Some extremely lucky users will be able to recover files locked by the Bad Rabbit ransomware because of small operational mistakes on the part of the malware's authors.
These flaws were revealed today in an update to Kaspersky's Bad Rabbit report. Researchers from the Russian antivirus vendor say they discovered two mistakes in Bad Rabbit's modus operandi.
Bad Rabbit does not delete volume shadow copies
The biggest of these is that Bad Rabbit does not delete volume shadow copies, point-in-time snapshots of an entire disk volume that the Windows Volume Shadow Copy Service (VSS) takes when System Restore, Windows Backup or a scheduled task requests one.
A snapshot is not tied to any single file being "in use": it captures every file on the volume as it was at that moment. If a snapshot was taken before the infection, it still holds the pre-encryption version of every file, no matter whether the ransomware encrypted files in place or wrote an encrypted copy and deleted the original. Snapshots live in a reserved area on the same volume that is invisible to normal file browsing and are kept for an undetermined period, bounded by the storage quota assigned to them; as that area fills, the oldest snapshots are discarded.
Most ransomware families delete shadow copies early in their execution, typically by running "vssadmin delete shadows /all /quiet" or "wmic shadowcopy delete", so that neither Windows' own "Previous Versions" feature nor third-party recovery tools can find the original, unencrypted files.
According to Kaspersky, whoever created the Bad Rabbit ransomware did not include such a routine, so any snapshots that existed before the infection are still on disk. Shadow copies won't guarantee that victims get back all their files: recovery only works if System Protection was enabled for the volume, a snapshot predating the infection survived, and the wanted file existed at the time the snapshot was taken, and anything changed after that moment is lost. But they at least allow victims to recover some documents, via the "Previous Versions" tab in Explorer or a tool such as ShadowExplorer.
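The check and recovery described above, written out as an added PowerShell example; this is not code from Kaspersky's report or from the Bad Rabbit sample. It lists the VSS snapshots that survived on a volume (reporting, as most ransomware would have caused, if none are left), picks the newest one taken before an assumed infection time, and copies a single pre-encryption file out of it. The file path, volume, infection time and output directory are assumptions passed as parameters; the script must run from an elevated prompt.

```powershell
# Added example (not from the Bad Rabbit report or sample): recover the
# pre-infection version of one file from a surviving VSS snapshot.
# Run elevated. All default values below are assumptions for illustration.
param(
    [string]$Volume   = 'C:\',                                     # volume the file lived on
    [string]$FilePath = 'C:\Users\alice\Documents\report.docx',    # file to recover (assumed path)
    [datetime]$Before = (Get-Date).AddHours(-6),                   # assumed infection time
    [string]$OutDir   = 'C:\Recovered'
)

# Map the drive letter to its \\?\Volume{GUID}\ device ID; Win32_ShadowCopy
# records the volume it snapshots in that form, not as a letter.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }

# Every surviving snapshot of this volume, newest first.
$snaps = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $snaps) {
    Write-Warning "No shadow copies left on $Volume. Ransomware that runs 'vssadmin delete shadows /all /quiet' leaves exactly this state; nothing to recover from VSS."
    return
}

# Show what survived: snapshot ID, creation time and device object path.
$snaps | Format-Table ID, InstallDate, DeviceObject -AutoSize

# The newest snapshot that predates the infection holds the unencrypted file.
$snap = $snaps | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
if (-not $snap) { throw "No snapshot older than $Before; remaining snapshots postdate the infection" }

# Snapshot contents are only reachable through the \\?\GLOBALROOT\Device\...
# path. A directory symlink (trailing backslash required) makes the snapshot
# browsable with ordinary file tools.
$link = Join-Path $env:TEMP ('vss_' + $snap.ID.Trim('{}'))
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
try {
    $rel = $FilePath.Substring($Volume.Length)       # path relative to the volume root
    $src = Join-Path $link $rel
    if (-not (Test-Path -LiteralPath $src)) {
        throw "$rel did not exist when the snapshot was taken ($($snap.InstallDate))"
    }
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    Copy-Item -LiteralPath $src -Destination $OutDir
    Write-Host "Recovered $rel from snapshot taken $($snap.InstallDate) into $OutDir"
} finally {
    # rmdir removes only the symlink, never the snapshot or its contents.
    cmd /c rmdir "$link" | Out-Null
}
```

Copying the file out of the snapshot rather than restoring it in place is deliberate: the snapshot area is read-only and the encrypted copy on the live volume is kept as evidence. The same enumeration, without the copy step, is a quick triage check on any infected host to see whether VSS-based recovery is still possible before the snapshot quota recycles the oldest entries.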