False positive in Microsoft’s security software causes some Windows PCs to no longer boot

Posted 26 October 2017 15:04 CET by Jan Willem Aldershoff

A false positive in both Windows Defender and Microsoft Security Essentials has caused some Windows computers to fail to boot. The applications falsely flagged the bootloader of the open-source encryption software DiskCryptor as malware.

Both applications falsely detected DiskCryptor as the BadRabbit ransomware. BadRabbit is currently making the rounds, mainly in Russia and Ukraine, but it has also been detected in Turkey and Germany. BadRabbit uses DiskCryptor to encrypt data, which is likely why Microsoft’s security applications mistakenly deleted legitimate installations of DiskCryptor.

Even worse, both applications deleted the legitimate DiskCryptor bootloader, making it impossible to boot into Windows.

“I had this issue at work today. Total nightmare. Had to use a WinPE boot flash drive to reload the DiskCryptor bootloader on users who rebooted already. Then, go in and turn off real time protection in Security Essentials, scan the computer to find the ‘virus’, set it to allow, then turn real time protection back on and make sure the bootloader was still loaded,” user letgomylego writes on Reddit.

Although the ransomware calls itself BadRabbit, Microsoft has named it Win32/Tibbar.A. The company provides additional information about the malware on its website but has not yet confirmed the issues with DiskCryptor.
