
Remove Bad Rabbit ransomware / virus (Removal Guide) - updated Sep 2020

Removal guide by Olivia Morelli | Also known as DiskCoder.D | Type: Ransomware

Bad Rabbit ransomware hit more than 200 organizations all over the world

Image: screenshot of the Bad Rabbit payment site.

The Bad Rabbit virus launched a massive worldwide attack on the 24th of October 2017. In a short time, the file-encrypting virus managed to affect more than 200 organizations all over the world and held their files hostage. However, some of the encrypted files might be recoverable without paying the ransom to the cyber criminals.

According to the latest data, Bad Rabbit ransomware mostly affected organizations in Russia and Ukraine. Other Eastern European countries, South Korea and Japan suffered from the ransomware as well. According to the latest research data, the malware hit some American users too.

Criminals behind the malware compromised many legitimate websites to deliver fake Adobe Flash Player updates (install_flash_player.exe) that need to be executed manually to activate the crypto-malware.

The virus uses the AES-256-CBC and RSA-2048 ciphers to lock the files, appends the .encrypted extension to their original filenames, and creates a Readme.txt file which it places on the Desktop. Finally, Bad Rabbit replaces the Master Boot Record (MBR) and restarts the computer.

Consequently, the victim loses access to the computer as it fails to boot and displays a threatening message on a black screen. The ransom note says “Oops! Your files have been encrypted!” and claims that the only possible data restoration method is paying a ransom to the virus's authors.

The message provides a link to a .onion website (accessible via Tor browser only) and leaves “personal installation key” on the screen. The payment website presented by the virus states that the victim has to pay 0.05 bitcoin for data recovery (approximately $280).

Recent analysis of the virus shows that paying the ransom is not the only way to restore files after the ransomware attack. The virus does not delete Shadow Volume Copies, so third-party software might help to rescue at least some of the encrypted files. However, before trying alternative recovery methods, users are advised to remove the Bad Rabbit malware from the device using Reimage Cleaner Intego or another malware removal tool.

UPDATE. Researchers have already discovered a vaccine against Bad Rabbit, which prevents the ransomware from corrupting files even if the victim executes the malicious file. Further details on how to create your own “vaccine” are provided on the Esolutions blog.

Free Bad Rabbit decryptor can help some victims to get back their files

Kaspersky Labs reported[1] that there might be a chance to restore files after a Bad Rabbit attack without paying the ransom. The researchers found two mistakes in the ransomware’s code. The most significant discovery is that the malware does not delete Shadow Volume Copies after data encryption.

Therefore, victims of the ransomware might use third-party software to restore encrypted files. Keep in mind that these tools might not be capable of recovering all your files, but some of them will definitely be rescued. Before trying various recovery programs, however, remove Bad Rabbit ransomware from the device.

Researchers have also found another flaw in the ransomware’s code, related to the decryption passwords. It seems that the malware does not wipe the generated password from memory until the victim reboots the computer. Researchers discovered that it might be possible to extract the decryption password from dispci.exe if the system was not rebooted after the ransomware attack.

Scammers use the name of Bad Rabbit to scare internet users

In January 2018, malware researchers warned about a new technical support scam that uses the name of Bad Rabbit. The scam follows the traditional scheme: users are redirected to a compromised site that delivers a pop-up warning about a ransomware attack and urges them to call a provided phone number:

Windows Has Detected a BAD RABBIT ATTACK !! On Your System
Do Not Shutdown or Restart Your Computer
Contact Windows Certified Technicians For Immediate Assistance

Authors of the “Bad Rabbit Attack” scam claim that due to the attack, users’ Facebook logins, credit card information, email logins and photos stored on the computer are in danger. However, Bad Rabbit ransomware does not perform such activities. As you already know, it’s a file-encrypting virus.

If you receive such a pop-up, you should not call 1-844-539-5778 or any other phone number it shows. Instead, close the browser and check the system for adware with Reimage Cleaner Intego. Usually, such a potentially unwanted program is responsible for displaying the technical support scammers' message.

Bad Rabbit is related to Petya/NotPetya malware

Bad Rabbit ransomware is believed to be a variant of NotPetya ransomware (also known as Petya/ExPetr/Petna) as it shares many technical similarities with the infamous crypto-virus. The ability to modify the Master Boot Record, the use of the AES and RSA encryption ciphers and a similar hashing algorithm are just a few details that connect both ransomware variants. However, there are some differences between them.

Please study the provided fact sheet to learn more about Bad Rabbit malware and how it differs from NotPetya virus.

  • Bad Rabbit, unlike NotPetya ransomware, is not a wiper and functions as a well-configured and fully operational file-encoding virus.
  • The virus does not exploit EternalBlue vulnerability (CVE-2017-0144[2]) to infect target systems. Previously mentioned ExPetr malware (as well as WannaCry) took advantage of the said security flaw in Windows servers.
  • Instead, the ransomware uses the EternalRomance exploit.
  • Bad Rabbit is still capable of proliferating via SMB. The malware scans for open shares and runs Mimikatz[3] software to collect Windows credentials. The virus then uses a list of hard-coded logins and passwords (all of them are quite basic) to infect other computers on the network via SMB.
  • The virus does not delete Shadow Volume Copies; thus, data recovery might be possible after the attack.

Image: alternative trojan names of Bad Rabbit. The Bad Rabbit virus continues the misdeeds of Petya.

Hundreds of organizations in Europe, Asia and America were hit by ransomware

The Bad Rabbit ransomware outbreak mainly affected Russia (as reported by[4]) and Ukraine, although many victims were spotted in Bulgaria, Japan, Turkey, Poland and other countries worldwide. This is no surprise: these countries were also the leading ones regarding the number of compromised websites that served the ransomware's executable (the fake Flash Player update).


At the moment, the number of victims is said to have exceeded 200. Just like during the WannaCry and NotPetya outbreaks, we already see a growing number of large companies and organizations among Bad Rabbit's victims. Odessa International Airport in Ukraine and several media corporations in Russia, including Interfax, were among the first to report infiltration by the malware.[5] See a complete list of affected companies below.

UPDATE: Avast researchers reported[6] that Bad Rabbit ransomware has been detected in the United States. It is assumed that the affected organizations may have been infected because they have partners in Europe or other targeted regions and share the same SMB access.

Name: Bad Rabbit
Type of malware: Ransomware

The list of victimized organizations and companies:

  • Interfax news agency: Interfax reported an attack on its servers on October 24th. The ransomware took down at least three of the major Russian media agency's websites. The Russian cybersecurity firm GROUP-IB reported that these three major Russian news sites were compromised and used to distribute the ransomware disguised as a malicious Flash Player update.
  • Kiev Metro: Kiev Metro became one of the first victims of the crypto-ransomware on October 24th. The virus managed to compromise the payment system and caused major delays during passenger registration.
  • Odessa Airport: Odessa Airport also fell victim to the ransomware attack on the same day as the Kiev Metro systems did.
  • Ministry of Infrastructure of Ukraine: The ransomware continued to wreak havoc in Ukraine, this time infecting the Ministry of Infrastructure of Ukraine.

If the described ransomware already compromised your computer, waste no time and remove Bad Rabbit using anti-malware software like Reimage Cleaner Intego or Malwarebytes. Do not forget to follow the instructions provided below this report for a safe elimination of the file-coding virus.

Please keep in mind that you should use a professional malware removal tool to completely erase the remains of this Trojan. Otherwise, you risk leaving some of its files on the system, along with security vulnerabilities that could allow further malware infections. For a complete Bad Rabbit removal, use the guidelines written by IT experts (you will find them below the article).

Ransomware exploits system vulnerabilities to launch the attack

When the first reports about the ransomware's distribution emerged, it was believed that it spreads via the EternalBlue exploit. It was then discovered that the malware uses another NSA exploit, stolen by the Shadow Brokers and leaked in April: EternalRomance.[7]

EternalRomance exploits the CVE-2017-0145 vulnerability in Microsoft's Windows Server Message Block (SMB) implementation, which allows remote code execution. Microsoft released security bulletin MS17-010[8] to fix this issue. Unfortunately, not all companies and computer users patch their computers and install the necessary updates. As a result, they remain exposed to the Bad Rabbit ransomware attack.

Bad Rabbit was spotted spreading as Fake Flash Player update

Adobe’s Flash Player is once again abused for the benefit of malware developers. The main malware dropper is disguised as a fake Flash update.[9] The malware is downloaded as the install_flash_player.exe file from compromised sites. Bad Rabbit ransomware might also be disguised under alternative file names.

Image: a malicious Adobe Flash Player ad infects users with the Bad Rabbit virus. Bad Rabbit ransomware spreads as a fake Adobe Flash Player update offered by many websites that were compromised by hackers.

Interestingly, the malware has to be executed by the victim. This is likely to happen, since the malware pretends to be a file associated with the well-known Adobe Flash Player software.

After the invasion, Bad Rabbit ransomware creates the file C:\Windows\infpub.dat. That component then generates the files C:\Windows\cscc.dat and C:\Windows\dispci.exe, which are responsible for modifying the MBR. Interestingly, the malware references characters from the Game of Thrones series: it creates three scheduled tasks named after the three dragons in the series, using commands such as the following:

  • C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  • cmd.exe /c schtasks /Delete /F /TN rhaegal
  • cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR
  • cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR:00
  • C:\Windows\AF93.tmp

It also makes use of the open-source disk encryption utility DiskCryptor[10], together with the aforementioned AES and RSA-2048 encryption. It targets a variety of file formats.[11]
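The artifacts described above (the dropped files, the dragon-named scheduled tasks, the rundll32 call with the infpub.dat,#1 entry point) and the surviving Shadow Volume Copies mentioned in the decryptor section give a responder a quick, read-only way to triage a Windows host. The PowerShell below is an added example written for this article; it is not code from the original page, from Esolutions or from any vendor mentioned here. The function name is my own, the checked paths and task names are the ones the article lists, and it assumes an elevated session on Windows 8/Server 2012 or later (Get-ScheduledTask is not available on Windows 7, where `schtasks /Query /V /FO LIST` gives the same information).

```powershell
# Added triage example (not from the original article). Read-only: it only
# reports Bad Rabbit indicators and never deletes or modifies anything.

function Get-BadRabbitIndicators {
    [CmdletBinding()]
    param()

    # Files the article says the dropper writes. infpub.dat is the main DLL,
    # cscc.dat and dispci.exe belong to the DiskCryptor-based disk locker.
    $files = @(
        "$env:SystemRoot\infpub.dat",
        "$env:SystemRoot\cscc.dat",
        "$env:SystemRoot\dispci.exe"
    )
    $presentFiles = @($files | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

    # Scheduled tasks named after the Game of Thrones dragons listed above.
    $taskNames = @('rhaegal', 'drogon')
    $tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $taskNames -contains $_.TaskName.ToLower() } |
        Select-Object TaskName, State,
            @{ Name = 'Action'; Expression = {
                ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } })

    # Live processes: rundll32 loading infpub.dat at export #1, or dispci.exe itself.
    $procs = @(Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match 'infpub\.dat,#1' -or $_.Name -ieq 'dispci.exe' } |
        Select-Object ProcessId, Name, CommandLine)

    # Shadow Volume Copies: the article reports that Bad Rabbit leaves them intact,
    # so a non-zero count means ShadowExplorer-style recovery is worth trying.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        DroppedFiles    = $presentFiles
        SuspiciousTasks = $tasks
        SuspiciousProcs = $procs
        ShadowCopyCount = $shadows.Count
        LikelyInfected  = ($presentFiles.Count -gt 0) -or ($tasks.Count -gt 0) -or ($procs.Count -gt 0)
    }
}

# Usage: run from an elevated PowerShell prompt on the host being examined.
Get-BadRabbitIndicators | Format-List
```

If LikelyInfected is true while the machine is still running, do not reboot before collecting evidence: the decryptor section above notes that the generated password stays in memory until the system restarts, and a restart is also what triggers the MBR-based lock screen. A ShadowCopyCount above zero is the signal that the recovery steps at the end of this guide have something to work with.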

After rebooting the system, the virus displays the same ransom note as NotPetya. Just like any traditional ransomware, it points to a payment site where victims can get more details about available data recovery solutions.

It's possible to avoid a ransomware attack

  • Given that the crypto-malware disguises itself as Flash Player and breaks into servers, the key prevention measure is to avoid installing software updates from any site other than the official Adobe web page.
  • Some victims report that their computers were compromised after opening malicious email attachments, which is also one of the most efficient malware distribution tricks. Therefore, you should stay away from questionable files attached to digital messages from strangers or companies you have no business with.
  • Make sure your security tools are updated as well. It is better to use a couple of security applications of different types.
  • Patch your computer by installing all necessary security upgrades from Microsoft.
  • Keep all your programs up-to-date.
  • Consider creating your own “vaccine” for BadRabbit. You can find more details about it above.
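The “vaccine” mentioned in the update near the top of this guide and in the last prevention step relies on the file names the article lists in the infection description: the dropper writes C:\Windows\infpub.dat and C:\Windows\cscc.dat, and if those paths already exist and nobody can write to them, the payload cannot install itself. The PowerShell below is an added example of that publicly documented technique; it is not the Esolutions blog's script and not code from the original page. The function names are my own. It assumes an elevated session, and it only helps if it runs before infection: it does nothing for files that are already encrypted and does not stop the SMB credential-based spreading described above.

```powershell
# Added vaccine example (not from the original article or the Esolutions blog).
# Pre-creates the two dropper files and strips every permission from them.

function Install-BadRabbitVaccine {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Paths the dropper writes, as listed in the article.
        [string[]]$Paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    foreach ($path in $Paths) {
        if (-not $PSCmdlet.ShouldProcess($path, 'Create placeholder file and remove all permissions')) {
            continue
        }
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Disable inheritance and discard the inherited ACEs, then drop any explicit ones.
        # The result is an empty DACL: no account can open the file for writing, so the
        # dropper's attempt to write its payload to this path fails.
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    param(
        [string[]]$Paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
    )
    # A path counts as vaccinated only if it exists and its DACL has no entries left.
    foreach ($path in $Paths) {
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $empty  = $exists -and (@((Get-Acl -LiteralPath $path).Access).Count -eq 0)
        [PSCustomObject]@{ Path = $path; Vaccinated = $empty }
    }
}

# Usage: preview with -WhatIf first, then apply and verify.
Install-BadRabbitVaccine -WhatIf
Install-BadRabbitVaccine
Test-BadRabbitVaccine
```

The check in Test-BadRabbitVaccine is the same one you can do by hand with `icacls C:\Windows\infpub.dat`, which should list no permission entries for a vaccinated file. Because the owner of the file keeps the implicit right to change its permissions, the vaccine is a stopgap against this specific dropper, not a substitute for the MS17-010 patching and update hygiene listed above.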

Delete Bad Rabbit ransomware and recover encrypted files

Users infected with the described malware should remove the Bad Rabbit virus as soon as possible. It is advisable to rely on an up-to-date anti-malware tool, such as Reimage Cleaner Intego or Malwarebytes, to eliminate the malware successfully. Given its peculiar operation methods, it is no surprise that the malware is called the next Petya.

Given the virus's technical details, it is highly recommended not to attempt to remove it manually unless you are an experienced computer technician. If you have encountered this cyber misfortune, follow the instructions below. Since the ransomware changes the MBR, you will not be able to boot the computer into Safe Mode at first, so start with the MBR reset instructions.

After that, restart the computer into Safe Mode, re-activate your security applications and remove the virus. After the scanning, launch the computer in normal mode and repeat the procedure. It will confirm that Bad Rabbit removal is complete. Note that malware elimination does not recover encoded files. Try to recover them from backups. You will find some suggestions below.

On Windows 7:

  1. Insert the Windows 7 DVD.
  2. Boot from the DVD.
  3. Choose language and keyboard layout preferences. Opt for Next.
  4. Choose your operating system, mark the Use recovery tools and click Next.
  5. Wait for the System Recovery Options screen to appear and choose Command Prompt.
  6. Type in the following commands and press Enter after each one: bootrec /rebuildbcd, bootrec /fixmbr, and bootrec /fixboot.
  7. Eject the installation DVD and reboot the PC.

On Windows 8/10 systems:

  1. Insert the installation DVD or recovery USB.
  2. Select Repair your computer option.
  3. Pick Troubleshoot and select Command Prompt.
  4. Type the listed commands one by one and press Enter after each: bootrec /FixMbr, bootrec /FixBoot, bootrec /ScanOs, and bootrec /RebuildBcd.
  5. Eject the DVD or recovery USB.
  6. Type exit and hit Enter.
  7. Reboot the PC.


To remove Bad Rabbit virus, follow these steps:

Remove Bad Rabbit using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Bad Rabbit

    Log in to your infected account and start the browser. Download Reimage Cleaner Intego or another legitimate anti-spyware program. Update it before a full system scan, remove the malicious files that belong to the ransomware and complete the Bad Rabbit removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Bad Rabbit using System Restore

After you regain access to startup settings, reboot the computer in Safe Mode and start BadRabbit removal.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the infiltration of Bad Rabbit. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage Cleaner Intego, scan your computer with it and make sure that the Bad Rabbit removal was performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Bad Rabbit from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Bad Rabbit, you can use several methods to restore them:

Is Data Recovery Pro capable of decoding the files affected by BadRabbit?

The program was originally created for recovering files after a system crash. On the other hand, if you do not have backup copies, this software might be one of the last resorts.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Bad Rabbit ransomware;
  • Restore them.

The benefits of ShadowExplorer

Though Bad Rabbit ransomware is sophisticated, there is currently no information indicating that it deletes Shadow Volume Copies. Therefore, you might give this method a try.

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Bad Rabbit and other ransomware, use a reputable anti-spyware tool, such as Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Backup files for the later use, in case of the malware attack

Computer users can suffer data loss due to cyber infections or their own mistakes. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause the loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is equally important to update backups on a regular basis so that the newest information remains intact; you can set this process to run automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli - Ransomware analyst
