Bad Rabbit ransomware

A new variant of Petya that hit hard around the globe in June has shown up in Russia and the Ukraine. This one is called Bad Rabbit and it is already wreaking havoc by encrypting hundreds of computer systems.

bad rabbit ransomware

Bad Rabbit can use SMB to move across a network like Petya could. But researchers say a lot of the code appears to have been rewritten. Bad Rabbit also attempts to extract credentials from infected systems.

After being infected the Victims are sent to a random page in order to buy their files back.

Inoculation Option

I have been told by a network guy at work there may be an inoculation option like there was for Petya. But it is still too early to be 100% sure. It appears if you create 2 files and set them to deny for changes then Bad Rabbit will bypass the computer.

Here is a batch script for doing this.

REM Prevents Bad Rabbit Ransomware
REM Vaccine by Amit Serper @0xAmit
REM I added a line that removes inheritance from the command line instead of editing via the GUI

REM Creates infpub.dat and cscc.dat in the C:\Windows directory
echo > C:\Windows\infpub.dat && echo > C:\Windows\cscc.dat

REM Removes inheritance from previously created files
icacls C:\Windows\infpub.dat /inheritance:d && icacls C:\Windows\cscc.dat /inheritance:d

Although there is some debate if the /inheritance:d should be /inheritance:r

e – Enable inheritance
d – Disable inheritance and copy the ACEs
r – Remove all inherited ACEs

I am not sure were the source of this info is from but I will be happy to give credit if someone can inform me.

Prevent Ransomware

I have a post on preventing ransomware that still applies for this new attack and I would encourage everyone to read it.


Leave a Reply

Your email address will not be published. Required fields are marked *