Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files, preventing them from regaining access until a ransom—usually in Bitcoin—is paid.



Bad Rabbit first appeared in 2017 and has similarities to ransomware strains called WannaCry and Petya.

Disguised as an Adobe Flash installer, a Bad Rabbit attack spreads through drive-by downloads on compromised websites, meaning victims could be exposed to the virus simply by visiting a malicious or compromised website. The Bad Rabbit malware is embedded into websites using JavaScript injected into the site’s HTML code.

If a person clicks on the malicious installer, Bad Rabbit ransomware encrypts files and presents users with an austere black-and-red message. It reads in part: “If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don’t waste your time.”

The text demands around $280 in Bitcoin and gives a 40-hour deadline for payments to be made.[1] Victims reported that making the payment did unlock their files, though this isn’t always the case in other ransomware attacks.


Ransomware such as Bad Rabbit attacks a network in one of two ways: as an encryptor (as is the case with Bad Rabbit malware) or as a screen locker. Encryptors lock data on a targeted system, making the content inaccessible without a decryption key. A screen locker blocks access to the system via a lock screen that merely claims that the system is encrypted.[2]

In either case, preventing Bad Rabbit ransomware is a far better option than remediating it.

Once you realise that you are the victim of a Bad Rabbit ransomware attack, follow these steps to respond:[3]

  1. Contact law enforcement.
  2. Disconnect from any computers, servers or other equipment on your network.
  3. Determine the scope of the problem based on your knowledge of threat intelligence.
  4. Orchestrate a response. Some types of ransomware, such as screen lockers, are easier to remediate. Others may require completely re-imaging (wiping) systems and recovering files from backup.
  5. Look for free ransomware decryption tools—but don’t rely on them. They don’t work for every type of ransomware and may not help you get your files back.
  6. Restore captive files from your backup systems.



[1] Lena Fuks (Security Boulevard). “10 Ransomware Attacks You Should Know About in 2019”
[2] Proofpoint. “Ransomware is Big Business”
[3] Proofpoint. “The Ransomware Survival Guide”
