Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

BadRabbit Ransomware

BadRabbit Ransomware is a newly found ransomware-type computer malware that can infect your PC by stealth, encrypt your files and modify your computer’s Master Boot Record to prevent the operating system from loading. Its creators want you to pay a ransom to decrypt your files and unlock your PC. It is similar to Petya Ransomware, comes from either Russia or Ukraine, and targets specific institutions in these countries. If your PC has become infected with this malware, see the guide below on how you can remove it. To find out more about it, we invite you to read this whole article.

Upon infection, BadRabbit Ransomware modifies the MBR (Master Boot Record) so that the computer shows a ransom note instead of booting the operating system. The note says that your files have been encrypted and you need to visit a website set up by the cybercriminals to receive further instructions on how to pay the ransom. They want you to pay 0.05 BTC (~275 USD) to unlock your PC and decrypt your files, but we want to warn you that there is no guarantee that the malware developers will keep their word. Our research has revealed that this particular ransomware is used to attack computers of Russian and Ukrainian institutions. There have been cases when Kiev’s metro system and Odessa’s airport were attacked.

We have found that this ransomware is distributed with the help of redirecting websites. Particular websites can randomly redirect you when you click something on a site or open another site in a new pop-up window or new tab. Research has shown that this ransomware can redirect you to a fake Adobe Flash Player update. If you download the fake update package "install_flash_player.exe" and run it, then this ransomware will start doing its dirty work. After launching, it drops a file at "%WINDIR%\infpub.dat," and this file is executed using a "C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15" command. Consequently, this file creates two more files at %WINDIR%\cscc.dat and %WINDIR%\dispci.exe.

Our research has shown that “cscc.dat” is a legitimate file from Diskcryptor.net. It is a driver that allows users to encrypt their files for additional security. Unfortunately, BadRabbit Ransomware’s developers adapted it for their criminal agenda. This ransomware was configured to target many file types, and they include but are not limited to .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, and many others. The “dispci.exe” file is the main executable of this ransomware. It has a scheduled task named "Rhaegal" which was set to execute the "C:\Windows\dispci.exe" -id [id] && exit command, which runs “dispci.exe” on system startup.
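The launch command, dropped file names and scheduled task described above can be turned into a simple check over process-creation logs. The following is an added example, not part of the original article or any vendor tool: the function names and the sample command lines are constructed for illustration, and the "ordinal call into a non-DLL file" rule generalises beyond the single command the article quotes.

```python
import re

# File and task names come from the article; all other names are assumptions.
DROPPED_FILES = {"infpub.dat", "cscc.dat", "dispci.exe"}
TASK_NAME = "rhaegal"

# rundll32 loading a target and calling an export by ordinal, e.g. "infpub.dat, #1 15"
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<target>[^",]+?)"?\s*,\s*#\d+', re.I)


def classify(cmdline):
    """Return a sorted list of reasons a command line matches the described behaviour."""
    reasons = set()
    lowered = cmdline.lower()
    m = RUNDLL_RE.search(cmdline)
    if m:
        name = m.group("target").strip().lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if name in DROPPED_FILES:
            reasons.add("rundll32 loads a file name from the article")
        elif not name.endswith((".dll", ".cpl")):
            # Generalisation: ordinal export call into a file that is not a .dll/.cpl
            reasons.add("rundll32 ordinal call into non-DLL file")
    if re.search(r'\\dispci\.exe"?\s+-id\b', lowered):
        reasons.add("dispci.exe started with -id")
    if "schtasks" in lowered and TASK_NAME in lowered:
        reasons.add("scheduled task 'Rhaegal' referenced")
    return sorted(reasons)


# Constructed sample command lines (not captured from a real host).
SAMPLE_EVENTS = [
    r'C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15',
    r'"C:\Windows\dispci.exe" -id 1234567890 && exit',
    r'schtasks /Create /SC ONSTART /TN Rhaegal /TR "C:\Windows\dispci.exe -id 42"',
    r'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe C:\Users\Public\report.tmp,#2',
]


def scan(events):
    """Map each flagged command line to its reasons; clean lines are omitted."""
    return {e: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{event}\n    -> {'; '.join(reasons)}")
```

The legitimate Control Panel call through shell32.dll is not flagged, because it names an export rather than an ordinal in a non-DLL file.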

This ransomware was set to use an AES-128 encryption algorithm to encrypt your files and an RSA-2048 algorithm to encrypt the AES encryption key. The decryption key is not stored locally as it is sent to this ransomware’s server. If the encryption is successful, BadRabbit Ransomware will scan your network for vulnerable computers that can be infected using an SMB (Server Message Block) exploit.

We hope that you found this article insightful and are ready to remove BadRabbit Ransomware using our guide or an anti-malware tool such as SpyHunter. However, before you do that, you have to repair the MBR (Master Boot Record). We have also included a guide that will help you repair the MBR.

Fix the Master Boot Record (MBR)

Windows XP

  1. Insert the CD of Windows XP in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Press the R key to open the Recovery Console.
  4. Type 1 and press Enter if Windows XP is your only OS.
  5. Enter your administrator password and hit Enter.
  6. Press the Y key and then hit Enter.
  7. Eject the CD from the CD/DVD-ROM.
  8. Type Exit and then press Enter to restart your PC.

Windows Vista

  1. Insert the CD of Windows Vista in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Select the language and keyboard layout.
  4. Click Repair your computer.
  5. Select the operating system.
  6. Click Next.
  7. Open Command Prompt.
  8. Type the following commands.
    • bootrec /FixMbr
    • bootrec /FixBoot
    • bootrec /RebuildBcd
  9. Press Enter after you enter each of the commands.
  10. Remove your CD and type exit.
  11. Press Enter.

Windows 7

  1. Insert the DVD of Windows 7 in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Select your language and keyboard layout.
  4. Click Next.
  5. Select the OS.
  6. Click Next.
  7. Click Command Prompt to open it.
    • Type bootrec /rebuildbcd. Press Enter.
    • Type bootrec /fixmbr. Press Enter.
    • Type bootrec /fixboot. Press Enter.
  8. Remove the DVD and restart your computer.

Windows 8/8.1/10

  1. Insert the DVD of Windows 7 in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Click Repair your computer at the Welcome screen.
  4. Click Troubleshoot and open Command Prompt.
    • Type bootrec /FixMbr and hit Enter.
    • Type bootrec /FixBoot and hit Enter.
    • Type bootrec /ScanOs and hit Enter.
    • Type bootrec /RebuildBcd and hit Enter.
  5. Remove the DVD from the CD/DVD-ROM.
  6. Type Exit and then press Enter.
  7. Reboot your computer.

How to remove BadRabbit Ransomware

  1. Hold down Windows+E keys.
  2. In the File Explorer’s address box, enter %WINDIR%
  3. Hit Enter.
  4. Find infpub.dat, cscc.dat, and dispci.exe
  5. Right-click them and click Delete.
  6. Right-click the Recycle Bin icon and click Empty Recycle Bin.