I wrote this article to help you remove Bad Rabbit Ransomware (WINDOWS\INFPUB.DAT). This Bad Rabbit Ransomware (WINDOWS\INFPUB.DAT) removal guide works for all Windows versions.
Bad Rabbit is one of the newest additions to the already huge ransomware family. You have probably heard about this new piece of a virus as it is responsible for numerous infections in Germany, Turkey, Bulgaria, Ukraine, and Russia. Unfortunately, though, you are reading this removal guide article which probably means that you have fallen victim to Bad Rabbit. Of course, you may be reading just out of curiosity. If this is the case, you can consider yourself very, very lucky. Bad Rabbit is dreaded. It is an extremely hazardous infection and if you are currently infected, you are in for tons of issues.
The main module of the infection is the WINDOWS\INFPUB.DAT file. If you find this file in your system, be sure that Bad Rabbit is on board. WINDOWS\INFPUB.DAT is located in your C:\Windows directory, it is run by the rundll32.exe and used to scan devices connected to your Local Network. This feature of the threat is still a work in progress but it will probably be used in its future version. This is a relatively new virus but it is still extremely dangerous, so do not underestimate it. Let`s get into more details.
Once the ransomware enters your machine, it drops the INFPUB.DAT files as well as the main DLL and two malicious apps. Combined, these four elements encrypt your files. Bad Rabbit makes a full scan of your Hard Drive Disk in search mainly for files, you have created yourself. These include your pictures, videos, MS Office files, databases, music, documents, etc. They all get encrypted with a strong encryptions algorithm and you do not have access to any of them anymore. Once the encryption is over, the ransomware drops a note for you. It is called the ransom note and it states that the only way of getting your files back is by purchasing a special key.
The crooks demand 0.05 Bitcoins which equals to around $300 USD. They claim that once you pay, they will send you the decryptor and you will be able to unlock your data. This might be true, yet we strongly suggest that you do not pay. Here is why. First of all, you are dealing with crooks and crooks can never be trusted. They tend to ignore their victims once the ransom is paid. You may receive no decryptor at all. Second, what if the key they give you works only partially or not at all? Then what? You lost your money and didn’t get your files back. Third, even if they give you the key and it works fine, you still have a problem.
The decryptor only removes the encryption, not the infection. Bad Rabbit will remain on your machine ready to strike again any times it decides. Do you now see why paying these people is not an option? You can never win. In order to safely retrieve your data, you have to remove the ransomware first. Then, if you have backups saved on an external device, you can use to recover everything. Whatever you do, do not give these cybercriminals even a cent of your money and do not sponsor their “business”.
How did you end up stuck with Bad Rabbit? Well, the ransomware relies on your carelessness. How does the scheme work? Somehow, you end up on your page, stating that your Flash is not updated and that if you want to see the content of this page, you have to update it now. Conveniently, there is a link provided which you click on and the install_flash_player.exe file gets downloaded on your PC. Then, if you execute it, that’s it.
You execute Bad Rabbit and gave the virus admit privileges. The rest we already explained. This is what we meant by “the virus relies on your carelessness”. Why would you click on a random link to update a program? Use reliable sources only. Don’t give you naivety and haste. It never ends well for you. Do not forget that and do not repeat the same mistake in the future. The only way to protect your PC from infections is always to keep your guard up.
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Bad Rabbit Ransomware (WINDOWS\INFPUB.DAT) deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose at least a month ago date from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point, at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Bad Rabbit Ransomware (WINDOWS\INFPUB.DAT) first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs: