BadRabbit Ransomware Patch - Small patch to effectively prevent BadRabbit ransomware

Posted: Saturday, October 28, 2017 9:56:28 PM(UTC)
mgiljum

What is BadRabbit?

BadRabbit is ransomware based on Petya/NotPetya, typically spread through fake Adobe Flash updates. Once the fake installer is executed with UAC permissions, it encrypts data on the PC, demands payment of 0.5 Bitcoin and then attempts to spread through the local network by brute-forcing NTLM passwords. You can read an analysis of BadRabbit's code here: https://securelist.com/b...rabbit-ransomware/82851/

What does this installer do?

This installer is a simple batch script which creates two empty files with read-only permissions in the C:\Windows directory that the BadRabbit ransomware would normally create:

"C:\Windows\infpub.dat" - used by BadRabbit to encrypt files and brute-force NTLM passwords on other networked PCs.
"C:\Windows\cscc.dat" - a DiskCryptor driver, which attempts to encrypt entire partitions

By creating empty, non-writable files beforehand, this effectively prevents BadRabbit from successfully executing its payload and child processes. It should work on PCs running Windows XP and up.

Note on Step 1

Step 1 of the installer script checks to see if the files already exist. If this first step fails, it's possible your computer may already be infected. Immediately shut the computer down, and use an offline antivirus tool, or restore your computer from backup to prevent data loss. BadRabbit does not appear to delete Shadow Copies, so it may be possible to restore files using the built-in Windows tools ("Previous Versions" in file properties, or System Restore) once BadRabbit has been removed from the system.
BadRabbit Ransomware Patch (package details)

Description: Creates two empty files with read-only permissions in the C:\Windows directory that the BadRabbit ransomware would normally create. This effectively prevents BadRabbit from successfully infecting the PC even if the payload is downloaded. It should work on PCs running Windows XP and up.

Step 1 checks to see if the files already exist. If this first step fails, it's possible your computer may already be infected. Immediately shut the computer down, and use an offline antivirus tool, or restore your computer from backup to prevent data loss.

Final Action: Nothing
Max. Duration: 15 min(s), 0 hour(s)
Rescan: No

Steps

1. Check if files exist
Type: Condition
Success: Stop (Failure)
Failure: Go To Next
Conditions:
File C:\Windows\infpub.dat Exists
File C:\Windows\cscc.dat Exists

2. Create patch files
Type: Command
Return Codes: 0
Success: Stop (Success)
Failure: Stop (Failure)
Command:
@echo off
type nul > "C:\Windows\infpub.dat"
attrib +r "C:\Windows\infpub.dat"
type nul > "C:\Windows\cscc.dat"
attrib +r "C:\Windows\cscc.dat"
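The two deployment steps above, folded into one stand-alone PowerShell script as an added example (not part of mgiljum's package): it refuses to touch files that already exist and reports that as a possible infection, creates the two 0-byte placeholders, marks them read-only and verifies the result before reporting success. It assumes $env:SystemRoot resolves to the C:\Windows directory the post refers to, and that the script runs elevated.

```powershell
# Added example: the installer's Step 1 and Step 2 as a single script.
# Exit codes: 1 = vaccine file(s) already present (possible infection),
#             2 = creation or verification failed, 0 = vaccine files in place.
$ErrorActionPreference = 'Stop'

# Assumption: $env:SystemRoot is C:\Windows, as in the original batch commands.
$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

# Step 1: if either file already exists, leave it untouched and stop, mirroring
# the package's "Success -> Stop (Failure)" condition.
$existing = @($VaccineFiles | Where-Object { Test-Path -LiteralPath $_ })
if ($existing.Count -gt 0) {
    Write-Warning "Found existing file(s): $($existing -join ', '). Host may already be infected; take it offline and investigate."
    exit 1
}

# Step 2: create the empty placeholders ("type nul > file") and set the
# read-only attribute ("attrib +r file").
foreach ($path in $VaccineFiles) {
    New-Item -Path $path -ItemType File | Out-Null
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: each vaccine file must exist, be 0 bytes and carry the read-only flag.
foreach ($path in $VaccineFiles) {
    $item = Get-Item -LiteralPath $path
    if ($item.Length -ne 0 -or -not $item.IsReadOnly) {
        Write-Warning "Vaccine file $path is not a 0-byte read-only file."
        exit 2
    }
}

Write-Output "Vaccine files created: $($VaccineFiles -join ', ')"
exit 0
```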
#1 Charlie.X (Administration)
posted: 10/30/2017 2:22:22 PM(UTC)
Thanks mgiljum!
