mgiljum
Engaged Sweeper III

What is BadRabbit?

BadRabbit is ransomware based on Petya/NotPetya, typically spread through fake Adobe Flash updates. Once the fake installer is executed with UAC permissions, it encrypts data on the PC, demands payment of 0.5 Bitcoin and then attempts spreading through the local network by bruteforcing NTLM passwords. You can read an analysis of BadRabbit's code here: https://securelist.com/bad-rabbit-ransomware/82851/

What does this installer do?

This installer is a simple batch script which creates two empty files with read-only permissions in the C:\Windows directory that the BadRabbit ransomware would normally create:

"C:\Windows\infpub.dat" - used by BadRabbit to encrypt files and bruteforce NTLM passwords on other networked PCs.
"C:\Windows\infpub.dat" - a DiskCryptor driver, which attempts encrypting entire partitions

By creating empty, non-writable files beforehand, this effectively prevents BadRabbit from successfully executing its payload and child processes. It should work on PCs running Windows XP and up.

Note on Step 1

Step 1 of the installer script checks to see if the files already exist. If this first step fails, it's possible your computer may already be infected. Immediately shut the computer down, and use an offline antivirus tool, or restore your computer from backup to prevent data loss. BadRabbit does not appear to delete Shadow Copies, so it may be possible to restore files using the built-in Windows tools ("Previous Versions" in file properties, or System Restore) once BadRabbit has been removed from the system.
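The batch script described in this post, written out here as an added example rather than mgiljum's own installer: it performs the existence check of Step 1 (refusing to continue if a file is already present and non-empty, which a decoy created by an earlier run would not be), creates the empty files, marks them read-only and verifies the result. Only infpub.dat is named in the post; the DiskCryptor driver file is listed above under the same name, so its name is left as a labelled placeholder to fill in from the linked analysis.

```batch
@echo off
setlocal EnableExtensions

REM Added example, not the original poster's installer.
REM Creates empty, read-only decoy files in %WINDIR% so BadRabbit cannot write
REM its own copies there. Run from an elevated (Administrator) command prompt.
REM Only infpub.dat is named in the post; the DiskCryptor driver file name is a
REM placeholder to be filled in from the linked securelist analysis.
set "DECOYS=infpub.dat DISKCRYPTOR_DRIVER_NAME_PLACEHOLDER.dat"

REM Step 1: if a decoy already exists and is not empty, it was not created by
REM this script. Stop and treat the machine as possibly infected.
for %%F in (%DECOYS%) do (
    if exist "%WINDIR%\%%F" (
        for %%S in ("%WINDIR%\%%F") do if not "%%~zS"=="0" (
            echo [!] %WINDIR%\%%F already exists and is %%~zS bytes - possible infection.
            echo     Shut the machine down and investigate offline before continuing.
            exit /b 2
        )
        echo [i] %WINDIR%\%%F already exists and is empty - decoy already in place.
    )
)

REM Step 2: create each missing decoy as a zero-byte file and make it read-only.
for %%F in (%DECOYS%) do (
    if not exist "%WINDIR%\%%F" (
        copy /y nul "%WINDIR%\%%F" >nul || (
            echo [!] Could not create %WINDIR%\%%F - run this script as Administrator.
            exit /b 1
        )
    )
    attrib +R "%WINDIR%\%%F"
)

REM Step 3: verify. Each decoy must exist, be 0 bytes and carry the R attribute
REM (the attribute string printed by %%~aS contains an 'R' when it is read-only).
for %%F in (%DECOYS%) do (
    for %%S in ("%WINDIR%\%%F") do (
        if "%%~aS"=="" (
            echo [!] %WINDIR%\%%F is missing after creation.
            exit /b 1
        )
        echo [ok] %%~fS size=%%~zS attrs=%%~aS
    )
)
endlocal
exit /b 0
```

The exit codes (2 for "file already present and non-empty", 1 for a creation failure, 0 for success) make the script usable from a deployment tool, which can flag machines that returned 2 for follow-up rather than silently reporting them as vaccinated.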

Esben_D
Lansweeper Employee
Thanks mgiljum!
