Badrabbit Ransomware Removal

Today’s topic is Badrabbit also know as “Bad Rabbit Ransomware” – a kind of a Ransomware virus believed to be the latest offspring of the Petya ransomware virus.

You have probably heard this term. It is about the software that is capable of encrypting your data of all sorts or blocking your screen; after which it tends to blackmail you into paying a ransom in exchange for decrypting data or unblocking the affected screens. All the traits of Badrabbit in particular (and Ransomware as a whole) are meticulously discussed in the passages below. Don’t be hasty and read it carefully because you have come across the most awful cyber threat ever created – a ransom-requesting piece of malware.

Ransomware: typical traits

The manner in which these viruses work is generally common for all of its subcategories, no matter which type of Ransomware you have caught. A ransom is going to be demanded in exchange for undoing what this virus has done to your system and data. If you are dealing with an infection rendered by the file-encrypting versions of Ransomware, the exact category Badrabbit falls into, some of your files will get blocked, and a ransom is likely to be required for setting these files free. In other words, such a virus is capable of making your most valuable data totally inaccessible to you, and you are going to be informed that the only way to access it again is to pay some money to the people blackmailing you – the hackers. As soon as such a program gets into your system, it typically creates a thorough list with all the data that is to be encrypted by scanning your system. We need to say that this is pretty much the worst version of Ransomware since you are likely to lose access to some essential private or work-related data.

The infection you are facing might have been rendered by screen-blocking Ransomware. In this case either the screen of your PC or the displays of your mobile devices (tablets/ smartphones) are going to be blocked. No data is going to become a victim of this software, nonetheless, it will be impossible for you to reach any folder or shortcut, and access your data. Once again, the hackers inform you via an alert that you need to pay a ransom for unlocking your screen. And very rarely Ransomware viruses can be used for punishing hackers. Only in this way may cyber criminals be made to pay fines for violating certain regulations. Certain government agencies use such software for these purposes, even though rather seldom.

Such a terrible virus can be caught in these ways:

The common sources of viruses like Badrabbit are the ones we have made a list of here:

  • Spam emails and their attachments: Ransomware can come inside spam emails. When it comes to this scenario, any Ransomware could come together with a Trojan horse. The Trojan “aids” the Ransomware by finding out about any system/ program vulnerability and letting the Ransomware inside the victim system through such a weakness. The email attachments might also contain this version of malware: even as images and documents, not only the attached .exe files. After that the way the infection works is more or less the same: some encrypting happens and you are supposed to pay for the decryption either of your screen or your files.
  • Fake advertisements, update requests and other pop-ups: Such a virus can automatically come from a contagious ad, update request or pop-up of any kind which could sometimes get displayed on your monitor. If you click on any of these things, even in case that happens accidentally, your computer could catch such a malicious program.
  • File, software and torrent-sharing/ streaming web pages: Even though all web pages may contain malware, the ones that illegally spread/ stream /share movies, software and other torrents are among the most likely to be contagious.

Is there a right choice: to pay or not to pay, when it comes to Badrabbit?

To be completely honest, you need to make a decision yourself. Also, this choice is going to be equally risky whatever you decide to do. Even in case you complete the demanded payment, your data could still never be accessible to you again. Our sincere opinion is that you ought to refrain from paying the hackers and need to try the Removal Guide below first. After that, in case nothing works in your favor, you could consider sending the ransom. We can’t really promise your files will be recovered, but at least you will not be financing cybercriminals.

Badrabbit Ransomware Removal

Prior to starting to execute the steps from the guide, we advise you to either bookmark this page or open it on a separate device since throughout the process of completing the guide, you might need to exit your browser.

1: Restoring basic Windows functionality

Before you are able to remove the Badrabbit Virus from your computer you need to be able to access it in the first place. Since the ransomware will prevent Windows from booting itself your first job is to repair the Master Boot Records (MBR) of your drive.
To do that you’ll need your original Windows OS DVD (or an USB bootable drive for advanced users)
  1. Insert the DVD (or the USB) into the computer, then run the computer and choose to boot the OS from the DVD/USB. You may have to change Windows boot priorities from the bios by pressing Del
  2. When Windows boots from the DVD/USB select Windows Repair
  3. Open the Command Prompt and write the following commands inside:     enter: bootrec / fixmbr, bootrec / fixboot and bootrec / rebuildbcd
  4. Your Windows OS should now be able to boot normally. You can proceed with the removal of the virus as usual.


2: Spotting the process

Open your Task Manager using the Ctrl + Shift + Esc key combination. Next, go to the processes tab and carefully look through the list for any shady entries. Usually, malicious processes will be consuming large amounts of CPU and RAM and will either have no description or will have a suspicious-looking one.

Once you identify the virus’ process, right-click on it and select Open File Location. Delete everything in the folder that opens if you are sure that the process was malicious. If you are not sure, contact us in the comments.

Go back to the Task Manager and end the potentially harmful process.

3: Hosts file IP’s

Go to your start menu and in the search field, paste the following address: notepad %windir%/system32/Drivers/etc/hosts. Select the first result and look at the bottom of the newly opened notepad file. See if there are any IP’s below “Localhost” and tell us in the comments if there were any IP addresses. 

4: System Configuration Startup Programs

Type System Configuration in the Windows search bar and open the first result. Go to the Startup tab and take a look at the list of startup programs (on Windows 10, the Startup programs can be seen in the Startup Section of the Task Manager). If any of them look shady or have unknown manufacturer or a manufacturer with a sketchy name, uncheck those entries and click on OK.

5: Registry

Open the Run window (WinKey + R), type regedit and press Enter. Once the Registry Editor opens, press Ctrl + F and type the name of the virus. Select Find Next and delete whatever gets found that has the virus’ name. Do that with all search results.

6: Deleting potential virus files

Open the Start Menu and separately type each of the following locations: %AppData% %LocalAppData% %ProgramData% %WinDir% %Temp% . Open each of those folders and sort their contents by date. Delete the most recent files and folders. When you open the Temp folder, delete everything in it.

About the author

Adrian Bitterson

Leave a Comment