Bad Rabbit ransomware data recovery may be possible

Security researchers found a way to recover data locked by the Bad Rabbit ransomware without paying, and others said money might not have been the driver of the attacks.

Two different security research firms uncovered important information about the Bad Rabbit ransomware attacks, including the motives and a possible way to recover data without paying.

A threat research team from FireEye found a connection between the Bad Rabbit ransomware and "Backswing," which FireEye described as a "malicious JavaScript profiling framework." According to the researchers, Backswing has been seen in use in the wild since September 2016 and recently some sites harboring the framework were redirecting to Bad Rabbit distribution URLs.

"Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the Bad Rabbit 'flash update' dropper)," FireEye researchers wrote. "The distribution of sites compromised with Backswing suggest (sic) a motivation other than financial gain. FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year. We observed a spike of Backswing instances on Ukrainian sites, with a significant increase in May 2017. While some sites hosting Backswing do not have a clear strategic link, the pattern of deployment raises the possibility of a strategic sponsor with specific regional interests."

Researchers added that using Backswing to gather information on targets and the growing number of malicious websites containing the framework could point to "a considerable footprint the actors could leverage in future attacks."

Bad Rabbit ransomware recovery

Meanwhile, researchers from Kaspersky Lab discovered flaws in the Bad Rabbit ransomware that could give victims a chance to recover encrypted data without paying the ransom.

The Kaspersky team wrote in a blog post that early reports claiming the Bad Rabbit ransomware leaked its encryption key were false, but the team did find a flaw in the code: the malware does not wipe the generated password from memory, leaving a slim chance to extract it before the process terminates.

However, the team also detailed an easier way to potentially recover files.

"We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim's files," Kaspersky researchers wrote. "It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities."
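One way for a defender to check whether those shadow copies survived and pull a pre-encryption copy of a file out of the newest one, as an added PowerShell example (not from the article or from Kaspersky's post; the file and directory paths are constructed placeholders, and it must run in an elevated session):

```powershell
# Added example: enumerate VSS shadow copies for C: and restore one file from the
# newest snapshot using the standard Windows mechanism (a directory symlink to the
# snapshot's device object). Paths are constructed placeholders.
$VictimFile = 'C:\Users\Public\Documents\report.docx'   # encrypted file (placeholder)
$RestoreDir = 'C:\Recovered'                            # destination for the clean copy
$Mount      = 'C:\shadow_mount'                         # temporary mount point

# 1. Confirm shadow copies exist for the C: volume; if none are listed, this path cannot help.
$volume  = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { throw 'No shadow copies present for C: - recovery via VSS is not possible' }
Write-Host ("Found {0} shadow copies; newest from {1}" -f @($shadows).Count, $shadows[0].InstallDate)

# 2. Expose the newest snapshot through a directory symlink (trailing backslash is required).
$snap = @($shadows)[0]
cmd /c mklink /d $Mount "$($snap.DeviceObject)\" | Out-Null

try {
    # 3. Copy the pre-encryption version of the file out of the snapshot.
    $relative = $VictimFile.Substring(3)          # strip the leading 'C:\'
    $source   = Join-Path $Mount $relative
    if (-not (Test-Path $source)) { throw "File not present in snapshot: $source" }
    New-Item -ItemType Directory -Force -Path $RestoreDir | Out-Null
    Copy-Item -Path $source -Destination $RestoreDir
    Write-Host "Restored $relative from snapshot $($snap.ID) to $RestoreDir"
}
finally {
    # 4. Remove the mount point only; the snapshot itself is left untouched.
    cmd /c rmdir $Mount | Out-Null
}
```

If the file is missing from the newest snapshot, rerun with an older entry from `$shadows`; each snapshot holds the volume as it was at its InstallDate.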
