- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
BadRabbit Ransomware is a newly found ransomware-type computer malware that can infect your PC by stealth, encrypt your files and modify your computer's Master Boot Record (MBR) so that the operating system no longer loads. Its creators want you to pay a ransom to decrypt your files and unlock your PC. It is similar to Petya Ransomware, comes from either Russia or Ukraine, and targets specific institutions in these countries. If your PC has become infected with this malware, see the link below on how you can remove it. To find out more about it, we invite you to read this whole article.
Upon infection, BadRabbit Ransomware modifies the MBR (Master Boot Record) so that, instead of booting the operating system, the PC shows a ransom note. The note says that your files have been encrypted and that you need to visit a website set up by the cybercriminals to receive further instructions on how to pay the ransom. They want you to pay 0.05 BTC (~275 USD) to unlock your PC and decrypt your files, but we want to warn you that there is no guarantee that the malware developers will keep their word. Our research has revealed that this particular ransomware is used to attack computers of Russian and Ukrainian institutions. There have been cases when Kiev's metro system and Odessa's airport were attacked.
We have found that this ransomware is distributed with the help of redirecting websites. Particular websites can randomly redirect you when you click something on a site or open another site in a new pop-up window or new tab. Research has shown that this ransomware can redirect you to a fake Adobe Flash Player update. If you download the fake update package "install_flash_player.exe" and run it, this ransomware will start doing its dirty work. After launching, it drops a file at "%WINDIR%\infpub.dat", and this file is executed using the command "C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15". This file then creates two more files, %WINDIR%\cscc.dat and %WINDIR%\dispci.exe.
Our research has shown that "cscc.dat" is a legitimate file from Diskcryptor.net. It is a driver that allows users to encrypt their files for additional security. Unfortunately, BadRabbit Ransomware's developers adapted it for their criminal agenda. This ransomware was configured to encrypt many file types, which include but are not limited to .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, and many others. The "dispci.exe" file is the main executable of this ransomware. It is started by a scheduled task named "Rhaegal", which was set to execute the command "C:\Windows\dispci.exe" -id [id] && exit, so that "dispci.exe" runs on system startup.
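The two paragraphs above describe an execution chain that leaves recognisable traces in host telemetry: rundll32.exe loading a module that is not a DLL ("infpub.dat") by ordinal ("#1") from the Windows directory, a scheduled task with a fixed name ("Rhaegal"), and that task launching "dispci.exe". The following triage script is an added example, not code from the article or from any security product; it runs a few simple rules over constructed process-creation and scheduled-task events. The event layout, field names and sample values are assumptions made for this example, and only the file names and task name come from the article.

```python
"""Toy host-log triage for the BadRabbit execution chain described in the article.

Added example. The event format (a dict with type/image/cmdline/parent or
type/task_name/action) is an assumption for this example, not a real product schema.
"""
import ntpath
import re

# Indicators taken from the article: dropped loader, driver and main executable names.
KNOWN_ARTIFACTS = {"infpub.dat", "cscc.dat", "dispci.exe"}
KNOWN_TASK_NAMES = {"rhaegal"}
# Extensions rundll32 is normally asked to load; anything else (e.g. .dat) deserves a look.
NORMAL_RUNDLL_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Matches "rundll32[.exe] <module>,<entry>" and captures module path and entry point.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.IGNORECASE)

# Constructed sample events (not real telemetry). Event 0, 2 and 4 mirror the article's
# chain; events 1 and 3 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15",
     "parent": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    {"type": "process", "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "task", "task_name": "Rhaegal",
     "action": r'"C:\Windows\dispci.exe" -id 1234 && exit'},
    {"type": "task", "task_name": "Backup",
     "action": r"C:\Tools\backup.exe --nightly"},
    {"type": "process", "image": r"C:\Windows\dispci.exe",
     "cmdline": r'"C:\Windows\dispci.exe" -id 1234 && exit',
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) for a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).strip(), m.group(2)


def triage_event(event):
    """Return the list of rule names that fire on a single event (empty if none)."""
    hits = []
    if event["type"] == "process":
        image_name = ntpath.basename(event["image"]).lower()
        if image_name in KNOWN_ARTIFACTS:
            hits.append("known_artifact_executed")
        parsed = parse_rundll32(event["cmdline"])
        if parsed:
            module, entry = parsed
            ext = ntpath.splitext(module)[1].lower()
            if ext not in NORMAL_RUNDLL_EXT:
                hits.append("rundll32_nonstandard_module")
            # Ordinal export call ("#1") combined with a known dropped file name.
            if entry.startswith("#") and ntpath.basename(module).lower() in KNOWN_ARTIFACTS:
                hits.append("rundll32_known_loader_by_ordinal")
    elif event["type"] == "task":
        if event["task_name"].lower() in KNOWN_TASK_NAMES:
            hits.append("known_task_name")
        action = event["action"].lower()
        if any(name in action for name in KNOWN_ARTIFACTS):
            hits.append("task_runs_known_artifact")
    return hits


def triage(events):
    """Map event index -> fired rules, for every event that fires at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = triage_event(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The "rundll32 loading a non-DLL module" rule is the most general of the three: it does not depend on the file name and would also surface other loaders that hide a DLL behind a .dat extension. The name-based rules are cheap and precise for this family but will miss a renamed sample, so in practice they belong alongside, not instead of, the behavioural one.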
This ransomware was set to use the AES-128 encryption algorithm to encrypt your files and RSA-2048 to encrypt the AES encryption key. The decryption key is not stored locally; it is sent to this ransomware's server. If the encryption is successful, BadRabbit Ransomware will scan your network for vulnerable computers that can be infected using an SMB (Server Message Block) exploit.
We hope that you found this article insightful and are ready to remove BadRabbit Ransomware using our guide or an anti-malware tool such as SpyHunter. However, before you do that, you have to repair the MBR (Master Boot Record). We have also included a guide that will help you repair the MBR.
Fix the Master Boot Record (MBR)
How to remove BadRabbit Ransomware