BadRabbit Ransomware Patch - Small patch to effectively prevent BadRabbit ransomware

Posted: Saturday, October 28, 2017 9:56:28 PM(UTC)
mgiljum
Member, Original Poster, Posts: 17

What is BadRabbit?

BadRabbit is ransomware based on Petya/NotPetya, typically spread through fake Adobe Flash updates. Once the fake installer is executed with UAC permissions, it encrypts data on the PC, demands payment of 0.5 Bitcoin and then attempts spreading through the local network by brute-forcing NTLM passwords. You can read an analysis of BadRabbit's code here: https://securelist.com/b...rabbit-ransomware/82851/

What does this installer do?

This installer is a simple batch script which creates two empty files with read-only permissions in the C:\Windows directory that the BadRabbit ransomware would normally create:

"C:\Windows\infpub.dat" - used by BadRabbit to encrypt files and brute-force NTLM passwords on other networked PCs.
"C:\Windows\cscc.dat" - a DiskCryptor driver, which attempts encrypting entire partitions.

By creating empty, non-writable files beforehand, this effectively prevents BadRabbit from successfully executing its payload and child processes. It should work on PCs running Windows XP and up.

Note on Step 1

Step 1 of the installer script checks to see if the files already exist. If this first step fails, it's possible your computer may already be infected. Immediately shut the computer down, and use an offline antivirus tool, or restore your computer from backup to prevent data loss. BadRabbit does not appear to delete Shadow Copies, so it may be possible to restore files using the built-in Windows tools ("Previous Versions" in file properties, or System Restore) once BadRabbit has been removed from the system.

BadRabbit Ransomware Patch (Download Package)

Description: Creates two empty files with read-only permissions in the C:\Windows directory that the BadRabbit ransomware would normally create. This effectively prevents BadRabbit from successfully infecting the PC even if the payload is downloaded. It should work on PCs running Windows XP and up.

Step 1 checks to see if the files already exist. If this first step fails, it's possible your computer may already be infected. Immediately shut the computer down, and use an offline antivirus tool, or restore your computer from backup to prevent data loss.

Final Action: Nothing
Max. Duration: 15 min(s), 0 hour(s)
Rescan: No

Steps

1. Check if files exist
   Type: Condition
   Success: Stop (Failure)
   Failure: Go To Next
   Conditions:
     File C:\Windows\infpub.dat Exists
     File C:\Windows\cscc.dat Exists

2. Create patch files
   Type: Command
   Return Codes: 0
   Success: Stop (Success)
   Failure: Stop (Failure)
   Command:
     @echo off
     type nul > "C:\Windows\infpub.dat"
     attrib +r "C:\Windows\infpub.dat"
     type nul > "C:\Windows\cscc.dat"
     attrib +r "C:\Windows\cscc.dat"
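The two package steps above, written as one PowerShell script so the existence check and the file creation can be run and verified by hand outside Lansweeper. This is an added example, not code from the original post or from Lansweeper; the two file names are the ones the post gives, the function names and the "Vaccinated" / "SuspiciousFile" / "Missing" labels are this example's own, and it assumes it is run from an elevated PowerShell session on Windows. It adds one check the batch version does not make: if a file already exists but is not an empty read-only file, it is reported rather than overwritten, which matches the post's advice to treat an existing file as a possible infection indicator. Note that the read-only attribute is a weak control; any process running with administrator rights can clear it with attrib -r, so the vaccine relies on the dropper not doing so.

```powershell
# Added example (not part of the original post or Lansweeper).
# Assumes an elevated session on Windows; file names from the post.
$VaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Test-BadRabbitVaccine {
    # Step 1 of the package: report whether each file exists, and in what state.
    foreach ($path in $VaccineFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force   # -Force also sees hidden files
            # A zero-byte read-only file is the vaccine itself; anything else
            # (non-empty, or writable) is unexpected and should be scanned offline.
            $status = if ($item.Length -eq 0 -and $item.IsReadOnly) { 'Vaccinated' } else { 'SuspiciousFile' }
            [pscustomobject]@{
                Path     = $path
                Exists   = $true
                Length   = $item.Length
                ReadOnly = $item.IsReadOnly
                Status   = $status
            }
        } else {
            [pscustomobject]@{ Path = $path; Exists = $false; Length = 0; ReadOnly = $false; Status = 'Missing' }
        }
    }
}

function Install-BadRabbitVaccine {
    # Step 2 of the package, guarded by Step 1: never overwrite a file that is
    # already present but does not look like the vaccine.
    $state = @(Test-BadRabbitVaccine)
    if ($state.Status -contains 'SuspiciousFile') {
        Write-Warning "A non-empty or writable file already exists at one of the vaccine paths; see the post's Note on Step 1."
        return $state
    }
    foreach ($entry in ($state | Where-Object Status -eq 'Missing')) {
        # Equivalent of: type nul > "<path>"   (creates a zero-byte file)
        New-Item -Path $entry.Path -ItemType File -Force | Out-Null
        # Equivalent of: attrib +r "<path>"    (sets the ReadOnly attribute)
        Set-ItemProperty -LiteralPath $entry.Path -Name IsReadOnly -Value $true
    }
    # Re-run the check so the caller sees the final state of both files.
    Test-BadRabbitVaccine
}

Install-BadRabbitVaccine | Format-Table -AutoSize
```

Run it once to apply the vaccine and a second time to confirm both rows report Vaccinated; a SuspiciousFile row on the first run is the same signal as Step 1 failing in the deployment package.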
#1 Charlie.X, Member, Administration, Posts: 2,010
posted: 10/30/2017 2:22:22 PM(UTC)
Thanks mgiljum! Applause
