What is BadRabbit Ransomware?
According to cybersecurity experts, BadRabbit Ransomware is a malicious application very similar to Petya Ransomware that was wreaking havoc nearly a year ago. However, BadRabbit Ransomware is much more sophisticated and, in a typical ransomware fashion, it was designed to encrypt your files and demand that you pay money to decrypt them. This new ransomware is distributed in Eastern European countries mostly, but you can get it wherever you are, potentially. If your PC were to become infected with this malware, you have to remove it if you want to use your computer as normal.
Where does BadRabbit Ransomware come from?
BadRabbit Ransomware might have originated in Russia or Ukraine, but there is no concrete evidence. We believe it might have originated from one of these two countries because it targets various institutions in both of them. It has been reported that Kiev’s subway and Airport in Odessa have been attacked by this ransomware.
Our cybersecurity experts say that BadRabbit Ransomware is distributed by redirecting would-be victims from legitimate websites to sites offering fake Flash updates that claims that a user’s Adobe Flash player is in need of an update. If the user downloads the fake Update package and launches FlashUtil.exe, then a file named infpub.dat will be dropped in %WINDIR% and executed using a command "C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15." As a result of executing this command, a two more files are dropped in %WINDIR%\cscc.dat and %WINDIR%\dispci.exe.
What does BadRabbit Ransomware do?
According to our malware analysts, Cscc.dat is a legitimate file from Diskcryptor.net. Specifically, Cscc.dat is a driver that allows users to encrypt their files at will for security purposes. However, malware developers managed to adapt this encryption tool for their malicious purposes. The second file, dispci.exe, is the main malicious executable. This ransomware creates a scheduled task in Task Scheduler named "Rhaegal" that launches dispci.exe using the command "C:\Windows\dispci.exe" -id [id] && exit." Researchers say that both of these files are used to encrypt your files and modify the MBR (Master Boot Record.)
This ransomware was set to encrypt your files with an Advanced Encryption Standard (AES- 128), and the AES key is encrypted with an RSA encryption algorithm, so the encryption is quite strong. The modifications made to the MBR prevent the operating system from booting up entirely. Instead, it presents you with its ransom note. The note says that you need to visit caforssztxqzf2nm.onion using the Tor network to get further instructions on how to pay the ransom. Researchers have found that its creators want you to pay 0.05 BTC (~275 USD) to get your files back and unlock your PC. However, there is no guarantee that they will keep their word. The list of encrypted files is quite long. The list includes file types such as .3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak and .bmp, among others. The only way to delete BadRabbit Ransomware is to repair the MBR, but if you repair it, then you will not be able to decrypt your files.
How do I remove BadRabbit Ransomware?
To repair the MBR, you need your Windows installation DVD or image to boot into System Recovery Options. Again, if you try to repair the MBR, then you will not be able to decrypt your files, but it is necessary if you want to use your PC again. See the guide below on how to repair the MBR and remove BadRabbit Ransomware from your computer.
How to repair the Master Boot Record (MBR)
Windows 8/8.1 and 10
- Insert your disc of Windows 8/8.1 in to the CD/DVD ROM Drive.
- Boot from the Windows 8/8.1 DVD.
- At the Press any key to boot from CD/DVD…, press any key to boot up the DVD.
- At the Welcome screen, click Repair your computer.
- Select Troubleshoot and choose Command Prompt.
- In the Command Prompt, type the following commands (press Enterafter each command.
- bootrec /rebuildbcd
- bootrec /fixmbr
- bootrec /fixboot
- Wait for the process to finish (a confirmation message will tell you if the repair was successful.)
- Eject the Windows 8.8.1 DVD.
- Type Exit and press Enter to restart your PC.
Windows 7
- Insert your disc of Windows 7 in to the CD/DVD ROM Drive.
- Boot from the Windows 7 DVD.
- At the Press any key to boot from CD/DVD…, press any key to boot up the DVD.
- Select the language and keyboard layout and click Next.
- Select the operating system and click Next.
- Check the Use the recovery tools that can help fix problems starting Windows.
- At the System Recovery Options screen, click Command Prompt.
- In the Command Prompt, type the following commands (press Enterafter each command.)
- bootrec /rebuildbcd
- bootrec /fixmbr
- bootrec /fixboot
- Wait for the process to finish (a confirmation message will tell you if the repair was successful.)
- Eject the Windows 7 DVD.
- Type Exit and press Enter to restart your PC.
Windows Vista
- Insert your disc of Windows Vista in to the CD/DVD ROM Drive.
- Boot from the Windows Vista DVD.
- At the Press any key to boot from CD/DVD…, press any key to boot up the DVD.
- At the Welcome screen, click Repair your computer.
- Select the operating system and click Next.
- In the System Recovery Options window, click Command Prompt.
- In the Command Prompt, type the following commands (press Enterafter each command.)
- bootrec /fixmbr
- bootrec /fixboot
- bootrec /rebuildbcd
- Wait for the process to finish (a confirmation message will tell you if the repair was successful.)
- Eject the Windows Vista DVD.
- Type Exit and press Enter to restart your PC.
Windows XP
- Insert your disc of Windows XP in to the CD/DVD ROM Drive.
- Boot from the Windows XP CD.
- At the Press any key to boot from CD…, press any key to boot up the CD.
- In the Welcome to Setup screen, press R to open Recovery Console.
- At the Which Windows installation would you like to log onto, type 1 and press Enter.
- At the Type the Administrator password, enter the password and press Enter.
- Type fixmbr and if the Are you sure you want to write a new MBR question appears press Y and press Enter.
- Press Enter again.
- Wait of the process to finish. The fixmbr utility will repair the damage to the MBR.
- Eject the Windows XP CD.
- Type Exit and press Enter to restart your PC.
How to delete BadRabbit Ransomware
- Press Windows+E keys.
- In the File Explorer’s address box, enter %WINDIR%
- Press Enter.
- Locate infpub.dat, cscc.dat, and dispci.exe
- Right-click them and click Delete.
- Right-click the Recycle Bin icon and click Empty Recycle Bin.
tested removal of BadRabbit Ransomware* 100% FREE spyware scan and
Stop these BadRabbit Ransomware Processes:
dispci.exe
0 Comments.