.killrabbit Ransomware Virus – How to Remove and Restore Files

This article has been created to explain what the .killrabbit ransomware virus is and how you can remove it and try to restore files encrypted by it on your PC.

The .killrabbit files virus is a type of ransomware that encrypts the files on the computers it infects in order to extort the users of those PCs into paying to be able to decrypt and open the encrypted files again. To reach its end goal, the .killrabbit ransomware may use different techniques, including the powerful AES-256 encryption algorithm, which renders the files impossible to open. If you are one of the victims of the .killrabbit ransomware, we recommend that you read this article, as it aims to help you remove the .killrabbit ransomware virus and to show you how you can restore files encrypted by it on your PC.

Threat Summary

Name: .killrabbit Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to use AES-256 encryption to render the files on your computer unable to be opened.
Symptoms: The files are encrypted with an added .killrabbit extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.killrabbit Ransomware – How Does It Infect

The primary infection method of the .killrabbit ransomware virus may be malicious files that pretend to be legitimate and are manually sent to the victim as e-mail attachments. Such files often imitate invoices, receipts and other types of important documents to get users to open them. The e-mails are also very convincing, for example:

In addition to e-mail, the .killrabbit ransomware may also be spread onto victims' computers by posing as a legitimate setup, crack, key generator or portable program of some sort that is uploaded to websites offering free downloads of such programs, thus misleading some users into falling for this trap.

.killrabbit Ransomware – More Information

The .killrabbit ransomware aims to get users to become infected with it, after which the malware encrypts their files and holds them hostage until a ransom has been paid to the ones behind the virus. This virus is likely a variant of the BadRabbit ransomware family, as they share a similar extension.

Once a victim PC is infected with this ransomware virus, it may drop its payload files in the following Windows directories:

  • %Windows%
  • %AppData%
  • %Local%
  • %LocalLow%
  • %Temp%
  • %Roaming%

Furthermore, the .killrabbit ransomware may also create a task in Windows Task Scheduler that automatically runs one of its executable files. Shortly after this, the ransomware may modify the following Windows Registry sub-keys:

→ HKLM\SYSTEM\CurrentControlSet\services\cscc
HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath cscc.dat
HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName Windows Client Side Caching DDriver
HKLM\SYSTEM\CurrentControlSet\services\cscc\Group Filter
HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService FltMgr

Shortly after that, the .killrabbit ransomware may delete the shadow copies of the infected machine, preferably by executing the following commands as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
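
The commands above leave a recognisable trail in process-creation logs. The following detection sketch is an added example, not code from the original article; the host names and sample records are constructed, and the function names and the threshold of three distinct behaviours are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Services the article lists as stopped, spelled exactly as on the page (incl. "VVS").
STOPPED_SERVICES = {"vvs", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

# One rule per behaviour described in the article's command list.
RULES = [
    ("service_stop", re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
]

def classify(cmdline):
    """Return the behaviour label for one command line, or None if benign."""
    for label, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        # Stopping an unrelated service is routine admin work; only count listed ones.
        if label == "service_stop" and m.group(1).lower() not in STOPPED_SERVICES:
            continue
        return label
    return None

def hosts_to_triage(events, min_distinct=3):
    """events: iterable of (host, cmdline). Flag hosts with several distinct behaviours."""
    seen = defaultdict(set)
    for host, cmdline in events:
        label = classify(cmdline)
        if label:
            seen[host].add(label)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= min_distinct}

# Constructed sample process-creation records: (host, command line).
SAMPLE = [
    ("WS-01", "sc stop WinDefend"),
    ("WS-01", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("WS-01", '"C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("WS-02", "sc stop Spooler"),
    ("WS-02", "vssadmin list shadows"),
    ("SRV-03", "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
]

if __name__ == "__main__":
    for host, behaviours in hosts_to_triage(SAMPLE).items():
        print(host, behaviours)
```

Requiring several distinct behaviours on one host keeps a single legitimate `sc stop` or `bcdedit` call from raising an alert, while the combination of security-service stops, disabled recovery and shadow-copy deletion stands out.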

.killrabbit Ransomware – Encryption Process

In order to encrypt the files on the computer infected by it, the .killrabbit ransomware virus may use the AES-256 encryption algorithm. The virus first scans for the files it wants to encrypt, among which may be the following file types:


As soon as the ransomware detects the files which are eligible for encryption, the originals may be deleted and copies of them might be created with the idea to encrypt the copies and add the .killrabbit file extension to them, making the files appear like the image below shows:

Remove .killrabbit Ransomware and Restore Files

The .killrabbit ransomware is a type of malware that cannot be removed as easily as it seems. To remove it, it is recommended to follow the removal instructions underneath. They are divided into manual or automatic removal methods, and if you lack experience in removing viruses like the .killrabbit one, security experts often advise using an advanced anti-malware program for the removal, as it is equipped to help remove the .killrabbit ransomware virus automatically from your computer.

If you want to restore files encrypted by this ransomware virus, it is strongly recommended to try the alternative instructions underneath this article for file recovery. They may not be 100% effective, but with their aid you may be able to restore most of your encrypted files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
