RabbitFox ransomware is a cryptovirus that scrambles file names and prevents their access until ransom in Bitcoin is paid to hackers

RabbitFox is a type of malware that focuses on money extortion and falls under the ransomware category. While the virus uses a variety of methods to infect users' devices, the most prominent distribution method is spam email attachments and hyperlinks.
Once inside, RabbitFox ransomware scan the system for pictures, videos, documents, or other personal data in order to encrypt it with the help of AES encryption algorithm.[1] During this process, the name of the file is altered, and .fox appendix is added. The data is not corrupted, however, and, to redeem the access to files, victims need to acquire a unique key that is generated during the ransomware infection stage.
Users are prompted to write hackers to Rabbit2002@pm.me email to find out Bitcoin amount required to pay for the decryptor. This information is compiled in the text note Decrypt.txt that users can find in each folder where locked files are located. In June 2019, a new variant of RabbitFox was detected[2] which used .vendetta extension and foxdecrypt@protonmail.com as a contact email. Despite the name of the appendix, researchers did not find any connections to Vendetta ransomware.
| Name | RabbitFox |
| Type | Ransomware |
| Cipher | AES |
| File extension | .fox, .vendetta |
| Full file name modification |
|
| Ransom note | Decrypt.txt |
| Executable example | ConsoleApp1.exe |
| Contact | Rabbit2002@pm.me, foxdecrypt@protonmail.com |
| Termination | Use FortectIntego, SpyHunterCombo Cleaner or other anti-malware software that can detect the virus |
| Decryption | Only available via backups; might be possible by using data recovery software |
RabbitFox was first spotted in March 2018, and the first sample emerged from Lithuania. Nevertheless, the ransom note is written in English, so it is highly likely that the threat actors do not target specific countries, but rather send out malicious emails to random victims.
However, it is also possible that RabbitFox ransomware is also spread with the help of the following methods:
- Exploit kits
- Unprotected RDP
- Web injects
- Software cracks
- Fake updates, etc.
To find out how to protect yourself from ransomware infection in the future, refer to the second section of this post. Our RabbitFox removal instructions, along with alternative file recovery methods, can be found at the bottom.
As soon as RabbitFox ransomware extracts its malicious payload via ConsoleApp1.exe or another executable file, it changes the way the system operates. For example, it deletes Shadow Volume Copies to prevent data recovery or alters Windows registry entries in order to increase persistence.
For that reason, you should remove RabbitFox ransomware with security software like FortectIntego or SpyHunterCombo Cleaner to retrieve normal operation of the device. Besides, as long as the threat is present on your computer, file recovery is completely useless, as all the data will immediately get encrypted again.
Crooks behind RabbitFox virus are trying to make victims trust them by offering a test decryption service as explained it the ransom note:
Free decryption as guarantee
Before paying you can send us up to 2 files for free decryption.
The total size of files must be less than 1Mb (non archived), and files should not contain valuable information.
Do not pay cybercriminals, as they might simply ignore you after you transfer the Bitcoin payment, and you will end up losing your money as well. Besides, it would only prove that RabbitFox works as intended and will prompt them to infect more victims worldwide.
While there is no decryption tool that would allow you to recover .fox and .vendetta files for free, you might try alternative data recovery solutions, although chances of a positive outcome are relatively slim.

Tips to avoid ransomware infections and loss of files in the future
Ransomware is a type of computer infection that is extremely devastating because even after its termination, the locked files are not reverted to its previous state. Until security experts create the decryption tool, recovering files modified by ransomware is extremely difficult: the malware should fail to execute correctly or not remove Shadow Volume Copies. Keeping backups on a remote server or an external drive is the best way to negate the impact of a cryptovirus.
Nevertheless, the best solution to the problem would be not to get infected in the first place. Here are simple tips from industry experts[3] that will help you avoid malware in the future:
- Update your operating system and the installed applications regularly;
- Enable Firewall and install ad-blocking program;
- Do not use Remote Desktop with default port and protect it with a VPN or a proxy;
- Stay away from pirated software or its cracks;
- Be aware that spam email attachments and hyperlinks can install malware as soon as clicked;
- Enable two-factor authentication where possible and use a password manager;
- If you do not use a password manager, make sure you never reuse same passwords for different accounts.
Terminate RabbitFox ransomware with anti-malware software
RabbitFox ransomware removal should be your top priority, regardless of what hackers say – they threaten the access to files will be permanently lost if third-party tools are used. While it is party true, ransomware itself might fail to function properly and fail to delete Shadow Volume snapshots.
To remove RabbitFox virus, you should install reputable security software and run a full system scan. Nevertheless, the malware might tamper with your security software and prevent its termination. In such a case, you should access Safe Mode with Networking and perform the removal from there.
As soon as you delete RabbitFox completely, you can connect your backup device to recover your data. If you had no backups and alternative solutions do not work, the only solution would be to save files and wait till cybersecurity experts come up with the decryptor.
Was this guide helpful?
Be the first to comment