Bad Rabbit Ransomware Virus Removal

Bad Rabbit Ransomware
Written by Adrian Bitterson

The Bad Rabbit Ransomware Virus is believed to be the latest variant of the Petya ransomware outbreak that has affected many countries.

Ransomware infections can be devastating to their victims, and over the past several years they have become one of the most pressing issues in the cyber security community. Viruses of this type are developed and released onto the public by the millions each year, and security experts are genuinely struggling to keep up with the number of unique samples attacking users worldwide. Most of the time this struggle is, unfortunately, unsuccessful. So, just like countless other ransomware variants before it, a new version called Bad Rabbit has lately been encrypting users’ files and placing outrageous ransom demands on their screens.

Not only is this infuriating and unacceptable, it also denies people access to important files that may be essential to their work or simply of great sentimental value. Whatever the case, we would like to shed some more light on the ransomware phenomenon and provide our readers with information that may help put a stop to this epidemic. We have also prepared a step-by-step removal guide for the victims of Bad Rabbit, so that you can locate and remove the virus from your PC. The same guide includes instructions for attempting to restore your files.

Why ransomware seems invincible, and why it really isn’t

Ransomware like Bad Rabbit has become a huge threat for a number of reasons, and the authorities can’t do much to slow the enormous rate at which this malware category is evolving and growing in numbers. It has become a kind of cancer of the internet, and once it infects you there is little chance of recovery. One reason is that it is very difficult to detect: even the most powerful antivirus programs are often useless against this type of infection, because they don’t recognize the encryption process as a threat. With the victims unable to intercept the infection, they are left with a bunch of unusable files and a ransom note containing demands for money, deadlines and further threats. So the only options are either to pay the hackers or to try to solve the matter on your own.

The former option is what makes the hackers richer and what encourages them, and others like them, to keep creating ransomware viruses like Bad Rabbit and profit from people’s misery. It is also aided by the fact that most payments are requested in some cryptocurrency (most often Bitcoin), which in turn means the hackers cannot be traced. Moreover, since these are, after all, cybercriminals, they have no legal, moral or other obligation to send you a decryption key even after they have received your money. So why would you trust them to do that? You would not believe the number of people who get burnt like this and lose both their money and their files to the hackers behind ransomware.

All of the above combined has helped create this image of invincibility around ransomware viruses. The reality is that, yes, it is incredibly difficult to deal with the aftermath of an infection. But it is not impossible. It is also very possible to prevent ransomware infections in the first place, if only the average online user were better informed about this dangerous threat. Despite ransomware being so widespread, most victims only discover that viruses like Bad Rabbit exist after they have been attacked by one. If we could learn to avoid the most common sources of this and other malware types, the world would be a much happier place and ransomware developers would eventually go out of business.

The most typical way of landing a ransomware infection is a spam email or another type of message that carries an attached file. Be very critical of any incoming correspondence, especially if you are not familiar with the sender. Look for the tell-tale signs of a fake or contaminated message and do not interact with its contents unless you are 100% sure they are safe. Also, avoid visiting shady or otherwise untrustworthy websites, and especially avoid downloading anything from them. Again, use only trustworthy, tested and reliable sources. Last but not least, regularly back up your most important work or personal files and keep them on a separate drive that is not permanently connected to a computer. That way, even if you do get infected, you will have intact copies of whatever the ransomware encrypted on your PC.

Bad Rabbit Ransomware Virus Removal

Before you start executing the steps in the guide, we advise you to either bookmark this page or open it on a separate device, since you might need to exit your browser while completing the guide.

1: Restoring basic Windows functionality

Before you can remove the Bad Rabbit Ransomware Virus from your computer, you need to be able to access the computer in the first place. Since the ransomware prevents Windows from booting, your first job is to repair the Master Boot Record (MBR) of your drive.
To do that you will need your original Windows OS DVD (or a bootable USB drive, for advanced users).
  1. Insert the DVD (or the USB drive) into the computer, start the computer and choose to boot the OS from the DVD/USB. You may have to change the boot priority in the BIOS, usually by pressing Del during startup.
  2. When Windows boots from the DVD/USB, select Windows Repair.
  3. Open the Command Prompt and enter the following commands one after the other: bootrec /fixmbr, bootrec /fixboot and bootrec /rebuildbcd
  4. Your Windows OS should now be able to boot normally, and you can proceed with the removal of the virus as usual.


2: Spotting the process

Open the Task Manager using the Ctrl + Shift + Esc key combination. Next, go to the Processes tab and carefully look through the list for any shady entries. Malicious processes will usually be consuming large amounts of CPU and RAM, and will either have no description or a suspicious-looking one.

Once you identify the virus’ process, right-click on it and select Open File Location. Delete everything in the folder that opens if you are sure that the process was malicious. If you are not sure, contact us in the comments.

Go back to the Task Manager and end the potentially harmful process.
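The Task Manager check above can be done more systematically from a PowerShell prompt. The following script is an added example, not part of the original guide: it lists every running process with the details the guide tells you to look at (CPU time, memory, description, where the executable lives, and whether the executable carries a valid Authenticode signature) and then flags the entries that match the guide’s description of a shady process. It only reads information; it does not terminate or delete anything, so you can review the output before acting on step 2. It assumes an elevated PowerShell session on Windows, and the list of folders treated as suspicious launch locations is an assumption based on the folders this guide inspects later.

```powershell
# Added example, not part of the original guide. Lists running processes with the
# details the guide tells you to look at and flags the ones that look shady.
# Run from an elevated PowerShell prompt so that more processes expose their paths.
# Nothing here terminates a process or deletes a file.

# Folders a dropper commonly runs from (assumption; these are the folders the
# guide inspects in step 6).
$dropperFolders = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

$report = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |          # protected/system processes expose no path
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name         = $_.ProcessName
            PID          = $_.Id
            CPUSeconds   = [math]::Round([double]$_.CPU, 1)
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Description  = $_.Description      # taken from the executable's version resource
            Company      = $_.Company
            Path         = $_.Path
            Signature    = if ($sig) { [string]$sig.Status } else { 'Unknown' }
        }
    }

# Flag what the guide calls shady: no description, a missing or invalid signature,
# or an executable running out of one of the dropper folders above.
$flagged = $report | Where-Object {
    $p = $_
    (-not $p.Description) -or
    ($p.Signature -ne 'Valid') -or
    ($dropperFolders | Where-Object { $_ -and ($p.Path -like "$_*") })
}

$flagged | Sort-Object CPUSeconds -Descending |
    Format-Table Name, PID, CPUSeconds, WorkingSetMB, Description, Signature, Path -AutoSize
```

A legitimate program can also land in this list (some vendors ship unsigned helper binaries), so treat the output as a shortlist to inspect, not as a verdict: the Path column tells you which folder to open in step 2, and the PID lets you find the same entry in the Task Manager.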

3: Hosts file IPs

Go to your Start menu and paste the following into the search field: notepad %windir%\system32\drivers\etc\hosts. Select the first result and look at the bottom of the Notepad window that opens. Check whether there are any IP addresses listed below the “localhost” entries, and tell us in the comments if there are.
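The same check can be made without reading the file by eye. The script below is an added example, not part of the original guide: it prints every active line of the hosts file with comments stripped, and marks any line whose address is not one of the two loopback addresses a stock hosts file contains, so that any entries added below “localhost” stand out. It assumes a standard Windows installation where the hosts file lives under %windir%\System32\drivers\etc.

```powershell
# Added example, not part of the original guide. Lists the active (non-comment)
# entries of the hosts file and marks any address other than the stock loopback ones.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1')   # the only addresses a default hosts file maps

$entries = Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # drop comments and surrounding whitespace
    Where-Object { $_ -ne '' } |                        # drop blank lines
    ForEach-Object {
        $fields = $_ -split '\s+'
        [pscustomobject]@{
            Address = $fields[0]
            Names   = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' } else { '' }
            Unusual = ($fields[0] -notin $loopback)
        }
    }

if (-not $entries) {
    'The hosts file contains no active entries (this is the normal state on a fresh Windows install).'
} else {
    $entries | Format-Table -AutoSize
}
```

On a clean system the list is empty or contains only the loopback lines, because the stock hosts file ships with every example line commented out. Lines marked Unusual are exactly the ones the guide asks you to report in the comments; an entry that points a security vendor’s or update service’s domain at another address is a typical sign that malware has edited the file.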

4: System Configuration Startup Programs

Type System Configuration in the Windows search bar and open the first result. Go to the Startup tab and take a look at the list of startup programs (on Windows 10, the startup programs are listed in the Startup tab of the Task Manager instead). If any of them look shady, have an unknown manufacturer or a manufacturer with a sketchy name, uncheck those entries and click OK.

5: Registry

Open the Run window (WinKey + R), type regedit and press Enter. Once the Registry Editor opens, press Ctrl + F and type the name of the virus. Click Find Next and delete whatever is found that bears the virus’ name. Repeat this for all search results.

6: Deleting potential virus files

Open the Start Menu and type each of the following locations, one at a time: %AppData%, %LocalAppData%, %ProgramData%, %WinDir% and %Temp%. Open each of those folders and sort their contents by date. Delete the most recent files and folders. When you open the Temp folder, delete everything in it.
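Steps 4 to 6 all come down to looking at what starts automatically and what was changed recently. The script below is an added example, not part of the original guide, that gathers both into one listing so that they can be reviewed before anything is deleted: the Run and RunOnce registry keys for the machine and the current user (the usual autostart locations behind the System Configuration and registry checks of steps 4 and 5), the per-user and all-users Startup folders, and every file changed recently inside the five folders named in step 6. The three-day window is an assumption; set it to the time the infection started. Recursion into %WinDir% is depth-limited so the listing does not take minutes.

```powershell
# Added example, not part of the original guide. Collects autostart entries and
# recently changed files from the folders named in steps 4 to 6 for review.
# Run from an elevated PowerShell prompt. Nothing here deletes anything.
$cutoff = (Get-Date).AddDays(-3)   # assumed window; set it to when the infection started

# --- Autostart entries: Run/RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostart = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$regKey.GetValue($name) }
    }
})

# --- Autostart entries: the per-user and all-users Startup folders.
$startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$autostart += @(foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
    }
})
'--- Autostart entries ---'
$autostart | Format-Table -AutoSize

# --- Recently changed files in the folders the guide names in step 6.
#     Depth is limited so that walking %WinDir% stays quick.
$folders = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP)
$recent = @(foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -File -Force -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length
})
"--- Files changed since $cutoff ---"
$recent | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

The point of listing rather than deleting is that %WinDir% and %ProgramData% contain files Windows itself changes every day, so “most recent” alone is not a safe criterion; an entry whose Command points into %Temp% or %AppData%, or a recently written executable with no obvious owner, is what deserves a closer look before step 6 is carried out.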

About the author

Adrian Bitterson
