Infected with Bad Rabbit Ransomware? Need to decrypt your files?

What is Bad Rabbit Ransomware

Bad Rabbit is new wide-spread ransomware, that uses RSA-2048 and AES cryptography. It doesn’t append any extensions and creates Readme.txt file with instructions to pay the ransom. It mostly targets enterprises in Eastern Europe. Security experts claim, that Bad Rabbit is related to previously distributed Petya и NotPetya viruses. Currently, several governmental institutions and banks were attacked by this virus in Russia, Ukraine, Turkey, Germany. Hackers demand ransom of 0.05 BTC (BitCoins), which is ~280$ and threaten to increase this amount if not paid within certain time gap. We strongly recommend not to send money, as in most cases malefactors do not send keys. Currently, there are NO decryptors released to decrypt files encrypted by Bad Rabbit. However, in this articles we describe complete process to remove Bad Rabbit ransomware, immune your PC and decrypt your files in various operating systems.

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

bad rabbit virus block screen
bad rabbit ransomware payment page

How Bad Rabbit Ransomware infected your PC

Bad Rabbit Ransomware mostly distributes as Flash Player update and can be downloaded as file: install_flash_player.exe. After this virus unpacks several files (C:\Windows\dispci.exe, C:\windows\infpub.dat, C:\Windows\cscc.dat) in system folder. Process (dispci.exe) and driver files (infpub.dat, cscc.dat) are used to modify Master Boot Record (MBR). After this Bad Rabbit initiates system reboot and starts encryption process. Antiviruses have a small chance to catch Bad Rabbit Ransomware virus as it is constantly modified. The only way to protect your computer from such threats is use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.

What to do if you are infected with Bad Rabbit Ransomware virus?

First of all don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer, before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Bad Rabbit Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to Bad Rabbit Ransomware – files, folders, registry keys.

 

Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of Bad Rabbit Ransomware:

Remove following registry entries:

no information

Remove following files:

Ykcol.html
Ykcol_[4_random_characters].html
Ykcol.bmp

How to decrypt files infected by Bad Rabbit Ransomware (your files)?

Use automated decryption tools

1. Ykcol decryption tool from Kaspersky

kaspersky rakhni decryptor for .Bad Rabbit Ransomware

There is ransomware decryptor from Kaspersky that can decrypt your files. It is free and may help you restore your files encrypted by Vegclass Ransomware virus. Download it here:

Download Kaspersky RakhniDecryptor

1. Ykcol decryption tool from Trend Micro

trendmicro Bad Rabbit Ransomware decryptor

There is ransomware decryptor from Trend Micro that may decrypt your files. It is free and may help you restore files encrypted by Bad Rabbit Ransomware. Download it here:

Download Trend Micro Ransomware File Decryptor

There is currently no other automated decryption tool for Bad Rabbit Ransomware files, but that doesn’t mean that you need to pay the ransom. We track the topic and will add any new decryption tool available in this part of the article. Now you can try to use manual methods to restore and decrypt your files.

Decrypt your files manually

Restore the system using System Restore

system restore

Although, latest versions of Bad Rabbit Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – encrypted by Bad Rabbit Ransomware). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows

Restore your files using shadow copies

shadow explorer gui

  1. Download and run Shadow Explorer.
  2. Select the drive and folder where your files are located and date that you want to restore them from.
  3. Right-click on folder you want to restore and select Export.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your computer from ransomware

hitmanpro alert with cryptoguard

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Information provided by: Alexey Abalmasov

Leave a Reply

Your email address will not be published. Required fields are marked *