When Bad Rabbit made antivirus jump the gun

The Setup – You’re running Windows 7 Professional and want full disk encryption. The open source options don’t look great, and to get BitLocker you need Windows 7 Enterprise or an upgrade to Windows 8 (or 8.1), which may not be an option because of the user base’s learning curve. Someone decides that DiskCryptor, being open source and derived from legitimate software, is the best choice. No issues up until one morning when machines start bricking on reboot and blue-screening with Stop 7B (INACCESSIBLE_BOOT_DEVICE) errors. Not sure whether it’s an update or not, you dig in.

Here is what is happening. Bad Rabbit hit a good part of Europe, so Malwarebytes was quick to push a way to defend against it. If you didn’t know, Bad Rabbit bundles the legitimate DiskCryptor driver (dcrypt.sys) and its boot loader to encrypt your drive and hold it for ransom. The other fun thing is that Windows 7 ships with basically Windows Defender, and Microsoft was also doing its bit to defend against Bad Rabbit, so it can also spring and attack a legitimate DiskCryptor install: the driver and boot loader are the same files the ransomware ships, so signatures for one hit the other.

Of course, these days, the best approach is to move to Windows 10 Professional and enable BitLocker. Read on to get yourself out of the pickle if you haven’t gotten that far yet.

Update 2017-11-01 – Looks like both products below no longer flag this software with a false positive. I couldn’t reproduce this in my lab VM.

Windows Defender – Strips the boot loader, which is the piece that prompts for the password at boot, unlocks the encrypted system volume and then hands off to Windows. You’ll have to re-install the boot loader, which is easy.

Malwarebytes – This one is tougher. If the machine hasn’t rebooted yet, you can restore and allow the (up to) three items it quarantines: two dcrypt driver files and a registry key. If you’re not so lucky, you’ll have to follow the guide below to get out of this pickle.


Fixing the Boot Loader Issue (Windows Defender)

  1. Download the recovery CD someone has made. It’s a legal grey zone – you can get all the files yourself to build the same disk, but this is premade, so it makes it easier:
    1. https://diskcryptor.net/forum/index.php?topic=5284.0
    2. Note – I used the PLUS version and burnt it to a CD. You can also successfully use RUFUS and burn it to a USB drive.
    3. You may need to change your HDD/SSD to AHCI mode from RAID if you can’t get this to boot – worked for us on systems that have M.2 PCIe SSDs
  2. Open DiskCryptor on the desktop once boot is complete
  3. Open the menu Tools > Bootloader Config
  4. Choose your primary hard drive (USB will also show up here I believe, so be careful)
  5. Click on Install Bootloader
  6. Reboot – you should be good to go

Fixing the Malwarebytes issue when the machine won’t boot (Stop 7B)

  1. Download the recovery CD someone has made. It’s a legal grey zone – you can get all the files yourself to build the same disk, but this is premade, so it makes it easier:
    1. https://diskcryptor.net/forum/index.php?topic=5284.0
    2. Note – I used the PLUS version and burnt it to a CD. You can also successfully use RUFUS and burn it to a USB drive.
    3. You may need to change your HDD/SSD to AHCI mode from RAID if you can’t get this to boot – worked for us on systems that have M.2 PCIe SSDs
  2. Open DiskCryptor on the desktop once boot is complete
  3. Select your C: drive and perform a mount (it may not be C: when booted from the recovery disk – in my case it’s E:)
  4. Enter your password and Click OK
  5. You should get an option now to decrypt the drive
  6. Enter your password again
  7. Wait for the disk to finish decryption (or work on the following, but DO NOT reboot until this is complete)
  8. In the meantime, you can remove the boot loader from the disk as well (continue)
  9. Open the menu Tools > Bootloader Config
  10. Choose your primary hard drive (USB will also show up here I believe, so be careful)
  11. Click on Remove Bootloader
  12. Now the fun part – clean up all the registry entries, so Windows 7 doesn’t try loading missing filter driver files and crash on boot
  13. Open Regedit (Win+R, type regedit, press Enter)
  14. Navigate to Computer > HKEY_LOCAL_MACHINE (HKLM here on out)
  15. File > Load Hive…
  16. Navigate to the (C:) \Windows\System32\config\
  17. Open the SYSTEM file (it has no extension)
  18. Enter anything for the Key Name: (Temp)
  19. Select the new key that represents the hive on the HDD
  20. Go to Edit > Find…
  21. Search for dcrypt
  22. Remove the following:
    1. In any UpperFilters or LowerFilters value (multi-line REG_MULTI_SZ), remove only the ‘dcrypt’ line – leave every other entry in place!
    2. Remove ‘dcrypt.sys’ from the DumpFilters value under Control\CrashControl (screenshots of the value before and after the edit were here)
    3. Keep pressing F3 (Find Next) until nothing matching dcrypt is left
    4. Delete the entire dcrypt key (the driver’s service entry under Services)
    5. If you run across a PendingRename key, you can just blow this away too
  23. Select the Temp key and do File > Unload Hive… so the edits are written back to the SYSTEM file on disk
  24. Wait for the disk to fully decrypt
  25. Reboot into Windows
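The registry cleanup above (steps 12 through 22) as a PowerShell script. This is an added example, not code from the original post or from the DiskCryptor project. It assumes the DiskCryptor service and driver are named dcrypt and dcrypt.sys (as on this page), that you run it elevated either from a WinPE that has PowerShell or with the affected disk attached to another Windows box, and that the offline SYSTEM hive lives at C:\Windows\System32\config\SYSTEM (pass -HivePath if the disk mounts under another letter, e.g. E:). The temporary mount name TempSys and the -Live/-Remove switches are my own; by default it only audits and writes nothing.

```powershell
<#
  Audit (default) or remove DiskCryptor 'dcrypt' references in a SYSTEM hive so
  Windows 7 stops trying to load a quarantined dcrypt.sys at boot (Stop 7B).
  Added example, not the post's or DiskCryptor's own code. Assumes the names
  'dcrypt' / 'dcrypt.sys'; run elevated.
    .\Clean-Dcrypt.ps1                         # audit offline hive at the default path
    .\Clean-Dcrypt.ps1 -HivePath E:\Windows\System32\config\SYSTEM -Remove
    .\Clean-Dcrypt.ps1 -Live                   # audit the running system before rebooting
#>
param(
    [string]$HivePath  = 'C:\Windows\System32\config\SYSTEM',
    [string]$MountName = 'TempSys',   # arbitrary temp key name under HKLM
    [switch]$Live,                     # scan HKLM\SYSTEM of the running OS instead
    [switch]$Remove                    # without this, report only
)

$driver   = 'dcrypt'
$findings = New-Object System.Collections.Generic.List[string]

if ($Live) {
    $root    = 'HKLM:\SYSTEM'
    $sysFile = Join-Path $env:SystemRoot 'System32\drivers\dcrypt.sys'
} else {
    # Same as regedit File > Load Hive, but scriptable.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
    $root    = "HKLM:\$MountName"
    $sysFile = Join-Path (Split-Path -Qualifier $HivePath) 'Windows\System32\drivers\dcrypt.sys'
}

# Drop one element from a REG_MULTI_SZ value; delete the value if nothing is left.
function Remove-MultiSzElement([string]$Key, [string]$Name, [string]$Element) {
    $val = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $val) { return }
    if (-not (@($val) | Where-Object { $_ -ieq $Element })) { return }
    $findings.Add("$Key\$Name contains '$Element'")
    if (-not $Remove) { return }
    [string[]]$kept = @($val) | Where-Object { $_ -ine $Element }
    if ($kept.Count -gt 0) {
        Set-ItemProperty -Path $Key -Name $Name -Value $kept -Type MultiString
    } else {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

try {
    # Walk every ControlSet00N, not just the one Select\Current points at; this is
    # the scripted version of "keep pressing F3 until nothing is left".
    foreach ($cs in Get-ChildItem $root | Where-Object { $_.PSChildName -match '^ControlSet\d+$' }) {
        $csPath = "$root\$($cs.PSChildName)"

        # 1. UpperFilters / LowerFilters on every device class: remove only 'dcrypt'.
        $classKey = Join-Path $csPath 'Control\Class'
        foreach ($class in Get-ChildItem $classKey -ErrorAction SilentlyContinue) {
            foreach ($name in 'UpperFilters', 'LowerFilters') {
                Remove-MultiSzElement "$classKey\$($class.PSChildName)" $name $driver
            }
        }

        # 2. DumpFilters (crash-dump stack) lists the driver file name.
        Remove-MultiSzElement (Join-Path $csPath 'Control\CrashControl') 'DumpFilters' "$driver.sys"

        # 3. The driver's service key itself.
        $svc = Join-Path $csPath "Services\$driver"
        if (Test-Path $svc) {
            $findings.Add("$svc exists")
            if ($Remove) { Remove-Item $svc -Recurse -Force }
        }

        # 4. PendingFileRenameOperations (assumed to be what the post calls the
        #    "PendingRename" key): only touch it if it references the driver.
        $sm  = Join-Path $csPath 'Control\Session Manager'
        $pfr = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if ($pfr -and (@($pfr) -match $driver)) {
            $findings.Add("$sm\PendingFileRenameOperations references $driver")
            if ($Remove) { Remove-ItemProperty -Path $sm -Name PendingFileRenameOperations }
        }
    }

    # Registry still wired up but the driver file quarantined = 7B on next boot.
    if (-not $Remove -and $findings.Count -gt 0 -and -not (Test-Path $sysFile)) {
        $findings.Add("$sysFile is missing while the registry still references $driver (expect Stop 7B)")
    }

    if ($findings.Count -eq 0) { "No '$driver' references found under $root" } else { $findings }
}
finally {
    if (-not $Live) {
        # Release the provider's handles, then unload (regedit's File > Unload Hive).
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}
```

Run it without -Remove first and read the findings; the -Live audit is the check to do on a machine that has not rebooted yet, because if the filter and service entries are still there but dcrypt.sys has been quarantined, the next boot is the Stop 7B. Only pass -Remove against the offline hive after the volume has finished decrypting, exactly as the manual steps require, and never reboot mid-decryption.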

Ending notes

I ran across a few fun bugs with this software:

  1. When you have a Windows boot CD in the machine, it writes text to the console, and the prompt to enter a password is then appended to that text – the software doesn’t clear the screen first (doh!)
  2. The password status doesn’t work, and honestly is a bad feature to even consider having, since it lets someone write a script to hammer at the decryption password. My password is 8 characters.
