Files Encrypted By Bad Rabbit Can Be Recovered, Researchers Say

With new ransomware programs popping up every single day, it is not surprising that a new player called Bad Rabbit appeared on October 24th. However, this infection seems to be more serious than the programs security experts deal with on a regular basis. News about Bad Rabbit has been reported around the world because the infection targets both organizations and individual consumers. The scope of this ransomware program is therefore quite wide, and organizations around the globe have to take every measure possible to protect themselves from this new threat.

Is Bad Rabbit a new WannaCry?

The year 2017 has seen at least two global ransomware outbreaks that made people realize that cyber threat risks are real: WannaCry and ExPetr (a.k.a. NotPetya). Security experts believe that Bad Rabbit could be directly related to ExPetr.

Some news outlets initially worried that Bad Rabbit might spread as far as the global ransomware infections that appeared a few months ago. However, with almost two weeks having passed since the program’s discovery, we can say with some confidence that this Trojan has not spread as widely as its predecessors.

As far as we have found out, it mostly spreads in Russia, although the infection has also been sighted in Ukraine, Turkey, and Germany. The program clearly targets not only individual users but organizations, too. According to various news reports, major Russian news outlets (such as Interfax and Fontanka.ru) were affected by this Trojan, as were Kiev’s public transport system in Ukraine and even the Odessa International Airport, although reports note that it is not yet clear whether it really was Bad Rabbit that hit their systems.

What is the Bad Rabbit infection vector?

There is enough evidence to conclude that systems in various countries were infected with Bad Rabbit through Russian news and media websites. The program reaches target systems through a drive-by attack: legitimate news and media websites compromised by cyber criminals serve the dropper to their visitors. From there, Bad Rabbit has at least two ways to get onto a PC, described below.

As far as individual computers are concerned, there is no exploit that runs the infection automatically: users have to execute the downloaded file themselves for the ransomware to be installed. That file is a fake Adobe Flash Player installer. Users think they are installing an update to Adobe Flash, but by running it they install Bad Rabbit on their computers.

When the infection spreads inside corporate networks, it does use an exploit, known as EternalRomance, which targets Windows SMB and was patched by Microsoft in March 2017 (MS17-010). This is yet another point where Bad Rabbit resembles ExPetr, which used the same exploit. There are further signs that both ExPetr and Bad Rabbit were created by the same people, and the two share a good deal of code. Still, there are significant differences between them, and those differences allow some users to breathe a sigh of relief.

The Possibility to Recover Files Encrypted by Bad Rabbit

Perhaps the quirkiest piece of information about this infection is that its developers seem to be Game of Thrones fans. How do we know? Some of the strings in the program’s code are Game of Thrones character names; the names of all of Daenerys’s dragons, for instance, are definitely there. Of course, this fact changes nothing, but it does give the infection character.

Otherwise, the encryption used by Bad Rabbit is the standard scheme employed by most ransomware: files are encrypted with AES-128-CBC, and the key material is protected with RSA-2048. One curious detail is that it does not encrypt files that carry the read-only attribute. It is also in how the encryption is handled that we encounter the main difference between this program and ExPetr.

ExPetr is effectively a wiper: it encrypts the files on the affected system with no working way to restore them, so even a paying victim could not get them back. Bad Rabbit, on the other hand, is genuine ransomware that leaves the decryption option open. Computer security researchers have determined that the scheme is set up so that the attackers’ private RSA key can recover the key needed to decrypt the affected files, which is presumably what a paying victim would receive. Bad Rabbit demands 0.05 Bitcoin, or around $280 at the time of writing, for the decryption key.

However, security researchers have found at least two flaws in the program’s code. The first is that the password generated for the disk encryption is not wiped from memory, so it can be extracted from the running malicious process, provided someone captures that process’s memory before it terminates. You would need to be extremely lucky to catch it at that stage, and you would need a professional at your side to capture and search the process memory, so this is hardly a practical way out.

The other loophole Bad Rabbit leaves is that it does not delete Volume Shadow Copies. So if shadow copies were enabled before the encryption took place and the full-disk encryption did not happen, it is possible to restore the original versions of the affected files from a snapshot. Here, too, you will most likely need a professional technician.
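As an added example that is not part of the original article or of the research it cites, the following PowerShell script shows the shadow copy recovery path described above. Run from an elevated prompt on the still-bootable victim, it lists the Volume Shadow Copies of one volume, exposes the most recent snapshot as a directory through a symbolic link, and copies a folder out of it. The volume, mount point, folder to recover and destination are assumptions chosen for illustration; a real recovery would choose a snapshot dated before the encryption started and copy to a disk other than the infected one.

```powershell
# Added example (not from the original article): restore pre-encryption files from
# Volume Shadow Copies on a host where Bad Rabbit encrypted files but did not reach
# the full-disk encryption stage. Requires an elevated PowerShell prompt.
#Requires -RunAsAdministrator
param(
    [string]$Volume      = 'C:\',                    # volume to inspect (assumption)
    [string]$MountPoint  = 'C:\ShadowRecovery',      # where the snapshot is exposed (assumption)
    [string]$RecoverPath = 'Users\alice\Documents',  # folder inside the volume to pull out (assumption)
    [string]$Destination = 'D:\Recovered'            # ideally a different, clean disk (assumption)
)

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form,
# which is how snapshots are matched to a drive letter.
$driveLetter = $Volume.TrimEnd('\')
$volumeId = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }).DeviceID

# Snapshots for this volume, newest first. An empty list means the loophole is of no use here.
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending)

if (-not $shadows) {
    Write-Warning "No shadow copies found for $Volume; nothing to recover from."
    return
}

Write-Host "Shadow copies for ${Volume}:"
foreach ($s in $shadows) {
    Write-Host ("  {0:yyyy-MM-dd HH:mm:ss}  {1}" -f $s.InstallDate, $s.DeviceObject)
}

# Use the newest snapshot. Change the index to pick an older one that predates the encryption.
$snapshot = $shadows[0]

# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. A directory
# symlink to it needs a trailing backslash, or Explorer and robocopy cannot open it.
$target = $snapshot.DeviceObject + '\'
cmd.exe /c mklink /d "$MountPoint" "$target" | Out-Null

# Copy the old file versions out. /E includes subdirectories, /XJ skips junctions,
# /R:1 /W:1 keep the run from stalling on a locked file.
robocopy (Join-Path $MountPoint $RecoverPath) $Destination /E /XJ /R:1 /W:1

# Remove the link only; the snapshot itself stays untouched.
cmd.exe /c rmdir "$MountPoint" | Out-Null
Write-Host "Recovered files written to $Destination"
```

Copy the recovered files off the machine before attempting any cleanup, and treat the host as untrusted until it is rebuilt: the snapshot gives you back the data, not a clean system.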

How to Avoid Bad Rabbit?

Some researchers have suggested a vaccine against the encryption. They say it should be enough to create a file at C:\Windows\infpub.dat and remove all permissions from it, so that the dropper cannot write its payload there. That should protect systems that have not yet been hit by the ransomware. If the program is already on your system, however, the vaccine offers nothing.
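The following PowerShell script is an added example, not code from the article or from the researchers it cites. It applies the vaccine described above by pre-creating the file, disabling ACL inheritance and removing every access entry, then verifies the result. The publicly circulated version of this vaccine, posted by Cybereason’s Amit Serper, covered a second file, C:\Windows\cscc.dat, alongside infpub.dat, so the script handles both. If either file already exists with content it reports that instead of touching it, since that can indicate an infection already under way.

```powershell
# Added example (not from the original article): pre-create the files the Bad Rabbit
# dropper writes and strip every permission from them so the malware cannot replace them.
# Run from an elevated PowerShell prompt. Paths are the ones named in public analyses;
# $env:SystemRoot is used instead of a hard-coded C:\Windows.
#Requires -RunAsAdministrator

$vaccinePaths = @(
    (Join-Path $env:SystemRoot 'infpub.dat'),   # file named in the article
    (Join-Path $env:SystemRoot 'cscc.dat')      # second file in the widely circulated vaccine
)

foreach ($path in $vaccinePaths) {
    if (Test-Path -LiteralPath $path) {
        # A non-empty file here was not put there by this script: do not touch it, report it.
        $item = Get-Item -LiteralPath $path -Force
        if ($item.Length -gt 0) {
            Write-Warning "$path already exists and is $($item.Length) bytes; investigate before proceeding."
            continue
        }
    } else {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Build an ACL that is protected from inheritance and carries no access rules at all.
    # An empty DACL denies everyone (unlike a missing DACL, which would allow everyone);
    # the owner keeps the right to change the ACL, so the step is reversible.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # isProtected = true, preserveInheritance = false
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null   # drop any explicit entries that remain
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Verify: re-read the ACL and confirm there are zero access entries.
    $check = Get-Acl -LiteralPath $path
    if ($check.Access.Count -eq 0) {
        Write-Host "Vaccinated: $path (no access entries)"
    } else {
        Write-Warning "Failed to strip permissions from $path; $($check.Access.Count) entries remain."
    }
}
```

This is a stopgap that blocks one specific dropper behaviour, not a substitute for patching MS17-010, blocking unsigned executables from running, and keeping offline backups; a reworked sample that writes to a different path would not be stopped by it.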

Prevention therefore becomes even more important. Although a program like Bad Rabbit leaves a small window open and may allow you to restore your files if you are crafty and resourceful, that is no reason to keep trying your luck. It is far better to employ all available security measures to avoid such infections in the future. For further information on computer protection and security, please feel free to leave us a comment below.

References:

  1. Dan Goodin. New wave of data-encrypting malware hits Russia and Ukraine. Ars Technica.
  2. Michael Heller. Bad Rabbit ransomware data recovery may be possible. SearchSecurity, TechTarget.
  3. Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. Bad Rabbit ransomware. Securelist.
  4. Alex Perekalin. Bad Rabbit: A new ransomware epidemic is on the rise. Kaspersky.
  5. Dale Walker. ‘Bad Rabbit’ ransomware found to be similar to NotPetya. IT Pro.