Bad Rabbit ransomware hit more than 200 organizations all over the world
Bad Rabbit virus launched a massive worldwide attack on the 24th of October 2017. In a short period of time, the file-encrypting virus managed to affect more than 200 organizations all over the world and held their files hostage. However, some of the encrypted files might be decrypted without paying the ransom to cyber criminals.
According to the latest data, Bad Rabbit ransomware mostly affected organizations in Russia and Ukraine. Other Eastern European countries, South Korea and Japan suffered from the ransomware as well. According to the latest research data, the malware hit some American users too.
Criminals behind the malware compromised many legitimate websites to deliver fake Adobe Flash Player updates (install_flash_player.exe) that need to be executed manually to activate the crypto-malware.
The virus uses the AES-256-CBC and RSA-2048 ciphers to lock the files, appends the .encrypted extension to their original filenames, and creates a Readme.txt file which it places on the Desktop. Finally, Bad Rabbit replaces the Master Boot Record (MBR) and restarts the computer.
Consequently, the victim loses access to the computer as it fails to boot and displays a threatening message on a black screen. The ransom note says “Oops! Your files have been encrypted!” and explains that the only possible data restoration method is paying a ransom to the virus' authors.
The message provides a link to a .onion website (accessible via the Tor browser only) and leaves a “personal installation key” on the screen. The payment website presented by the virus states that the victim has to pay 0.05 bitcoin for data recovery (approximately $280).
Recent analysis of the virus shows that paying the ransom is not the only way to restore files after the ransomware attack. The virus does not delete Shadow Volume Copies; thus, third-party software might help to rescue at least some of the encrypted files. However, before trying alternative recovery methods, users are advised to remove Bad Rabbit malware from the device using ReimageIntego or other malware removal software.
UPDATE. Researchers have already discovered a vaccine against Bad Rabbit, which prevents the ransomware from corrupting files even if the victim executes the malicious file. Further details on how to create your own “vaccine” are provided on the Esolutions blog.
Free Bad Rabbit decryptor can help some victims to get back their files
Kaspersky Lab reported that there might be a chance to restore files after a Bad Rabbit attack without paying the ransom. The researchers found two mistakes in the ransomware’s code. The most significant discovery is that the malware does not delete Shadow Volume Copies after data encryption.
Therefore, victims of the ransomware might use third-party software to restore encrypted files. Keep in mind that these tools might not be capable of recovering all your files, but at least some of them will be rescued. However, before trying various recovery programs, remove Bad Rabbit ransomware from the device.
Researchers have also found another flaw in the ransomware’s code that is related to the decryption passwords. It seems that the malware does not delete the generated password from memory until the victim reboots the computer. Researchers discovered that it might be possible to extract the decryption password from dispci.exe if the system was not rebooted after the ransomware attack.
Scammers use the name of Bad Rabbit to scare internet users
In January 2018, malware researchers warned about a new technical support scam that uses the name of Bad Rabbit. The scam follows the traditional scheme: users are redirected to a compromised site that delivers a pop-up warning about a ransomware attack and urges them to call the provided phone number:
Windows Has Detected a BAD RABBIT ATTACK !! On Your System
Do Not Shutdown or Restart Your Computer
Contact Windows Certified Technicians For Immediate Assistance
Authors of the “Bad Rabbit Attack” scam claim that due to the attack, users’ Facebook logins, credit card information, email logins and photos stored on the computer are in danger. However, Bad Rabbit ransomware does not perform such activities; as you already know, it is a file-encrypting virus.
If you receive such a pop-up, do not call 1-844-539-5778 or any other phone number it displays. Instead, close the browser and check the system for adware with ReimageIntego. Usually, such a potentially unwanted program is responsible for displaying messages from technical support scammers.
Bad Rabbit is related to Petya/NotPetya malware
Bad Rabbit ransomware is believed to be a variant of NotPetya ransomware (also known as Petya/ExPetr/Petna), as it shares many technical similarities with the infamous crypto-virus. The ability to modify the Master Boot Record, the use of the AES and RSA encryption ciphers and a similar hashing algorithm are just a few of the details that connect both ransomware variants. However, there are some differences between them.
Please study the provided fact sheet to learn more about Bad Rabbit malware and how it differs from NotPetya virus.
- Bad Rabbit, unlike NotPetya ransomware, is not a wiper; it functions as a well-configured and fully operational file-encrypting virus.
- The virus does not exploit the EternalBlue vulnerability (CVE-2017-0144) to infect target systems. The previously mentioned ExPetr malware (as well as WannaCry) took advantage of that security flaw in Windows servers.
- The ransomware instead uses the EternalRomance exploit.
- Bad Rabbit is still capable of proliferating via SMB. The malware scans for open shares and runs the Mimikatz tool to collect Windows credentials. The virus then uses a list of hard-coded logins and passwords (all of them quite basic) to infect other computers on the network via SMB.
- The virus does not delete Shadow Volume Copies; thus, data recovery might be possible after the attack.
BadRabbit virus continues the misdeeds of Petya.
Hundreds of organizations in Europe, Asia and America were hit by ransomware
Bad Rabbit ransomware outbreak mainly affected Russia (as reported by Bedynet.ru) and Ukraine, although many victims were spotted in Bulgaria, Japan, Turkey, Poland and other countries worldwide. No wonder – these countries were also the leading ones in the number of compromised websites that served the ransomware's executable (the fake Flash Player update).
At the moment, the number of victims is said to have exceeded 200. Just like during the outbreaks of WannaCry and NotPetya, we already see a growing number of large companies and organizations among Bad Rabbit's victims. Odessa International Airport in Ukraine and several media corporations in Russia, including Interfax and Fontanka.ru, were among the first to report infiltration of the malware. See a complete list of affected companies below.
UPDATE: Avast researchers reported that Bad Rabbit ransomware has been detected in the United States. It is assumed that US organizations may have been infected if they have partners in Europe or other targeted regions and share the same SMB access.
Type of malware: Ransomware

The list of victimized organizations and companies:

| Organization | Details |
| --- | --- |
| Interfax news agency | Interfax reported an attack on its servers on October 24th. The ransomware took down at least three of the major Russian news agency's websites. Russian cybersecurity firm GROUP-IB reported that these three major Russian news sites were compromised and used to distribute the ransomware disguised as a malicious Flash Player update. |
| Kiev Metro | Kiev Metro became one of the first victims of the crypto-ransomware on October 24th. The virus managed to compromise the payment system and caused major delays during passenger registration. |
| Odessa Airport | Odessa Airport also fell victim to the ransomware attack on the same day as the Kiev Metro systems did. |
| Ministry of Infrastructure of Ukraine | The ransomware continued to wreak havoc in Ukraine, this time infecting the Ministry of Infrastructure of Ukraine. |
If the described ransomware has already compromised your computer, waste no time and remove Bad Rabbit using anti-malware software like ReimageIntego or Malwarebytes. Do not forget to follow the instructions provided below this report for safe elimination of the file-encrypting virus.
Please keep in mind that you should use a professional malware removal tool to completely erase the remains of this Trojan. Otherwise, you risk leaving some of its files on the system and leaving security vulnerabilities that could allow further malware infections. For complete Bad Rabbit removal, use the guidelines written by IT experts (you will find them below the article).
Ransomware exploits system vulnerabilities to launch the attack
When the first reports about the ransomware's distribution emerged, it was believed that it spreads via the EternalBlue or EternalRomance exploits. It was later established that the malware uses the EternalRomance exploit, another NSA tool that was stolen by the Shadow Brokers in April.
EternalRomance exploits the CVE-2017-0145 vulnerability in Microsoft's Windows Server Message Block (SMB) protocol, which allows remote code execution. Microsoft released security bulletin MS17-010 to fix this issue. Unfortunately, not all companies and computer users patch their computers and install the necessary updates. As a result, they might suffer from the Bad Rabbit ransomware attack.
Bad Rabbit was spotted spreading as Fake Flash Player update
Adobe's Flash Player is once again being abused for the benefit of malware developers. The main malware dropper is disguised as a fake Flash update. The malware is downloaded as the install_flash_player.exe file from compromised sites. BadRabbit ransomware might also hide under alternative file names.
Bad Rabbit ransomware spreads in a form of a fake Adobe Flash Player update suggested by many websites that were compromised by hackers.
Interestingly, the malware has to be executed by the victim. That is likely to happen, since the malware pretends to be a file associated with the well-known Adobe Flash Player software.
After the invasion, Bad Rabbit ransomware creates the C:\Windows\infpub.dat file. It then generates the following files: C:\Windows\cscc.dat and C:\Windows\dispci.exe. They are responsible for modifying the MBR. Interestingly, the malware contains references to the characters of the Game of Thrones series. BadRabbit malware creates three tasks named after the three dragons in the series:
- C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
- cmd.exe /c schtasks /Delete /F /TN rhaegal
- cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR
- cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR:00
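As an added illustration (not code from the original article), the following Python scanner turns the dropper name, dropped files, rundll32 export call and task names listed above into detection logic and runs it over a constructed process/file event log; the log format, host names and timestamps are assumptions.

```python
import re

# Host artifacts named in the article: the dropper file name, the files
# written to C:\Windows, the rundll32 export call and the task names.
DROPPER = "install_flash_player.exe"
DROPPED_FILES = ("infpub.dat", "cscc.dat", "dispci.exe")
TASK_NAMES = ("rhaegal", "drogon")
RUNDLL_EXPORT = re.compile(r"rundll32\.exe\s+.*?infpub\.dat,#1\b", re.IGNORECASE)
SCHTASKS = re.compile(r"schtasks\s+/(create|delete)\b.*?/tn\s+(\S+)", re.IGNORECASE)

# Constructed sample log (hypothetical 'timestamp host event command' records):
# ws-17 shows the chain described in the article, ws-03 is benign noise.
SAMPLE_LOG = r"""
2017-10-24T11:02:13Z ws-17 ProcessCreate C:\Users\ann\Downloads\install_flash_player.exe
2017-10-24T11:02:15Z ws-17 FileCreate C:\Windows\infpub.dat
2017-10-24T11:02:15Z ws-17 ProcessCreate C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2017-10-24T11:02:16Z ws-17 FileCreate C:\Windows\cscc.dat
2017-10-24T11:02:16Z ws-17 FileCreate C:\Windows\dispci.exe
2017-10-24T11:02:17Z ws-17 ProcessCreate cmd.exe /c schtasks /Delete /F /TN rhaegal
2017-10-24T11:02:17Z ws-17 ProcessCreate cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR action-omitted
2017-10-24T11:02:18Z ws-17 ProcessCreate cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR action-omitted
2017-10-24T11:06:00Z ws-03 ProcessCreate cmd.exe /c schtasks /Create /SC daily /TN nightly-backup /RU SYSTEM /TR backup.cmd
2017-10-24T11:06:30Z ws-03 FileCreate C:\Users\bob\Downloads\dispci.exe
"""

def classify(event, cmd):
    """Return the Bad Rabbit indicator tags matched by one record."""
    tags = []
    lower = cmd.lower()
    if DROPPER in lower:
        tags.append("fake_flash_dropper")
    if RUNDLL_EXPORT.search(cmd):
        tags.append("rundll32_infpub_export")
    m = SCHTASKS.search(cmd)
    if m and m.group(2).lower() in TASK_NAMES:
        tags.append("schtasks_%s_%s" % (m.group(1).lower(), m.group(2).lower()))
    if event == "FileCreate":  # only copies under C:\Windows count as drops
        for name in DROPPED_FILES:
            if ("\\windows\\" + name) in lower:
                tags.append("dropped_" + name)
    return tags

def scan(log_text):
    """Return (host, ts, tags) for every record that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        parts = line.strip().split(" ", 3)
        if len(parts) != 4:  # skip blank or malformed records
            continue
        ts, host, event, cmd = parts
        tags = classify(event, cmd)
        if tags:
            findings.append((host, ts, tags))
    return findings

def hosts_with_infection_chain(findings):
    """Hosts showing the infpub.dat export call plus a dragon-named task."""
    by_host = {}
    for host, _ts, tags in findings:
        by_host.setdefault(host, set()).update(tags)
    return sorted(h for h, t in by_host.items()
                  if "rundll32_infpub_export" in t
                  and any(x.startswith("schtasks_create_") for x in t))
```

A lone dispci.exe in a user's Downloads folder is deliberately not flagged; the chain check raises an alert only when the export call and a task creation appear on the same host.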
After rebooting the system, the virus displays the same ransom note as NotPetya. Just like any traditional ransomware, it points to a payment site where victims can get more details about available data recovery solutions.
It's possible to avoid ransomware attack
- Given that the crypto-malware disguises itself as Flash Player and breaks into servers, the key prevention measure is to avoid installing software updates from any site other than the official Adobe web page.
- Some victims report that their computers were compromised after opening malicious email attachments, which is also one of the most efficient malware distribution tricks. Therefore, stay away from questionable files attached to messages from strangers or companies you have no business with.
- Make sure your security tools are updated as well. It is better to use a couple of security apps of different types.
- Patch your computer by installing all necessary security upgrades from Microsoft.
- Keep all your programs up-to-date.
- Consider creating your own “vaccine” for BadRabbit. You can find more details about it above.
Delete Bad Rabbit ransomware and recover encrypted files
Users infected with the described malware should remove the Bad Rabbit virus as soon as possible. It is advisable to rely on an up-to-date anti-malware tool, such as ReimageIntego or Malwarebytes, in order to successfully eliminate the malware. Given its peculiar methods of operation, it is not surprising that the malware is called the next Petya.
Speaking of the virus' technical details, it is highly recommended not to attempt to remove it manually if you are not an experienced computer technician. If you have encountered this cyber misfortune, follow the instructions below. Since the ransomware changes the MBR, you will not be able to boot the computer in Safe Mode at first. Follow the MBR reset instructions.
After that, restart the computer in Safe Mode, re-activate your security applications and remove the virus. After the scan, launch the computer in normal mode and repeat the procedure. This will confirm that Bad Rabbit removal is complete. Note that malware elimination does not recover the encoded files; try to recover them from backups. You will find some suggestions below.
On Windows 7:
- Insert the Windows 7 DVD.
- Boot from the DVD.
- Choose language and keyboard layout preferences. Opt for Next.
- Choose your operating system, mark Use recovery tools and click Next.
- Wait for the System Recovery Options screen to appear and choose Command Prompt.
- Type in the following commands and press Enter after each one: bootrec /rebuildbcd, bootrec /fixmbr, and bootrec /fixboot.
- Eject the installation DVD and reboot the PC.
On Windows 8/10 systems:
- Insert the installation DVD or recovery USB.
- Select Repair your computer option.
- Pick Troubleshoot and select Command Prompt.
- Type the listed commands one by one and press Enter after each: bootrec /FixMbr, bootrec /FixBoot, bootrec /ScanOs, and bootrec /RebuildBcd.
- Eject the DVD or recovery USB.
- Type exit and hit Enter.
- Reboot the PC.
To remove Bad Rabbit virus, follow these steps:
Manual Bad Rabbit removal using Safe Mode
A manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in a full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) repeatedly until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Bad Rabbit using System Restore
After you regain access to startup settings, reboot the computer in Safe Mode and start BadRabbit removal.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of Bad Rabbit. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove Bad Rabbit from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Bad Rabbit, you can use several methods to restore them:
Is Data Recovery Pro capable of decoding the files affected by BadRabbit?
The program was originally created for recovering files after a system crash. On the other hand, if you do not have backup copies, this software might be one of the last resorts.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Bad Rabbit ransomware;
- Restore them.
The benefits of ShadowExplorer
Though Bad Rabbit ransomware is sophisticated, at the moment there is no information on whether it deletes shadow volume copies. Therefore, you might give it a try.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Bad Rabbit and other ransomware, use a reputable anti-spyware tool, such as ReimageIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
Protect your privacy – employ a VPN
There are several ways to make your online time more private – you can use an incognito tab. However, it is no secret that even in this mode you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus keeping your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, or made available to either first or third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without the feeling of being spied on or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many people panic outright when such an unfortunate course of events happens. Because of this, you should always ensure that you make proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.