Some extremely lucky users will be able to recover files locked by the Bad Rabbit ransomware because of small operational mistakes on the part of the malware's authors.
These flaws were revealed today in an update to Kaspersky's Bad Rabbit report. Researchers from the Russian antivirus vendor say they were able to discover two mistakes in Bad Rabbit's modus operandi.
The biggest of these is that Bad Rabbit does not delete volume shadow copies. The Volume Shadow Copy Service (VSS) is a Windows component that keeps point-in-time snapshots of a volume, from which earlier versions of files can be restored via the "Previous Versions" tab, vssadmin, or third-party tools.
File-encrypting ransomware replaces or overwrites each original with an encrypted copy, but any snapshot taken before the infection (by System Restore, Windows Backup, or a scheduled VSS job) still holds the pre-encryption versions of the files it covered. Snapshots live in a reserved diff area on the same volume and are discarded oldest-first once that area fills, so how far back they reach depends on free space; heavy write activity such as mass encryption can itself push older snapshots out.
Most ransomware families therefore delete shadow copies early on, typically with "vssadmin delete shadows /all /quiet" or the equivalent WMI call, to prevent victims and recovery tools from restoring the original, unencrypted files.
According to Kaspersky, whoever created the Bad Rabbit ransomware did not create a routine to delete these files. While shadow volume copies won't guarantee victims can get back all their files, it at least allows them to recover some documents.
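The check and recovery that this implies, as an added example (not code from the original article or from Kaspersky's report): list the snapshots that survived, pick the newest one taken before the infection, expose it as a directory and copy one file out. The target path, restore directory, mount point and infection time are placeholders; procdump-style memory work is not involved here. Run it elevated, ideally from a clean boot, and restore to a different disk so nothing is written over the victim volume's diff area.

```powershell
# Added example, not from the article or Kaspersky's report.
# Recover the pre-encryption version of one file from the newest surviving shadow copy.
# Assumed values: the encrypted file, the restore location, the temporary mount point
# and the infection time all come from the case, not from this page.

$Target        = 'C:\Users\victim\Documents\report.docx'   # encrypted file (assumed path)
$RestoreDir    = 'E:\Recovered'                             # restore to a different disk (assumed)
$MountPoint    = 'C:\shadow_mount'                          # temporary link to the snapshot (assumed)
$InfectionTime = Get-Date '2017-10-24 14:00'                # from ransom note / file mtimes (assumed)

# Only snapshots of the volume that holds the target are useful; Win32_Volume.DeviceID is the
# \\?\Volume{GUID}\ path that Win32_ShadowCopy.VolumeName uses.
$driveLetter = $Target.Substring(0, 2)
$volumeId    = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$driveLetter'").DeviceID

# 1. Enumerate shadow copies. An empty result means the malware (or a full diff area) removed them.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $volumeId } |
          Sort-Object InstallDate -Descending
if (-not $copies) { Write-Warning "No shadow copies exist for $driveLetter; nothing to recover from VSS."; return }
$copies | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 2. Pick the newest snapshot that predates the infection; later ones already hold encrypted data.
$snap = $copies | Where-Object { $_.InstallDate -lt $InfectionTime } | Select-Object -First 1
if (-not $snap) { Write-Warning 'Every snapshot post-dates the infection.'; return }

# 3. Expose the snapshot as a directory. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 and mklink needs the trailing backslash.
cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null

try {
    # 4. Paths inside the snapshot mirror the volume without the drive letter.
    $relative = $Target.Substring(3)
    $source   = Join-Path $MountPoint $relative
    if (Test-Path $source) {
        New-Item -ItemType Directory -Force -Path $RestoreDir | Out-Null
        Copy-Item $source -Destination $RestoreDir
        Write-Host "Restored $relative from the snapshot taken $($snap.InstallDate)"
    } else {
        Write-Warning "$relative is not present in that snapshot."
    }
}
finally {
    # 5. Remove the link only; the snapshot itself is left in place.
    cmd /c rmdir $MountPoint | Out-Null
}
```

If the first query returns nothing, VSS will not help; check for backups instead. Mounting the snapshot via a directory link is what tools such as ShadowExplorer do under the hood, so the same procedure works for whole-directory copies by replacing the single Copy-Item with a recursive one.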
The second mistake Kaspersky researchers found relates to the decryption passwords.
Similar to other disk-coder-type ransomware strains, Bad Rabbit works by encrypting the victim's files, encrypting the MFT (Master File Table), and replacing the MBR (Master Boot Record) with a custom boot screen. The disk-level stage is carried out with the open-source DiskCryptor utility, whose dispci.exe component the malware drops onto the system.
On this custom boot screen, Bad Rabbit shows a "personal installation key#1" value that victims must enter on the attackers' Tor site; after paying the ransom, they are given the password that unlocks the boot screen.
"As part of our analysis, we extracted the password generated by the malware during a debugging session and attempted to enter this password when the system was locked after reboot," Kaspersky researchers said. "The password indeed worked and the boot-up process continued."
Unfortunately, this password only gets past the custom bootloader: once the machine boots to the desktop, the files encrypted by the first stage remain encrypted.
"However, we found a flaw in the code of dispci.exe: the malware doesn’t wipe the generated password from memory, which means that there is a slim chance to extract it before the dispci.exe process terminates," Kaspersky experts say.
The catch is that the password is lost the moment dispci.exe exits or the PC is rebooted, and with it the chance of unlocking the disk without paying the ransom. Any memory acquisition has to happen before that.
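What that window means in practice, as an added example (not code from the original article, and not the method Kaspersky used in its debugging session): capture a full memory dump of dispci.exe while it is still running, then sweep the dump for printable strings to hand to the analyst. The assumptions are that Sysinternals procdump.exe is on PATH, that the password is a printable string of at least $MinLen characters (its real format is not given on this page), and that the dump goes to an external drive so nothing is written onto the victim volume.

```powershell
# Added example, not from the article or Kaspersky's report.
# Preserve dispci.exe memory before the process exits or the machine reboots,
# then list printable strings that could be the generated disk password.
# Assumptions: procdump.exe (Sysinternals) is on PATH; $DumpDir is removable media;
# the password is printable and at least $MinLen characters long.

$ProcName = 'dispci'
$DumpDir  = 'E:\ir'      # assumed: external drive, not the encrypted volume
$MinLen   = 16           # assumed minimum password length

$proc = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
if (-not $proc) { Write-Warning "$ProcName.exe is not running; the password is no longer in memory."; return }

New-Item -ItemType Directory -Force -Path $DumpDir | Out-Null
$dump = Join-Path $DumpDir "$ProcName-$($proc.Id).dmp"

# -ma writes a full memory dump; -accepteula suppresses the interactive licence prompt.
& procdump.exe -accepteula -ma $proc.Id $dump | Out-Null
if (-not (Test-Path $dump)) { throw 'procdump did not produce a dump file.' }

# Decode the raw bytes two ways: ISO-8859-1 maps every byte to one char (so only real
# 0x20-0x7e bytes match), and UTF-16LE catches wide strings that Windows APIs commonly hold.
$bytes   = [System.IO.File]::ReadAllBytes($dump)
$latin1  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
$unicode = [System.Text.Encoding]::Unicode.GetString($bytes)
$pattern = "[\x20-\x7e]{$MinLen,}"

$candidates = @()
foreach ($text in @($latin1, $unicode)) {
    $candidates += [regex]::Matches($text, $pattern) | ForEach-Object { $_.Value }
}

# Drop obvious non-passwords (file system paths, module names) and save the rest for review.
$candidates |
    Where-Object { $_ -notmatch '\\' -and $_ -notmatch '\.(dll|exe|sys)$' } |
    Sort-Object -Unique |
    Set-Content (Join-Path $DumpDir 'candidates.txt')

Write-Host "Dump saved to $dump; review candidates.txt and try entries at the Bad Rabbit boot screen."
```

The dump is the valuable artefact; the string sweep is only a first pass, and anything that looks like a key should be tried at the boot screen on a copy of the disk rather than the original. Nothing here recovers the file-encryption key, which is why the files on the desktop stay encrypted even when the boot password is found.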
Researchers found a similar flaw in the WannaCry ransomware this spring: wcry.exe left the prime factors of its RSA key in process memory, which the Wannakey and Wanakiwi tools used to rebuild the decryption key. That flaw was rarely usable in live infections, and the same caveats apply here: the process must still be running, the machine must not have been rebooted, and the memory pages must not have been reused, conditions researchers can arrange in a test environment but victims rarely meet in the real world.
You can read more on Bleeping Computer's Bad Rabbit ransomware outbreak coverage here.
Image credits: Kaspersky Lab