How to remove BadRabbit virus and restore encrypted files

BadRabbit вирус


This article can help you to remove ransomware virus called BadRabbit that infected computers all over the world, but mostly in Russia, Turkish and Germany. BadRabbit is a new modification of Petya virus (according to ESET and Group-IB specialists). Petya attacked English-speaker users by using Windows vulnerability. To fix this issue, Microsoft specialists did MS17-010 update patch for Windows 7 and even for Windows XP. Bad Rabbit attacked Russian internet newspapers like Interfax, Ukraine railway stations and airports. Yesterday, ransomware tried to corrupt banking system. The infection of malware was connected with hacked legitimate websites.

Usually, ransomware infects machines with help of most effective manner: fraud messages with dangerous attachments. In addition, web-criminals use exploits to get into the computer, but well-known software companies promptly correct them. After the infection, ransomware create two files infpub.dat and cscc.dat in C:\Windows folder. If you find these files on your system, run command prompt (cmd.exe) and disable files rights. Each virus knows how to corrupt image, video, audio and text files in all most used extensions. BadRabbit encrypts all files, but it is very interested in business documents, because they are very important. All executable programs on the computer will be untouched because scammers want only information. Encryption is made with the help of world-known AES and RSA algorithms, and it is so difficult that it can't be brute forced. This is the foundation for such a stunning success of this kind of viruses in last years: PC operator, even having a high experience in suchlike things, won't ever recover the data, and will have no way out except paying to scammers. The real method to restore the data is to find the scam website and to obtain the encryption keys. Sometimes it is possible to get the keys via defects in viruses’ program code. BadRabbit asks for 0.05 BTC for encrypted files. This is equal 283 $ now.


BadRabbit вирус


The computer knowledge is quite important in our century, since it assists you to defend the system from undesired software. Unfortunately, most people realize the importance of computer literacy just when ransomware penetrates their PC. To protect your system, you should keep in mind these three simple rules:

    • Do not disregard the symptoms that your PC displays. File encrypting is a intricate process that consumes a considerable amount of hardware resources. If you observe a noticeable drop in workstation power or notice an unwanted string in the Process Manager, you can unplug the laptop, load it in safe mode, and scan for threats. Of course, the certain amount of information will be encrypted, but you will have the other part.
    • Carefully examine your emails, particularly the messages that have attached files. The #1 model of scam e-mails is the notification about prize winning or parcel obtaining. The other effective kind of scam messages is a forgery for biz correspondence. Claims, Invoices for services or products, summaries, lawsuits and suchlike important information cannot be sent accidentally, and the receiver should know the sender. Otherwise, it is a fraud.
    • Take notice to the dialog boxes. The simplest method of file restoration is the restoration through Shadow Copies, and the developers of ransomware have added the removal of SC into the basic functionality of ransomware. Anyway, deletion of copies needs admin rights and acceptance from the user. The moment of thought before accepting the checkbox can save your files and your time.

You should know that removing BadRabbit is only the first. To decrypt the data you should read the tips in the below section of this article. To get rid of BadRabbit, you have to start the PC into safe mode and check it via antivirus. We don't advise to eliminate ransomware manually, because it has many defensive mechanisms which will interfere you. Qualitative encrypting viruses are able to delete corrupted information completely, if somebody tries to uninstall the program. To neutralize this, abide to the instructions under this paragraph.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore encrypted files

After removing the malware from the machine, you can get back the corrupted files. Actually, this is not literally decryption, because the encryption algorithms owned by scammers are extremely complex. There are the some exceptions, but usually data restoration requires plenty of time and money. To restore encrypted files you can use special programs like Recuva and Shadow Explorer. Alternative way is to restore files from backups. We made instruction how to restore information using Windows’ tools.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore
Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience