After the infamous WannaCry and Petya ransomware comes another menacing ransomware infection. A new crypto-malware called “Bad Rabbit” is on the loose and is currently spreading across the globe at a fast pace. Bad Rabbit ransomware attacks were first noticed in Russia and Ukraine and are now making their way across Europe. This is the third cyber attack on a global scale to take place this year, and it is currently wreaking havoc worldwide. Some of the confirmed victims of Bad Rabbit are the Kiev subway system, Odessa airport, the Ministry of Infrastructure in Ukraine, and the Russian agencies Fontanka and Interfax.
What exactly is Bad Rabbit ransomware? And how does it carry out its attack?
Bad Rabbit ransomware is yet another dangerous and threatening ransomware infection. It appears to be quite specific: it uses XTS encryption very similar to that of the Mamba ransomware, uses the AES-256-CBC and RSA-2048 ciphers to lock files, and appends the .encrypted extension to the files’ original names. Bad Rabbit is also known to replace and encode the Master Boot Record (MBR) of the infected computer’s drives. Malware researchers have established that the ransomware is based on an open-source encryption solution called DiskCryptor, which aims to convert GPT to MBR and UEFI to Legacy modes. Aside from that, the ransomware also reboots the infected computer.
Bad Rabbit ransomware spreads through a fake Adobe Flash player update. Once the fake update is executed, it drops the following files:
Once infpub.dat is also executed, it creates two more malicious files:
After that, the Bad Rabbit immediately scans all the drives in the infected computer. The ransomware aims to target certain files that may be important like images, videos, documents, archives and other files. According to security experts, it targets the following file types:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Eventually, after the encryption process, the ransomware schedules two tasks called drogon and viserion, which trigger programs that restart the affected computer and display the following message on system boot:
“Oops! Your files have been encrypted.
If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don’t waste your time. No one will be able to recover them without our decryption service.
We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.
Visit our web service at –
Your personal installation key#: –
If you have already got the password, please enter it below.
The onion web link leads to a web page that contains a deadline timer and the following message:
If you access this page your computer has been encrypted. Enter the appeared personal key in the field below. If succeed, you’ll be provided with a bitcoin account to transfer payment. The current price is on the right. Once we receive your payment you’ll get a password to decrypt your data. To verify your payment and check the given passwords enter your assigned bitcoin address or your personal key. Price for decryption 0.05 BTC”
How does Bad Rabbit ransomware spread?
Follow the thorough and detailed guide provided below to obliterate the Bad Rabbit ransomware from your system.
Step1. Check all the browser shortcuts on your desktop, taskbar and Start menu. Right-click on each browser shortcut and change its properties completely.
Step2. Go to Control Panel and to the list of installed programs and uninstall any unknown and suspicious-looking programs you can find that may be related to Bad Rabbit ransomware.
Step3. Close the Control Panel and tap Win + Ctrl + Shift on your keyboard to open the Task Manager.
Step4. Under the Task Manager, go to the Processes tab and look for any dubious processes such as follows:
Step5. Go to the directories in which these processes start and get rid of them as well. After that tap Win + R to launch Run and type in services.msc and tap Enter to open Services.
Step6. Disable any services with completely random names or which contain Bad Rabbit in their name or description, and then close Services.
Step7. Tap Win + E to open File Explorer and then navigate to the following directories:
Step8. Look for the following malicious files created by Bad Rabbit ransomware and delete all of them.
Step9. Close the File Explorer.
Before you go any further, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a significant impact on your computer. To save you the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step10. Tap Win + R to launch Run again, then type regedit and click OK or tap Enter to open the Registry Editor.
Step11. Navigate to the following paths and look for the registry keys and sub-keys created by Bad Rabbit ransomware:
- HKLM\SYSTEM\CurrentControlSet\services\cscc\Type 1
- HKLM\SYSTEM\CurrentControlSet\services\cscc\Start 0
- HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl 3
- HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath cscc.dat
- HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName Windows Client Side Caching DDriver
- HKLM\SYSTEM\CurrentControlSet\services\cscc\Group Filter
- HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService FltMgr
- HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64 1
Step12. Close the Registry Editor and empty your Recycle Bin.
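Before deleting anything, it helps to confirm which of the indicators described above (the cscc service values from Step 11, the drogon and viserion scheduled tasks, the infpub.dat and cscc.dat files, the .encrypted extension, and whether any shadow copies survive for the recovery step) are actually present on the host. The read-only triage script below is an added example, not part of the original guide; the Windows directory as the drop location and the Users folder as the sample path are assumptions, since the page does not state where the files land.

```powershell
# Added example (not from the original guide): read-only triage for the
# Bad Rabbit indicators named in the text. Run in an elevated PowerShell.
# It modifies nothing; it only reports what it finds.
$findings = @()

# 1. The cscc service registered by the ransomware (values listed in Step 11).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\cscc'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: ImagePath='$($svc.ImagePath)' DisplayName='$($svc.DisplayName)'"
    if ($svc.ImagePath -match 'cscc\.dat$') {
        $findings += 'ImagePath points at cscc.dat (matches the Bad Rabbit values above)'
    }
}

# 2. The two scheduled tasks (drogon, viserion) that force the reboot.
foreach ($name in 'drogon', 'viserion') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += "Scheduled task '$name' present, action: $action"
    }
}

# 3. Dropped files named in the text. ASSUMPTION: the page does not say where
# they are dropped, so the Windows directory is checked; widen as needed.
foreach ($f in 'infpub.dat', 'cscc.dat') {
    $p = Join-Path $env:SystemRoot $f
    if (Test-Path $p) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $findings += "File present: $p SHA256=$h"
    }
}

# 4. Shadow copies: if any survive, the Previous Versions route below still works.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
$findings += "Shadow copies on this host: $(@($shadows).Count)"

# 5. Sample of files carrying the .encrypted extension (ASSUMPTION: Users folder,
# capped at 50 hits so the scan stays quick on a large disk).
$enc = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Filter '*.encrypted' `
       -File -ErrorAction SilentlyContinue | Select-Object -First 50
$findings += "Files with .encrypted extension under Users (first 50): $(@($enc).Count)"

$findings | ForEach-Object { Write-Output $_ }
```

Record the output before removal so the hashes and task actions are preserved as evidence of what was on the machine.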
Try to recover your encrypted files using their Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Bad Rabbit hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that pops up, go to the Previous Versions tab, which lists the file’s versions from before it was modified. Once it loads, select one of the previous versions displayed in the list, like the one in the illustration below, and then click the Restore button.
To complete the removal of Bad Rabbit ransomware, make sure you follow the advanced steps below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option menu shows up.
- To navigate the Advanced Option, use the arrow keys, select Safe Mode with Networking, then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.