{
	"id": "0ac65ef4-ccdc-4361-8296-80345b5b6b50",
	"created_at": "2026-04-06T00:22:18.562393Z",
	"updated_at": "2026-04-10T03:20:56.22894Z",
	"deleted_at": null,
	"sha1_hash": "38ce07808921d7651d9ffe952e9c45ff13fc55db",
	"title": "Bad Rabbit ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414577,
	"plain_text": "Bad Rabbit ransomware\r\nBy Orkhan Mamedov\r\nPublished: 2017-10-24 · Archived: 2026-04-05 14:42:11 UTC\r\nUPDATE 27.10.2017. Decryption opportunity assessment. File recovery possibility. Verdicts\r\nWhat happened?\r\nOn October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia, but there have also been reports of victims in Ukraine.\r\nHere’s what a ransom message looks like for the unlucky victims:\r\nWhat is Bad Rabbit?\r\nBad Rabbit is a previously unknown ransomware family.\r\nHow is Bad Rabbit distributed?\r\nThe ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer.\r\nhttps://securelist.com/bad-rabbit-ransomware/82851/\r\nPage 1 of 16\n\nHowever, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks. The same exploit was used in the ExPetr attack.\r\nWe’ve detected a number of compromised websites, all of which were news or media websites.\r\nWhom does it target?\r\nMost of the targets are located in Russia. Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. Overall, there are almost 200 targets, according to the KSN statistics.\r\nSince when does Kaspersky Lab detect the threat?\r\nWe have been proactively detecting the original attack vector since it began on the morning of October 24. The attack lasted until midday, although ongoing attacks were detected at 19.55 Moscow time. The server from which the Bad Rabbit dropper was distributed went down in the evening (Moscow time).\r\nHow is it different to ExPetr? Or is it the same malware?\r\nOur observations suggest that this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. What’s more, the code analysis showed a notable similarity between the code of the ExPetr and Bad Rabbit binaries.\r\nTechnical details\r\nAccording to our telemetry, the ransomware is spread via a drive-by attack.\r\nThe ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php\r\nAlso according to our telemetry data, victims are redirected to this malware web resource from legitimate news websites.\r\nThe downloaded file named install_flash_player.exe needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges, which it attempts to obtain using the standard UAC prompt. If started, it will save the malicious DLL as C:\\Windows\\infpub.dat and launch it using rundll32.\r\nPseudocode of the procedure that installs the malicious DLL\r\ninfpub.dat appears to be capable of brute-forcing NTLM login credentials to Windows machines that have pseudo-random IP addresses.\r\nThe hard-coded list of credentials\r\ninfpub.dat will also install the malicious executable dispci.exe into C:\\Windows and create a task to launch it.\r\nPseudocode of the procedure that creates the task which launches the malicious executable\r\nWhat’s more, infpub.dat acts as a typical file-encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them using the criminal’s public RSA-2048 key.\r\nThe public key of the criminals and the extension list\r\nThe criminal’s public key parameters:\r\nPublic-Key: (2048 bit)\r\nModulus:\r\n00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:\r\n6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:\r\n37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:\r\n93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:\r\n95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:\r\na6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:\r\n4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:\r\n1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:\r\n1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:\r\n59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:\r\n59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:\r\nf4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:\r\n8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:\r\n47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:\r\n0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:\r\n81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:\r\n84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:\r\n1f:61\r\nExponent: 65537 (0x10001)\r\nThe executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module, which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.\r\nAn interesting detail that we noticed when analyzing the sample of this threat: it looks like the criminals behind this malware are fans of the famous books \u0026 TV show series Game Of Thrones. Some of the strings used throughout the code are the names of different characters from this series.\r\nDragon names from Game Of Thrones\r\nCharacter name from Game Of Thrones\r\nEncryption scheme\r\nAs we mentioned, the Bad Rabbit ransomware encrypts a victim’s files and disk. Files are encrypted with the following algorithms:\r\n1. AES-128-CBC\r\n2. RSA-2048\r\nThis is a common encryption scheme for ransomware.\r\nAn interesting fact is that the ransomware enumerates all running processes and compares the hashed name of each process with embedded hash values. It is important to mention that the hashing algorithm is similar to the ExPetr one.\r\nComparison of the Bad Rabbit and ExPetr hashing routines\r\nSpecial branch\r\nRuntime flags initialization routine\r\nThe full list of embedded hashes of process names:\r\nHash Process name\r\n0x4A241C3E dwwatcher.exe\r\n0x923CA517 McTray.exe\r\n0x966D0415 dwarkdaemon.exe\r\n0xAA331620 dwservice.exe\r\n0xC8F10976 mfevtps.exe\r\n0xE2517A14 dwengine.exe\r\n0xE5A05A00 mcshield.exe\r\nThe partitions on the victim’s disks are encrypted with the help of the DiskCryptor driver dcrypt.sys (which is installed into C:\\Windows\\cscc.dat). The ransomware sends the necessary IOCTL codes to this driver. Some functions are taken as is from the sources of DiskCryptor (drv_ioctl.c); others seem to be implemented by the malware developers.\r\nThe disk partitions on the infected machine are encrypted by the DiskCryptor driver using the AES cipher in XTS mode. The password is generated by dispci.exe using the WinAPI function CryptGenRandom and has a length of 32 characters.\r\nDecryption opportunity assessment\r\nUnlike ExPetr, the evidence suggests that Bad Rabbit is not intended as a wiper. Previously, in our article we wrote that the threat actors behind ExPetr were technically unable to decrypt the MFT that was encrypted with the GoldenEye component. In the case of Bad Rabbit, however, the malware algorithm suggests that the threat actors have the technical means to decrypt the password necessary for disk decryption.\r\nThe data shown on the screen of an infected machine as “personal installation key#1” is a binary structure, encrypted with RSA-2048 and base64-encoded, that contains the following information gathered from the infected system:\r\nThe threat actors can use their own private RSA key to decrypt this structure. After decryption they can send this information to the victim.\r\nPlease note that, despite what it says in other vendors’ reports, the value of the id field which is passed to dispci.exe is just a 32-bit number used to distinguish different infected machines, and not the AES key which is used for disk encryption.\r\nAs part of our analysis, we extracted the password generated by the malware during a debugging session and attempted to enter this password when the system was locked after reboot. The password indeed worked and the boot-up process continued.\r\nUnfortunately, we have to conclude that at this point there’s no way to decrypt the disk and victim files without the threat actor’s RSA-2048 private key. The symmetric encryption keys are securely generated on the ransomware side, which makes attempts to guess the keys unfeasible in practice.\r\nHowever, we found a flaw in the code of dispci.exe: the malware doesn’t wipe the generated password from memory, which means that there is a slim chance to extract it before the dispci.exe process terminates. In the picture below, note that while the variable dc_pass (which will be passed to the driver) is securely erased after use, that’s not the case for the variable rand_str, which holds the original copy of the password.\r\nPseudocode of the procedure that generates the password and encrypts the disk partitions\r\nFile encryption\r\nAs we wrote before, the trojan uses a common file encryption scheme. It generates a random 32-byte string and uses it in the key derivation algorithm. Unfortunately, the trojan uses the CryptGenRandom function when generating this string.\r\nKey derivation algorithm\r\nThe encrypted password, along with information about the infected system, is written into the Readme file as “personal installation key#2”.\r\nRansom note creation routine\r\nAn interesting fact is that the trojan cannot encrypt files which have a Read-only attribute.\r\nFile recovery possibility\r\nWe have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim’s files. This means that if shadow copies had been enabled prior to infection, and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by means of the standard Windows mechanism or 3rd-party utilities.\r\nShadow copies remain unharmed by Bad Rabbit\r\nRecommendations\r\nKaspersky Lab corporate customers are also advised to:\r\nmake sure that all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled.\r\nupdate the antivirus databases immediately.\r\nThe abovementioned measures should be sufficient. However, as additional precautions we advise the following:\r\nrestricting execution of files with the paths c:\\windows\\infpub.dat and C:\\Windows\\cscc.dat in Kaspersky Endpoint Security.\r\nconfiguring and enabling Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.\r\nKaspersky Lab products detect this threat with the following verdicts:\r\nTrojan-Ransom.Win32.Gen.ftl\r\nTrojan-Ransom.Win32.BadRabbit\r\nDangerousObject.Multi.Generic\r\nPDM:Trojan.Win32.Generic\r\nIntrusion.Win.CVE-2017-0147.sa.leak\r\nIOCs:\r\nhttp://1dnscontrol[.]com/\r\nfbbdc39af1139aebba4da004475e8839 – install_flash_player.exe\r\n1d724f95c61f1055f0d02c2154bbccd3 – C:\\Windows\\infpub.dat\r\nb14d8faf7f0cbcfad051cefe5f39645f – C:\\Windows\\dispci.exe\r\nSource: https://securelist.com/bad-rabbit-ransomware/82851/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/bad-rabbit-ransomware/82851/"
	],
	"report_names": [
		"82851"
	],
	"threat_actors": [],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38ce07808921d7651d9ffe952e9c45ff13fc55db.pdf",
		"text": "https://archive.orkl.eu/38ce07808921d7651d9ffe952e9c45ff13fc55db.txt",
		"img": "https://archive.orkl.eu/38ce07808921d7651d9ffe952e9c45ff13fc55db.jpg"
	}
}