Remove Cscc.dat (Bad Rabbit Ransomware) | Updated

I wrote this article to help you remove Cscc.dat (Bad Rabbit Ransomware). This Cscc.dat (Bad Rabbit Ransomware) removal guide works for all Windows versions.

Cscc.dat is a malicious file associated with Bad Rabbit ransomware. The win-locker was uncovered on October 24 by researchers at Kaspersky Labs. Subsequently, it was discovered that the developers of the clandestine program leverage an exploit linked to the U.S. National Security Agency (NSA). The vulnerability, known as EternalRomance, was first reported by Microsoft in March. Further details about it were disclosed by the hacker group Shadow Brokers in April. According to Kaspersky Labs researcher Costin Raiu, Bad Rabbit ransomware had been waiting to pounce since at least July. The attack is now a reality.

The win-locker is distributed via fake updates for Adobe Flash Player. The bogus prompts can easily pass as real for a couple of reasons. To begin with, this media player is known for releasing frequent updates. Furthermore, the hackers display the prompts through legitimate websites. You should confirm the reliability of any message which requires you to take a certain action. It could be a trap. Fraud artists are constantly devising new ways to trick users. Even if you have agreed to the update, there is still a chance to redeem yourself. The payload of Bad Rabbit ransomware is stored within a setup file titled install_flash_player.exe. The virus requires you to manually execute it in order to gain access to your machine.

Upon entering a target computer, Bad Rabbit ransomware utilizes the Server Message Block (SMB) protocol to spread within the network. The next step is to create a couple of files, the aforementioned cscc.dat and dispci.exe. They enable the sinister program to modify the Master Boot Record (MBR) and restart the system after the encryption has been completed. To encrypt files, the virus deploys a combination of the AES-256-CBC and RSA-2048 ciphers. Research has revealed that it targets 113 file types. This encompasses text documents, databases, archives, graphics, videos, audio files, logs, scripts, and others. Bad Rabbit ransomware adds the .encrypted suffix to the names of all infected files. The final operation is to reboot the system.
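The paragraph above names the host-level traces Bad Rabbit leaves behind: the dropped components cscc.dat and dispci.exe, the .encrypted suffix, and (as described further down) a ransom note called Readme.txt. The script below is an added example, not code from the article or from any vendor tool: it sweeps a directory tree for those names so a responder can quickly confirm which machines were hit. The directory layout it builds is constructed purely for the demonstration; on a real host you would point `sweep()` at the system drive instead.

```python
"""
Added example (not from the original article): an offline triage sweep that
flags the host-level indicators the article attributes to Bad Rabbit:
  * files renamed with the .encrypted suffix
  * a ransom note named Readme.txt
  * dropped components named cscc.dat or dispci.exe
Only the file names come from the article; the locations used in the sample
tree are constructed for this demonstration.
"""
import os
import tempfile
from dataclasses import dataclass, field

DROPPED_COMPONENTS = {"cscc.dat", "dispci.exe"}   # names given in the article
RANSOM_NOTE = "readme.txt"                         # compared case-insensitively
ENCRYPTED_SUFFIX = ".encrypted"


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    dropped_components: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Any one indicator class is enough to escalate the host for review.
        return bool(self.encrypted_files or self.ransom_notes
                    or self.dropped_components)


def sweep(root: str) -> TriageReport:
    """Walk `root` and collect every path matching one of the indicators."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(path)
            elif lower == RANSOM_NOTE:
                report.ransom_notes.append(path)
            elif lower in DROPPED_COMPONENTS:
                report.dropped_components.append(path)
    return report


def build_sample_tree(infected: bool = True) -> str:
    """Constructed sample layout imitating a hit (or clean) host; returns root."""
    root = tempfile.mkdtemp(prefix="badrabbit_demo_")
    layout = {"Users/alice/Documents/notes.txt": "untouched file"}
    if infected:
        layout.update({
            "Users/alice/Desktop/Readme.txt": "ransom note placeholder",
            "Users/alice/Documents/report.docx.encrypted": "ciphertext placeholder",
            "Users/alice/Documents/budget.xlsx.encrypted": "ciphertext placeholder",
            "Windows/cscc.dat": "dropped component placeholder",
            "Windows/dispci.exe": "dropped component placeholder",
        })
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    print(f"infected: {result.infected}")
    print(f"{len(result.encrypted_files)} encrypted files, "
          f"{len(result.ransom_notes)} ransom notes, "
          f"{len(result.dropped_components)} dropped components")
```

The sweep matches on names only, so it is a fast first pass rather than proof of compromise; a machine that shows dropped components but no .encrypted files is one where the reboot-and-encrypt stage may not have run yet, which is exactly the case where isolating it from the network matters most.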

When your computer restarts, the consequences will be plain to see. Bad Rabbit ransomware makes sure that the victim will find the cause of the problem. It places a ransom note on the desktop titled Readme.txt. The message notifies users that their files have been encrypted and tells them what they are required to do. According to the note, you cannot recover your files on your own, but you can have them restored by submitting a payment. You will find a personal installation key and a link to a website which you have to visit. The website is hosted on the Tor network, which means you need to download the Tor browser in order to access it.

The domain reveals how much the victim is required to pay and how to complete the transaction. The developers of Bad Rabbit ransomware have set the ransom at 0.05 Bitcoins. This converts to roughly $300 USD. There is a deadline for paying this sum. If you miss it, the ransom will go up. Since Bad Rabbit ransomware has only been around for a short time period, it has yet to be reported how much the ransom increases and how long the deadline is. What we do know about the win-locker is that its range of distribution is widening. The first reported cases were in Ukraine and Russia. The virus had penetrated the computer systems of the Kiev metro station, the Odessa Airport, and several Russian media outlets. Later, it spread to Bulgaria, Poland, Turkey, and Japan.

The creators of Bad Rabbit ransomware have taken the necessary precautions to avoid getting caught. As previously stated, the payment website is hosted on the Tor network. This network was created to allow people to surf the web anonymously. Thus, the location of the hackers is kept hidden. The Bitcoin cryptocurrency makes online transactions seamless. It is impossible to trace the cash flow to the bank account of the cyber criminals. They may promise you that your files will be restored once you pay the ransom, but there is no guarantee in any form. What you can do to prevent data loss in the case of ransomware attacks is to store backups of your files.

Cscc.dat (Bad Rabbit Ransomware) Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Cscc.dat (Bad Rabbit Ransomware) deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive in the left panel
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file
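Method 1 only helps if at least one shadow copy survived, so it is worth checking that before installing anything. The following is an added example, not code from the article or from ShadowExplorer: it parses the text printed by Windows' built-in `vssadmin list shadows` command (run from an elevated prompt) and reports which shadow copies are still present. The sample output embedded below is constructed, with placeholder IDs and dates, and the output layout is assumed from the Microsoft tool rather than taken from the article.

```python
"""
Added example (not from the original article): check whether any Volume
Shadow Copies survived before trying to restore from them. The parser reads
the text `vssadmin list shadows` prints on Windows; the sample outputs here
are constructed (placeholder IDs and dates) and the layout is assumed from
Microsoft's tool.
"""
import re
import subprocess
from typing import Dict, List

# One shadow copy set looks like (indentation as printed by vssadmin, assumed):
#   Contained 1 shadow copies at creation time: <date>
#      Shadow Copy ID: {...}
#         Original Volume: (C:)\\?\Volume{...}\
#         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
ORIGINAL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
SHADOW_VOLUME_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_shadow_list(text: str) -> List[Dict[str, str]]:
    """Return one record per shadow copy found in vssadmin's output."""
    copies: List[Dict[str, str]] = []
    created = original = None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = m.group(1)          # applies to the copies that follow
            continue
        m = ORIGINAL_RE.search(line)
        if m:
            original = m.group(1)         # drive letter, e.g. "C:"
            continue
        m = SHADOW_VOLUME_RE.search(line)
        if m:
            copies.append({"volume": original, "device": m.group(1),
                           "created": created})
    return copies


def live_shadow_copies() -> List[Dict[str, str]]:
    """Run vssadmin on a Windows host (needs an elevated prompt)."""
    out = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True, check=False)
    return parse_shadow_list(out.stdout)


# Constructed sample: two surviving copies of C:, one from a month earlier.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 9/20/2017 8:00:00 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 10/23/2017 7:30:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Type: ClientAccessibleWriters
"""

# Constructed sample: what vssadmin prints after the copies have been wiped.
NO_COPIES_OUTPUT = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

if __name__ == "__main__":
    for copy in parse_shadow_list(SAMPLE_OUTPUT):
        print(f"{copy['volume']}  {copy['created']}  {copy['device']}")
    print("copies after wipe:", len(parse_shadow_list(NO_COPIES_OUTPUT)))
```

If the parser returns an empty list on the affected machine, skip straight to Method 2 or Method 3; if it returns entries, the `created` field tells you which restore point is old enough to predate the infection, which is the date you then pick in ShadowExplorer.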

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover encrypted files by using file recovery software. Since Cscc.dat (Bad Rabbit Ransomware) first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
