BadRabbit Ransomware Removal Guide

Do you know what BadRabbit Ransomware is?

BadRabbit Ransomware is one of the nastiest ransomware infections ever detected by our malware researchers because it not only encrypts the files it finds on victims’ computers, as other ransomware-type infections do, but also modifies the Windows Master Boot Record (MBR) in order to display its ransom note. Specialists say that this infection does not differ much from Petya Ransomware, so they are not surprised at all that it acts the way it does. According to them, this ransomware infection targets not only individual users but might also cause problems for companies and institutions. For example, Ukraine’s Kiev Subway and Odessa’s Airport have already become victims of this ransomware infection. Researchers suspect that it searches for victims primarily in Eastern European countries, but, of course, we cannot promise that you will not discover it on your computer if you live somewhere else. If you are reading this article because BadRabbit Ransomware has already infiltrated your computer, you need to hurry to delete this infection from your system fully, because its main malicious executable is registered as a Scheduled Task and, consequently, starts working again at every system startup. In other words, rebooting the computer is not enough to disable this malicious application.

We should first of all talk about the distribution of BadRabbit Ransomware. Specialists say that computer users contribute to the entrance of this malicious application to a great extent by downloading fake Adobe Flash updates. Usually, they are redirected from news websites straight to pages claiming that they need to install an update. If they click the Download button, they download install_flash_player.exe. Once this fake update package is launched, the file %WINDIR%\infpub.dat is dropped onto the computer and executed using the command C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15. Then, two more files (%WINDIR%\cscc.dat and %WINDIR%\dispci.exe) are created. Cscc.dat is a legitimate file that BadRabbit Ransomware uses for malicious purposes, whereas the second file, dispci.exe, is the main malicious executable. It is started by a Scheduled Task called Rhaegal, which executes the command "C:\Windows\dispci.exe" -id [id] && exit on startup. Generally speaking, these files are what the infection needs to encrypt victims’ personal files and modify the MBR.

[BadRabbit Ransomware screenshot]

BadRabbit Ransomware encrypts victims’ files using the AES-128 encryption algorithm, and the AES key is then encrypted using RSA-2048. Evidently, this makes it impossible to decrypt the files without the special decryptor. As the ransom note displayed on the screen after the infection instructs, users need to open the provided .onion link and then pay a ransom of 0.05 BTC in exchange for the decryption tool. Displaying the ransom note and encrypting files are by no means all the activities BadRabbit Ransomware performs on victims’ machines. After successfully encrypting files, it also scans the network for vulnerable computers that could be infected using the Windows SMB (Server Message Block) exploit. Because of this, it might become quite a prevalent threat, our specialists say. Ransomware infections are not easy to prevent from entering the system, which is why we recommend that you install a security application on your computer if you do not want to find your pictures, documents, music, and a bunch of other files encrypted again.

It will not be a piece of cake to fully remove BadRabbit Ransomware because you will first need to repair the Master Boot Record yourself. Then, you will need to remove all the files the ransomware infection dropped onto your computer, as well as the malicious file you launched (the fake Flash update). You cannot leave any ransomware components on your system because this threat might revive. Therefore, we suggest that you use our step-by-step manual removal instructions. Alternatively, you can fully delete this threat with an automated malware remover after repairing the MBR.

Delete BadRabbit Ransomware

Repair the Master Boot Record

Windows XP

  1. Boot from the Windows XP installation CD.
  2. Press any key when you see Press any key to boot from CD… .
  3. Press R at the Welcome to Setup screen.
  4. Type 1 and hit Enter when you see Which Windows installation would you like to log onto.
  5. Enter the password and press Enter when Type the Administrator password shows up.
  6. Type fixmbr (press Y and hit Enter if the question Are you sure you want to write a new MBR? is displayed).
  7. Press Enter.
  8. Wait till the process finishes.
  9. Remove CD.
  10. Type exit and press Enter.

Windows Vista

  1. Boot from your Windows Vista installation CD/DVD.
  2. Choose your language and keyboard layout.
  3. Click Repair your computer at the Welcome screen.
  4. Choose the operating system and then click Next.
  5. Click Command Prompt when System Recovery Options appears.
  6. Enter three commands one after another and press Enter after each of them: bootrec /FixMbr, bootrec /FixBoot, and bootrec /RebuildBcd.
  7. Wait till the operation finishes and then remove CD/DVD.
  8. Type exit and hit Enter.

Windows 7

  1. Boot from the Windows 7 installation DVD.
  2. Press any key when you see Press any key to boot from CD or DVD.
  3. Select your language and keyboard layout.
  4. Click Next.
  5. Choose the operating system and click Next (Use recovery tools that can help fix problems starting Windows must be checked when you do this).
  6. Click Command Prompt at the System Recovery Options screen.
  7. Type the following commands one after the other: bootrec /rebuildbcd, bootrec /fixmbr, and bootrec /fixboot (press Enter after each command).
  8. Remove the installation DVD.
  9. Restart your computer.

Windows 8/8.1/10

  1. Boot from the installation DVD.
  2. Click Repair your computer at the Welcome screen.
  3. Click Troubleshoot.
  4. Select Command Prompt.
  5. Type the following commands: bootrec /FixMbr, bootrec /FixBoot, bootrec /ScanOs, and bootrec /RebuildBcd (press Enter after each command).
  6. Remove the DVD.
  7. Type exit and press Enter.
  8. Restart your computer.

Remove malicious files

  1. Press Win+E simultaneously.
  2. Go to %WINDIR% (type the directory in the address bar at the top and press Enter).
  3. Delete infpub.dat, cscc.dat, and dispci.exe.
  4. Delete the malicious file you launched (the fake Flash update install_flash_player.exe).
  5. Empty the Recycle Bin.
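As an added example (not part of the original guide or of any vendor tool), the following PowerShell function checks a machine for exactly the artifacts named in this guide: the three dropped files under %WINDIR%, the Rhaegal Scheduled Task that gives the infection its persistence, and a running dispci.exe or rundll32.exe process hosting infpub.dat. It only reports unless run with -Remediate; it assumes an elevated PowerShell 4.0 or later session with schtasks.exe available, and the function name and report format are my own.

```powershell
# Added example, not the guide's own tool: hunt for (and optionally remove) the
# BadRabbit artifacts named in this guide. Assumes an elevated PowerShell 4.0+
# session (Get-FileHash) and schtasks.exe. Without -Remediate it only reports.
function Invoke-BadRabbitCheck {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = @()
    $taskName = 'Rhaegal'   # Scheduled Task that relaunches dispci.exe on startup
    # Dropped files listed in the guide, all under %WINDIR%
    $files = 'infpub.dat', 'cscc.dat', 'dispci.exe' |
        ForEach-Object { Join-Path $env:WINDIR $_ }

    # 1. Running components: dispci.exe, and rundll32.exe hosting infpub.dat.
    #    Stop them first so the file deletion below does not fail on open handles.
    $procs = @(Get-Process -Name 'dispci' -ErrorAction SilentlyContinue)
    $procs += @(Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" |
        Where-Object { $_.CommandLine -like '*infpub.dat*' } |
        ForEach-Object { Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue })
    foreach ($p in $procs) {
        $findings += "process running: $($p.Name) (PID $($p.Id))"
        if ($Remediate) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }

    # 2. Persistence: a reboot alone does not help while this task exists.
    schtasks.exe /Query /TN $taskName 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        $findings += "scheduled task present: $taskName"
        if ($Remediate) { schtasks.exe /Delete /TN $taskName /F | Out-Null }
    }

    # 3. Dropped files. Hash each one before deleting it so evidence is kept.
    foreach ($path in $files) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += "file present: $path (SHA256 $hash)"
            if ($Remediate) { Remove-Item -LiteralPath $path -Force }
        }
    }

    if ($findings.Count -eq 0) { $findings = @('no BadRabbit artifacts from this guide found') }
    return $findings
}

# Report only; add -Remediate after the MBR has been repaired to clean up.
Invoke-BadRabbitCheck
```

A file that is still locked when Remove-Item runs produces an error rather than being deleted; with the task already gone it can be removed after the next restart.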

In non-techie terms:

BadRabbit Ransomware is a sophisticated threat that illegally infiltrates computers with the intention of blocking access to users’ files. Although it enters computers illegally, users soon realize that they have encountered malicious software because they find the ransom note placed on their screens. You will be told that your files will be fixed if you pay money, but there are no guarantees that this will take place. Also, the ransomware infection will not be removed from your computer even if you make a payment, so keep your money in your pockets and, instead, focus on the ransomware removal.