Kaspersky researchers reported that some users could recover Bad Rabbit encrypted files without paying the ransom.
After infecting a device, the Bad Rabbit ransomware searches for certain file types and encrypts them. The hard disk is also encrypted and when the PC boots, a ransom note appears on the screen, preventing the victim from accessing the operating system.
The disk encryption and bootloader functionality are provided by code derived from a legitimate utility called DiskCryptor.
Security experts have linked the Bad Rabbit ransomware to the NotPetya attack of June, which caused significant disruption at many companies. Unlike NotPetya, however, which was classified as a wiper because victims could not recover their files even after paying the ransom, files encrypted by Bad Rabbit can be recovered with the right decryption key.
Although the encryption algorithms the malware uses, AES-128-CBC and RSA-2048, cannot be broken in practice, researchers from Kaspersky Lab have recently found some methods that may let victims decrypt their disk and recover the encrypted files.
As soon as an infected computer boots up, users are informed that their files have been encrypted and they are instructed to make a payment in order to obtain the password needed for decryption. The same screen also allows victims who have already obtained a password to enter it and boot their system.
The Kaspersky experts found that, once generated, the password needed to boot the system is not wiped from memory. This gives users an opportunity to extract it before the process that creates it, dispci.exe, terminates.
According to Kaspersky, once entered, the password boots the system and decrypts the disk; however, there is only a “slim chance” that victims will actually be able to extract it.
As for file recovery, the researchers noticed that Bad Rabbit does not delete shadow copies, the backups Windows creates through the Volume Shadow Copy Service. If this functionality was enabled before the files were encrypted, and the malware’s full disk encryption either failed for some reason or the disk was decrypted using the method described above, the encrypted data can be restored via Windows or third-party utilities.
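The two recovery paths above (capturing the boot password from dispci.exe while the process is still alive, and falling back on untouched shadow copies) are illustrated in the following PowerShell script. It is an added example, not code from Kaspersky or the article, and it rests on several assumptions: it runs as Administrator on a machine that still boots (the full-disk encryption stage did not take effect), Sysinternals procdump.exe is on the PATH, the infection time and the paths of the files to restore are placeholders the operator adjusts, and no password format is assumed, so the memory strings are only written out for manual review.

```powershell
# Added example (not Kaspersky's or the article's code).
# Assumptions: run as Administrator on a machine that still boots, Sysinternals
# procdump.exe is on PATH, infection time and file paths below are placeholders.

# 1. If the process that generates the boot password (dispci.exe, per the article)
#    is still alive, dump its memory now; the password may still be present.
$proc = Get-Process -Name 'dispci' -ErrorAction SilentlyContinue
if ($proc) {
    $dump = Join-Path $env:TEMP ('dispci_{0}.dmp' -f $proc.Id)
    & procdump.exe -accepteula -ma $proc.Id $dump | Out-Null
    # Extract printable ASCII runs of 8+ characters for manual review. The password
    # format is not documented here, so no pattern matching is attempted.
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($dump))
    [regex]::Matches($text, '[\x20-\x7e]{8,}') | ForEach-Object { $_.Value } |
        Sort-Object -Unique | Set-Content -Path "$dump.strings.txt"
    Write-Host "Printable strings from dispci.exe written to $dump.strings.txt"
} else {
    Write-Host 'dispci.exe is not running; the password can no longer be read from memory.'
}

# 2. Enumerate Volume Shadow Copies. Bad Rabbit does not delete them, so any
#    snapshot that predates the infection can be used to restore encrypted files.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    Write-Host 'No shadow copies present; VSS-based file recovery is not available.'
    return
}
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 3. Expose the newest snapshot taken before the infection as a directory.
$infectionTime = Get-Date '2017-10-24 00:00'   # assumption: adjust to the observed infection time
$snap = $shadows | Where-Object { $_.InstallDate -lt $infectionTime } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snap) { Write-Host 'No shadow copy predates the infection.'; return }

$link = 'C:\vss_snapshot'
# mklink requires the trailing backslash on the shadow copy device path.
cmd /c mklink /d $link ($snap.DeviceObject + '\') | Out-Null

# 4. Copy a pre-infection version of a file back (assumed paths; adjust as needed).
New-Item -ItemType Directory -Force -Path 'C:\recovered' | Out-Null
Copy-Item -Path "$link\Users\victim\Documents\report.docx" `
          -Destination 'C:\recovered\report.docx' -Force
Write-Host "Restored report.docx from snapshot $($snap.ID) taken $($snap.InstallDate)"

# 5. Remove the directory link (the snapshot itself is untouched).
cmd /c rmdir $link | Out-Null
```

The order matters: the memory capture comes first because it is only possible while dispci.exe is running, whereas the shadow copies persist. Step 3 prefers the newest snapshot that still predates the infection so that the least data is lost; the same snapshot can also be browsed through the "Previous Versions" tab in Explorer instead of the mklink step.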
In addition, Kaspersky experts have confirmed that Bad Rabbit does use an NSA-linked exploit to spread, although earlier reports claimed that no exploits had been observed. The threat uses the SMB exploit EternalRomance, which was also leveraged by NotPetya.
Considering all the similarities observed so far, the researchers believe the Bad Rabbit attack was carried out by the same group that launched the NotPetya campaign, known variously as BlackEnergy, TeleBots and Sandworm Team.