Bad Rabbit virus - How to remove

Bad Rabbit ransomware virus is not joking around and a massive global outbreak was detected on 24th of October, 2017. The situation strongly resembles crises of WannaCry and NotPetya infections. Bad Rabbit is not entirely a ransomware threat as it is considered to have traits of new-and-improved version of Petya. As you might already know, NotPetya was determined to be a disk coder or a viper in other words. Bad Rabbit malware arrives in operating systems as a install_flash_player.exe file. I also drops infpub.dat, rundll32.exe files into C disk.

Main symptoms of Bad Rabbit ransomware, references to Game of Thrones and AES file-encryption

Ransomware has managed to slither into computers, belonging to users from Eastern Europe. This, once again, includes Ukraine, together with regions of Russia, Bulgaria, Poland, United States, South Korea and Turkey. Organization and business enterprises have to focus on cyber security at this moment because the massive attack of Bad Rabbit virus could begin spreading even more intensively. Ukrainian Ministry of Infrastructure, subway system and Odessa airport have become victims of this infection. Some companies from Russia have also reported a very critical situations of their services due to Bad Rabbit malware (New ransomware attack hits Russia and spreads around globe).

Bad Rabbit threat not only opts to act as a disk coder, but also encrypts files on victims’ devices. It appears that AES algorithm is selected for this file-encoding process. To make it more complicated, the generated decryption key is further encoded with RSA-2048 cipher which is a popular strategy for ransomware infections (Bad Rabbit Ransomware Strikes Russia and Ukraine).

You might be surprised that the infection does not append an original extension to the damaged executables. Instead, it will add a file marker string “encrypted” to end of every damaged file. Another very important aspect of this ransomware is that it will be able to obtain capability to connect to remote network share. This means that the infection could be transmitted from one device to another. Originally, the outbreak is expected to have occurred from a Russian website  argumentiru.com. If you remember, in case of NotPetya, the infection was transmitted from M.E.Doc servers. 

Bad Rabbit crypto-virus is believed to have been generated by obsessed fans of Game of Thrones show. During technical information of the ransomware, researchers found references to the popular TV series, for instance, a trio of scheduled tasks are named after the famous dragons of Viserion, Rhaegal and Drogon.

Bad Rabbit virus is delivered through a method of drive-by download, more specifically, fake Adobe Flash Player updates. Some frequently visited domains around the Web had been hacked so the cybercriminals would be able to inject malicious JavaScripts into their HTML body or in their .js file (Bad Rabbit: Not-Petya is back with improved ransomware). Therefore, once user visits a compromised domain, he or she will be offered to install a Flash Player update. After visitor agrees to set up the update, a file from Ldnscontrol.com turns out to actually be a Win32/FileCoder.D.

Bad Rabbit disk coder also steals victims’ data by attempting to act as a spyware. Once it set ups everything it needs, together with the modifications to Master Boot Record (MBR), victims’ computers will be prevented from fully launching. People will be introduced to the same note which was present during the NotPetya attack. However, it is debatable whether the same people are behind Bad Rabbit malware. While they do carry similarities, there are also many differences, and only 13% of the NotPetya codes are reused.

This newly detected Bad Rabbit malware nightmare also requires users to enter a website via TOR. Caforssztxqzf2nm.onion domain will present a text message, insisting that victims would enter their personal key in the box below. Then, if the key is recognized, victims are introduced with more detailed explanations about the way ransom needs to be sent. 0.05 BTC is indicated to be the demanded ransom, which is approximately 274.87 USD. However, this sum is not the final ransom: after 40hours of victims’ refusals to pay, the fee will go up. Nonetheless, we encourage you NOT to pay!

Distribution techniques that Bad Rabbit virus exploits

We have already indicated that the infection spreads via fake Adobe Flash Player updates. They are presented via legitimate websites that have been compromised by malicious JavaScripts. If a random domain encourages you to install an update, please refuse this proposition as you might become a victim of such a frightening infection as Bad Rabbit ransomware. Also, it is possible that virus will start to spread from one computer to another.

Is it possible to recover the files that Bad Rabbit crypto-malware damaged?

It is too early to speak of possible decryption tools for the ruined digital data. First of all, researchers have to commence thorough analysis and find out whether this is a possibility or not. Take our advice and backup all of your files that you would regret losing. If you have your files in multiple locations, ransomware should not be a problem.

As for the removal, people have to careful. Even though the attacker’s server is no longer live, the infection might go for another round of distribution. Remember, to keep yourself safe you have to have a reliable anti-malware installed into your operating system. This includes such software applications like Spyhunter.

Vaccine has been found!

Amit Serper has announced a vaccine for this terrorizing cyber virus. Follow these steps to be secured from Bad Rabbit ransomware virus:

1. Create infpub.dat and cscc.dat files in C:\Windows.
2. Then, remove all permissions (inheritance).
3. You should be secured from this infection.

Update of 27th of October: On this day, security researchers determined that Bad Rabbit infection used a modified version of NSA exploit to speed up its distribution. Due to differences from the original exploit, security researchers were not able to find it at first.

Update of the 30th of October: Researchers from Kaspersky made a joyous discovery: mistakes in the operation of Bad Rabbit ransomware (Decryption opportunity assessment). Thanks to this turn of events, some of the victims might be ablate decrypt their data. One of the shocking sloppy mistakes is the fact that Bad Rabbit virus does not initiate a command to delete all Shadow Volume Copies. This is rather unexpected as even basic, HiddenTear samples, are able to do this command. However, good news for victims: they might be able to recover at least some part of their encrypted digital data.

In addition to this, researchers from Kaspersky also figured out that a mistake in the code of dispci.exe: the ransomware doesn’t get rid of the generated password from memory. However, security researchers debate whether this will work for actual victims of the Bad Rabbit virus.

How to recover Bad Rabbit virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Bad Rabbit virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Bad Rabbit virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Bad Rabbit virus. You can check other tools here.  

Step 3. Restore Bad Rabbit virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Bad Rabbit virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Bad Rabbit virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.