When run, it masquerades as an Adobe Flash installer and requires administrator privileges. The virus uses AES-256-CBC and RSA-2048 ciphers to lock the files, adds the .encrypted extension to their original filenames, and creates a Readme.txt file, which it places on the Desktop. Bad Rabbit then replaces the Master Boot Record (MBR) and restarts the computer.
The victim loses access to the computer, which fails to boot and instead displays a threatening message on a black screen. The ransomware says “Oops! Your files have been encrypted!” and explains that the only possible data restoration method is paying a ransom to the virus's authors.
- Odessa airport (Ukraine)
- Kiev Metro (Ukraine)
- Interfax (Russia)