‎10-28-2017 10:56 PM - last edited on ‎07-04-2023 05:24 PM by ErikT
What is BadRabbit?
BadRabbit is ransomware based on Petya/NotPetya, typically spread through fake Adobe Flash updates. Once the fake installer is executed with UAC permissions, it encrypts data on the PC, demands payment of 0.5 Bitcoin and then attempts to spread through the local network by brute-forcing NTLM passwords. You can read an analysis of BadRabbit's code here: https://securelist.com/bad-rabbit-ransomware/82851/
What does this installer do?
This installer is a simple batch script which creates two empty files with read-only permissions in the C:\Windows directory that the BadRabbit ransomware would normally create:
"C:\Windows\infpub.dat" - used by BadRabbit to encrypt files and brute-force NTLM passwords on other networked PCs.
"C:\Windows\cscc.dat" - a DiskCryptor driver, which attempts to encrypt entire partitions.
By creating empty, non-writable files beforehand, this effectively prevents BadRabbit from successfully executing its payload and child processes. It should work on PCs running Windows XP and up.
Note on Step 1
Step 1 of the installer script checks to see if the files already exist. If this first step fails, it's possible your computer may already be infected. Immediately shut the computer down, and use an offline antivirus tool, or restore your computer from backup to prevent data loss. BadRabbit does not appear to delete Shadow Copies, so it may be possible to restore files using the built-in Windows tools ("Previous Versions" in file properties, or System Restore) once BadRabbit has been removed from the system.
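The following batch script is an added example of the two steps described above (the existence check, then creating the empty read-only files); it is not the installer script attached to this post. It assumes it is run from an elevated (Administrator) command prompt, and it uses cscc.dat as the DiskCryptor driver file name, which comes from the linked Kaspersky analysis rather than from this post.

```batch
@echo off
REM BadRabbit "vaccine" (added example). Run from an elevated prompt.
setlocal

REM Step 1: if either file is already present, the PC may already be
REM infected - stop here rather than touching the existing files.
for %%F in ("%SystemRoot%\infpub.dat" "%SystemRoot%\cscc.dat") do (
    if exist "%%~F" (
        echo [!] %%~F already exists - possible existing infection. Aborting.
        exit /b 1
    )
)

REM Step 2: create empty placeholder files, mark them read-only, and add a
REM deny ACE so that write and delete are refused even for elevated callers.
for %%F in ("%SystemRoot%\infpub.dat" "%SystemRoot%\cscc.dat") do (
    type nul > "%%~F" || (
        echo [!] Could not create %%~F - run this script as Administrator.
        exit /b 1
    )
    attrib +R "%%~F"
    icacls "%%~F" /deny Everyone:(W,D) >nul
)

echo [+] Vaccine files created in %SystemRoot%.
exit /b 0
```

To undo the vaccine later, remove the deny entry with `icacls <file> /remove:d Everyone` and clear the read-only attribute with `attrib -R` before deleting the files.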