Researchers at Kaspersky Lab have discovered that some Bad Rabbit victims may be able to recover their files without paying the ransom.


The discovery came from analysis of the encryption functionality implemented by the ransomware: Bad Rabbit relies on the open-source DiskCryptor library for its encryption, and it reuses DiskCryptor's boot-time screen to let victims who have obtained the decryption password enter it and boot their system.

Kaspersky's researchers found that once the ransomware has generated the password needed for decryption, that password is never wiped from memory.

The symmetric encryption keys are securely generated on the ransomware side which makes attempts to guess the keys unfeasible in practice.

However, we found a flaw in the code of dispci.exe:

the malware doesn’t wipe the generated password from the memory, which means that there is a slim chance to extract it before the dispci.exe process terminates.

Unfortunately, there is only a “slim chance” that victims will be able to extract the password: it has to be pulled from the memory of the dispci.exe process before that process terminates.
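The window Kaspersky describes closes when dispci.exe exits, so any attempt has to capture the process memory while it is still running. The following PowerShell snippet is an added example and is not part of Kaspersky's analysis or the article; it assumes the Sysinternals procdump.exe and strings.exe tools are on PATH, that the shell is elevated, and uses a hypothetical output directory. The page does not document the password's format, so the dump still has to be searched by hand.

```powershell
# Added example, not from Kaspersky's write-up: snapshot dispci.exe memory
# before the process exits so the undeleted password can be searched for.
# Assumes Sysinternals procdump.exe / strings.exe on PATH and an elevated shell.
$dumpDir = 'C:\IR\dumps'      # hypothetical output directory
New-Item -ItemType Directory -Force -Path $dumpDir | Out-Null

# -w waits for a process with this image name to start (it runs only briefly),
# -ma writes a full memory dump, -accepteula suppresses the EULA prompt.
& procdump.exe -accepteula -ma -w dispci.exe "$dumpDir\dispci.dmp"

# The password format is not documented on the page, so this is only a first
# pass: extract printable strings of 16+ characters for manual review.
& strings.exe -accepteula -n 16 "$dumpDir\dispci.dmp" |
    Out-File "$dumpDir\dispci-strings.txt"
```

Because dispci.exe runs for a short time before the system reboots into the DiskCryptor screen, the dump has to be armed before the process is launched; once the machine has rebooted, this path is gone.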
However, Bad Rabbit does not delete Volume Shadow Copies, so victims can restore files through this standard Windows backup mechanism:

We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim’s files. It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by means of the standard Windows mechanism or 3rd-party utilities.
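The recovery path above depends on two conditions that are worth checking before anything else: shadow copies must still exist for the affected volume, and the machine must still boot (full-disk encryption must not have completed). The PowerShell below is an added example, not code from Kaspersky or the article; it checks the first condition and restores one file from the newest snapshot, using hypothetical file paths and assuming an elevated shell.

```powershell
# Added example, not from the original page: confirm that shadow copies
# survived the infection and pull one file out of the most recent snapshot.
# Assumes an elevated shell; both paths below are hypothetical.
$EncryptedPath = 'C:\Users\victim\Documents\report.docx'   # hypothetical
$RestorePath   = 'C:\Recovered\report.docx'                 # hypothetical

# 1. Map the file's drive letter to its volume GUID path, which is how
#    Win32_ShadowCopy names the volume it was taken from.
$volume  = (Get-Item $EncryptedPath).PSDrive.Name + ':\'
$volId   = (Get-CimInstance Win32_Volume |
            Where-Object { $_.DriveLetter -eq $volume.TrimEnd('\') }).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volId } |
           Sort-Object InstallDate
if (-not $shadows) {
    throw "No shadow copies exist for $volume; the VSS recovery path is closed."
}

# 2. Use the newest snapshot; pick an older one if the newest post-dates
#    the infection. The equivalent manual check is 'vssadmin list shadows'.
$shadow = $shadows | Select-Object -Last 1
# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
# exposing it as a directory symlink makes the snapshot browsable.
$linkPath = Join-Path $env:TEMP ('vss_' + $shadow.ID.Trim('{}'))
cmd /c mklink /d "$linkPath" "$($shadow.DeviceObject)\" | Out-Null

# 3. Copy the pre-encryption version of the file out of the snapshot,
#    then remove the symlink (rmdir removes the link, not the snapshot).
$relative = $EncryptedPath.Substring($volume.Length)
New-Item -ItemType Directory -Force -Path (Split-Path $RestorePath) | Out-Null
Copy-Item (Join-Path $linkPath $relative) $RestorePath
cmd /c rmdir "$linkPath" | Out-Null
```

Restoring from the snapshot by copying (rather than reverting the volume) keeps the encrypted originals intact for forensic analysis, and the same symlink can be used to copy out whole directory trees.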

More information on