I wrote this article to help you remove Bad Rabbit Ransomware. This Bad Rabbit Ransomware removal guide works for all Windows versions.
Bad Rabbit ransomware has stood out from other recent win-lockers with its large scale attacks. The virus arrived on the scene on October 24, but researchers from Kaspersky Labs reported that its release had been in the plans since at least July. First targeting computers in Ukraine and Russia, Bad Rabbit ransomware broke into the systems of the Kiev metro, the Odessa airport, and various Russian media outlets. Since then, it has spread to Bulgaria, Turkey, Japan and Poland, and its purge continues. The developers of the win-locker have titled some of the processes with witty names referencing the Game of Thrones series. Like old school villains, today’s cyber criminals like to think they are funny.
In terms of technical characteristics, Bad Rabbit ransomware follows a certain infection pattern. The nefarious program is distributed via fake Adobe Flash Player updates. This is a clever scheme, as this particular program delivers updates on a frequent basis. By now, a lot of people have gotten used to receiving updates often and accept them without giving it too much thought. What’s more, the hackers mediate them through legitimate websites. This is not easy, as domain owners prioritize on security. Allowing their website to be penetrated would leave a bad mark on their reputation. This goes to show that the people behind Bad Rabbit ransomware possess broad knowledgeable in the field. Whenever you receive an update, do a checkup to confirm its reliability. Open your Task Manager to see if the program in question has an update alert process running.
The payload of Bad Rabbit ransomware is stored in a file called install_flash_player.exe. In order for the win-locker to be activated, the user has to run the setup wizard. If you are tricked into doing so, the malevolent program will be given the green light to start operating. Bad Rabbit ransomware performs the encryption with a combination of two ciphers, AES-256-CBC and RSA-2048. Every locked object has the .encrypted file extension appended to its name. After the win-locker has finished encrypting files, it drops a ransom note titled Readme.txt on the desktop. The final operation on the agenda of Bad Rabbit ransomware is to replace the Master Boot Record (MBR) after which it restarts the computer. When your machine is rebooted, you will find your files inaccessible and a message will be waiting for you to tell you what has happened.
The Bad Rabbit Ransomware
The ransom note explains the situation, telling the victim that his files have been encrypted and that he cannot restore them on his own. It also assures him that it is possible to restore them safely. In other words, the cyber criminals advise people to cooperate. In the Readme.txt file, you will find a personal installation key and a link to a Tor website. To access it, you will have to download the Tor browser. The site contains the details about the payment. It lists the ransom as 0.05 Bitcoins. This converts to approximately $300 USD. However, if you fail to pay on time, the price will go up. The time frame for completing the payment and the amount of the increase have yet to be reported.
In the Tor website, there is a field where you have to enter your personal key or your assigned Bitcoin address in order to proceed. The domain hides the geographic coordinates of the cyber criminals. The Bitcoin cryptocurrency contributes to making the money transfer safe. The platforms for trading this digital currency do not allow tracking, even by the people who own them. When you pay the ransom, you should receive a password for unlocking your files. Be advised that there are no guarantees when dealing with cyber criminals. They could collect the ransom money and cease all contact with you. It is best to keep your guard up, so that you would avoid getting infected in the first case. Just in case, you should store a backup of your files. This will enable you to recover any damaged files.
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Bad Rabbit Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose at least a month ago date from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point, at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Bad Rabbit Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs: