed that American companies may have been infected if they have partners in Europe or other targeted regions and share the same SMB access.

Name: Bad Rabbit
Type of malware: Ransomware

The list of victimized organizations and companies

  • Interfax news agency: Interfax reported an attack on its servers on October 24th. The ransomware took down at least three of the major Russian media agency's websites.
  • Fontanka.ru, Argumenti.ru, Argumentiru.com: Russian cybersecurity firm GROUP-IB reported that these three major Russian news sites were compromised and used to distribute the ransomware disguised as a malicious Flash Player update.
  • Kiev Metro: Kiev Metro became one of the first victims of the crypto-ransomware on October 24th. The virus managed to compromise the payment system and caused major delays during passenger registration.
  • Odessa Airport: Odessa Airport also fell victim to the ransomware attack on the same day as the Kiev Metro systems did.
  • Ministry of Infrastructure of Ukraine: The ransomware continues to wreak havoc in Ukraine, this time infecting the Ministry of Infrastructure of Ukraine.

If the described ransomware already compromised your computer, waste no time and remove Bad Rabbit using anti-malware software like Reimage or Malwarebytes Anti Malware. Do not forget to follow instructions provided below this report for a safe elimination of the file-coding virus.

Please keep in mind that you should use a professional malware removal tool to completely erase the remains of this Trojan. Otherwise, you risk leaving some of its files on the system, along with security vulnerabilities that could allow further malware infections. For complete Bad Rabbit removal, use the guidelines written by IT experts (you will find them below the article).

Fake Flash Player update distributes Bad Rabbit

Adobe’s Flash Player has once again been abused for the benefit of malware developers. The main malware dropper is disguised as a fake Flash update.[9] The malware is downloaded as the install_flash_player.exe file from compromised sites. BadRabbit ransomware might also hide under alternative file names.

Malicious Adobe Flash Player ad infects users with Bad Rabbit virus

Interestingly, the malware has to be executed by the victim. This is likely to happen, since the malware pretends to be a file associated with the well-known Adobe Flash Player software.

After the invasion, Bad Rabbit ransomware creates the file C:\Windows\infpub.dat. It then generates the following files: C:\Windows\cscc.dat and C:\Windows\dispci.exe. They are responsible for modifying the MBR settings. Interestingly, the malware contains references to characters from the Game of Thrones series. BadRabbit malware creates three tasks named after three dragons in the series:

  • C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  • cmd.exe /c schtasks /Delete /F /TN rhaegal
  • cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR
  • cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR:00
  • C:\Windows\AF93.tmp” 

It also makes use of the open-source encryption software called DiskCryptor[10]. Later on, it uses the aforementioned AES and RSA-2048 encryption methods. It targets a variety of file formats.[11]
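The file names and scheduled-task commands listed above are exactly the artifacts a responder looks for in process-creation telemetry. The scanner below is an added example, not part of the original guide; it matches constructed Sysmon-style command lines against the indicators named in this section (install_flash_player.exe, rundll32 loading infpub.dat export #1, dispci.exe, and schtasks operations on the rhaegal and drogon tasks). The log layout is an assumption, and the /TR argument in the sample is constructed because the page shows it truncated.

```python
"""Flag Bad Rabbit host indicators in process-creation log lines (added example)."""
import re
from collections import defaultdict

# Each rule: (finding label, regex applied case-insensitively to the command line).
RULES = [
    ("fake Flash dropper", r"\binstall_flash_player\.exe\b"),
    ("infpub.dat loaded via rundll32 export #1",
     r"\brundll32(\.exe)?\b.*\binfpub\.dat,#1\b"),
    ("MBR component dispci.exe", r"\bdispci\.exe\b"),
    ("scheduled task rhaegal/drogon",
     r"\bschtasks\b.*/TN\s+(rhaegal|drogon)\b"),
]
_COMPILED = [(label, re.compile(pat, re.IGNORECASE)) for label, pat in RULES]

# Constructed sample log (assumed format): one process creation per line.
SAMPLE_LOG = """\
host=WS01 CommandLine="C:\\Users\\bob\\Downloads\\install_flash_player.exe"
host=WS01 CommandLine=C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15
host=WS01 CommandLine=cmd.exe /c schtasks /Delete /F /TN rhaegal
host=WS01 CommandLine=cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR C:\\Windows\\dispci.exe
host=WS02 CommandLine=C:\\Windows\\system32\\svchost.exe -k netsvcs
host=WS02 CommandLine=cmd.exe /c schtasks /Create /SC once /TN backup /RU SYSTEM /TR backup.bat
"""

LINE_RE = re.compile(r"^host=(?P<host>\S+)\s+CommandLine=(?P<cmd>.*)$")

def parse_line(line):
    """Return (host, command line) or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return (m.group("host"), m.group("cmd")) if m else None

def scan_log(text):
    """Return {host: sorted finding labels} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        host, cmd = parsed
        for label, rx in _COMPILED:
            if rx.search(cmd):
                hits[host].add(label)
    return {h: sorted(v) for h, v in hits.items()}

if __name__ == "__main__":
    for host, labels in scan_log(SAMPLE_LOG).items():
        print(host, "->", ", ".join(labels))
```

A benign schtasks invocation (the backup task on WS02) produces no finding, so the task-name rule rather than schtasks itself is what carries the signal.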

After rebooting the system, the virus displays the same ransom note as NotPetya. Just like any traditional ransomware, it points to a payment site where victims can get more details about available data recovery solutions.

Tips to avoid crypto-malware attack

  • Given that the crypto-malware disguises itself as Flash Player and breaks into servers, the key prevention measure is to avoid installing software updates from any site other than the official Adobe web page.
  • Some victims report that their computers were compromised after opening malicious email attachments, which is also one of the most efficient malware distribution tricks. Therefore, you should stay away from questionable files attached to digital messages from strangers or companies you have no business with.
  • Make sure your security tools are updated as well. It is better to use a couple of security apps of different types.
  • Patch your computer by installing all necessary security upgrades from Microsoft.
  • Keep all your programs up-to-date.
  • Consider creating your own “vaccine” for BadRabbit. You can find more details about it above.

Guidelines for Bad Rabbit virus removal

Users infected with the described malware should remove Bad Rabbit virus as soon as possible. It is advisable to rely on an up-to-date anti-malware tool, such as Reimage or Malwarebytes Anti Malware, in order to successfully eliminate the malware. Given its peculiar operation methods, it is not surprising that the malware is called the next Petya.

Considering the virus' technical details, it is highly recommended not to attempt to remove it manually unless you are an experienced computer technician. If you have encountered this cyber misfortune, follow the instructions below. Since the ransomware changes the MBR settings, you will not be able to boot the computer into Safe Mode at first. Apply the MBR reset instructions first.

After that, restart the computer into Safe Mode, re-activate your security applications and remove the virus. After the scanning, launch the computer in normal mode and repeat the procedure. It will confirm that Bad Rabbit removal is complete. Note that malware elimination does not recover encoded files. Try to recover them from backups. You will find some suggestions below.

On Windows 7:

  1. Insert the Windows 7 DVD.
  2. Boot from the DVD.
  3. Choose your language and keyboard layout preferences and click Next.
  4. Choose your operating system, mark Use recovery tools and click Next.
  5. Wait for the System Recovery Options screen to appear and choose Command Prompt.
  6. Type in the following commands and press Enter after each one: bootrec /rebuildbcd, bootrec /fixmbr, and bootrec /fixboot.
  7. Eject the installation DVD and reboot the PC.

On Windows 8/10 systems:

  1. Insert the installation DVD or recovery USB.
  2. Select Repair your computer option.
  3. Pick Troubleshoot and select Command Prompt.
  4. Type the listed commands one by one and press Enter after each: bootrec /FixMbr, bootrec /FixBoot, bootrec /ScanOs, and bootrec /RebuildBcd.
  5. Eject the DVD or recovery USB.
  6. Type exit and hit Enter.
  7. Reboot the PC.


Manual Bad Rabbit virus Removal Guide:

Remove Bad Rabbit using Safe Mode with Networking


  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Bad Rabbit

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Bad Rabbit removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Bad Rabbit using System Restore


After you regain access to startup settings, reboot the computer in Safe Mode and start BadRabbit removal.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Bad Rabbit. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that Bad Rabbit removal has been performed successfully.

Bonus: Recover your data

The guide presented above should help you remove Bad Rabbit from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Bad Rabbit, you can use several methods to restore them:

Is Data Recovery Pro capable of decoding the files affected by BadRabbit?

The program was originally created for recovering files after a system crash. On the other hand, if you do not have backup copies, this software might be one of the last resorts.

The benefits of ShadowExplorer

Although Bad Rabbit ransomware is sophisticated, at the moment there is no information on whether it deletes Shadow Volume Copies. Therefore, you might give this method a try.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Bad Rabbit and other ransomware, use a reputable anti-spyware tool, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst
