Good news for all Bad Rabbit ransomware victims – a technical analysis of Bad Rabbit ransomware by Kaspersky[1] revealed that the malware has several flaws that allow victims to recover their files for free.
At first, it seemed that this updated variant of NotPetya was a polished data-encrypting virus combining the AES-128-CBC and RSA-2048 ciphers, but further analysis revealed that its source code actually contains a few mistakes.
It appears that the infamous ransomware, which first hit Russian and Ukrainian computer users on October 24th, had a flaw in its source code – it does not contain a function to delete Volume Shadow Copies, which can be used to restore files damaged by malicious programs.
However, this recovery path comes with one condition: the ransomware must have failed to complete its full disk encryption. In other words, the virus has to have been interrupted before it finished all of its tasks correctly.
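The following PowerShell script is an added example (not from the article or from Kaspersky's analysis) of what the surviving shadow copies make possible on a machine where the encryption did not run to completion: it lists the Volume Shadow Copies of the affected volume and copies a single file out of the newest snapshot. The file path, output directory and the `vss_` link name are assumptions chosen for illustration.

```powershell
# Added example, not from the article or from Kaspersky's analysis: list the Volume
# Shadow Copies of a volume and copy one file out of the newest snapshot.
# Requires an elevated (Administrator) PowerShell session on the affected Windows host.
function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$Path,   # file to recover, e.g. C:\Users\alice\Documents\report.docx (hypothetical)
        [Parameter(Mandatory)][string]$OutDir  # directory that receives the recovered copy
    )

    $drive  = Split-Path -Qualifier $Path      # "C:"
    $volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }
    if (-not $volume) { throw "Volume $drive not found" }

    # Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID (\\?\Volume{GUID}\).
    # An empty list means no snapshot survived and VSS-based recovery is not an option.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending)
    if ($shadows.Count -eq 0) { throw "No shadow copies exist for $drive" }
    $shadows | ForEach-Object { Write-Host ('{0}  {1}' -f $_.InstallDate, $_.DeviceObject) }

    # Snapshots live under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\, which the
    # file-system cmdlets cannot open directly, so expose the newest one through a
    # temporary directory symbolic link (no spaces in either path, so no quoting is needed).
    $newest = $shadows[0]
    $link   = "$env:SystemDrive\vss_$([guid]::NewGuid().ToString('N'))"
    $target = $newest.DeviceObject + '\'
    cmd.exe /c mklink /d $link $target | Out-Null
    try {
        $relative = $Path.Substring($drive.Length).TrimStart('\')
        $source   = Join-Path $link $relative
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in snapshot created $($newest.InstallDate)"
        }
        New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
        $dest = Join-Path $OutDir (Split-Path -Leaf $Path)
        Copy-Item -LiteralPath $source -Destination $dest   # never write back into the original path
        return $dest
    } finally {
        cmd.exe /c rmdir $link | Out-Null                   # removes the link only, not the snapshot
    }
}

# Usage (paths are constructed for illustration):
Restore-FromShadowCopy -Path 'C:\Users\alice\Documents\report.docx' -OutDir 'C:\Recovered'
```

Copy recovered files to a separate location rather than over the damaged originals, so that a later snapshot or forensic image of the disk is not disturbed.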
Bad Rabbit, unlike NotPetya, is not a wiper
Since malware analysts have already found links between NotPetya (also known as ExPetr) and Bad Rabbit,[2] they have also highlighted the differences between the two viruses. According to experts, the new ransomware is an improved variant of the Petya virus that shook the online community in June 2017. The virus used in the June 27th cyber attack turned out to be a wiper, whereas Bad Rabbit[3] functions as data-encrypting ransomware.
It turns out that the source code of DiskCoder.D[4] (Bad Rabbit) contains the means to access the password used for the disk encryption.
After encrypting the victim’s files, the ransomware modifies the Master Boot Record and restarts the computer to display a ransom note with a “personal installation key#1” on the screen. This key is a binary structure encrypted with RSA-2048 and then base64-encoded; the structure holds certain information about the victim’s computer.
However, this ID is not the AES key used to encrypt the data on the disk; it only serves as an identifier that distinguishes different compromised PCs.
Researchers from Kaspersky state that they extracted the password generated by the malware during a debugging session and entered it below the “personal installation key#1.” The password unlocked the system and allowed it to boot. However, the files encrypted in the victim’s folders remained unreachable.
To decrypt them, a unique RSA-2048 key is required. Note that the symmetric encryption keys are generated separately, which makes it impossible to guess them, and attempts to brute-force them would take ages, too.
Besides, the experts discovered a mistake in the dispci.exe process used by the virus: it does not wipe the generated password from memory, so the password can be recovered before the process terminates. Unfortunately, this is hardly practical in real-life situations because victims tend to reboot their computers a few times.
Prevention is the best approach to controlling your data security
Cybersecurity experts say that these findings give only a slight chance of recovering encrypted files. They also warn that any type of ransomware is extremely hazardous and that the only way to keep your data protected is to do your utmost to keep such viruses away. Therefore, our team has prepared a short how-to on keeping your system protected against Bad Rabbit or similar ransomware attacks:
- Install reliable security software and apply its updates in time;
- Create data backups;
- Consider creating your own “vaccine[5]” for Bad Rabbit ransomware;
- Avoid clicking on fake pop-ups urging you to install software updates. As you probably know, the described virus infected thousands of victims by pushing fake Adobe Flash Player updates via compromised websites.
- Remember that you can only rely on software updates provided by the official developer of the software!