
Black Feather Virus – Remove and Restore .blackfeather Files


A ransomware crypto-virus that calls itself Black Feather was recently found by the malware researcher Michael Gillespie. The virus is based on the popular HiddenTear open-source project and uses the AES encryption algorithm to lock files on a compromised computer. Files get locked with a new extension, namely .blackfeather. To see how to remove this ransomware and a possible solution to decrypt your files, carefully read this article.

Threat Summary

Name: Black Feather
Type: Ransomware, Crypto-Virus
Short Description: The ransomware will encrypt your files and demand payment of 0.3 Bitcoins, which is nearly 200 US dollars.
Symptoms: The ransomware will encrypt files with different extensions while appending the .blackfeather extension to them. A ransom note with instructions will be shown afterward.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by Black Feather (Malware Removal Tool)
User Experience: Join Our Forum to Discuss Black Feather.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Black Feather Virus – Infection Tactics

The new variant of the Black Feather ransomware is probably spread in more than one way. Spam emails are the most common delivery channel for this virus. The spam email carries a very brief message that tries to sound urgent. At the end, it prompts the reader to read the full message in an attached file, or to open that attachment for some other reason. For this ransomware, the malicious payload is inside an Adobe PDF file attached to the e-mail. Opening it infects your computer system and later encrypts your data.

That file is crafted in a clever way to hide its true file type, by displaying an error message:

→There was an error opening this document. The file is damaged and could not be repaired.

Social media sites or file-sharing networks could be used to spread Black Feather as well. A good tip to avoid infection is to avoid suspicious e-mails, files or links. Always check a downloaded file's signature and size, and scan it with security software. You should read other ransomware prevention tips from our forum.
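The "check a file for its signature" advice above can be automated: a file's leading bytes (its magic) reveal what it really is, regardless of the extension shown in the mail client, so a ".pdf" attachment that does not start with the PDF header (or that starts with the "MZ" header of a Windows executable) is exactly the kind of disguised payload described in this section. The following script is an added example written for this article, not code from the page or from any vendor; the sample attachments are constructed byte strings, and the signature table is limited to a handful of well-known formats.

```python
import os

# Well-known leading bytes ("magic") of a few file formats that commonly
# arrive as e-mail attachments.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"MZ": "pe",                 # Windows executable, DLL or screensaver
    b"PK\x03\x04": "zip",        # plain zip, and docx/xlsx/pptx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls binaries
    b"{\\rtf": "rtf",
}

# Sniffed types that legitimately belong to each extension.
EXPECTED_BY_EXT = {
    ".pdf": {"pdf"},
    ".exe": {"pe"}, ".scr": {"pe"}, ".dll": {"pe"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole", "rtf"}, ".xls": {"ole"}, ".rtf": {"rtf"},
}


def sniff_type(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content type."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    expected = EXPECTED_BY_EXT.get(ext)
    # Only extensions in the table are judged; an extension we do not know
    # about is reported but never counted as a mismatch.
    mismatch = expected is not None and kind not in expected
    return {"filename": filename, "extension": ext, "sniffed": kind,
            "size": len(data), "mismatch": mismatch}


# Constructed sample attachments (not real malware): a genuine PDF header, a
# file that claims to be a PDF but starts with a PE header, and a text file.
SAMPLES = {
    "Invoice_2016.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "Document.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                    + b"\x00" * 48 + b"PE\x00\x00",
    "notes.txt": b"meeting moved to 3pm\n",
}


def flagged_attachments(samples: dict = SAMPLES) -> list:
    """Names of attachments whose content does not match their extension."""
    return [name for name, data in samples.items()
            if check_attachment(name, data)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data))
    print("flag for analysis:", flagged_attachments())
```

A mismatch is a reason to quarantine the attachment and scan it, not proof of infection; a genuinely damaged PDF will also fail the check, which is acceptable because the "file is damaged" message in the section above is precisely the lure to be wary of.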

Black Feather Virus – Closer Inspection

The Black Feather crypto-virus is based on the open-source HiddenTear project. This ransomware was first discovered by the malware researcher Michael Gillespie.

After the Black Feather ransomware has dropped its payload file, it possibly creates entries in the Windows Registry for persistence. Such entries start the ransomware files automatically with every launch of the Windows operating system. Then it proceeds to encrypt your files. When all of your data is encrypted, the virus creates the file BLACK_FEATHER.txt, the ransom note containing the payment instructions.

The BLACK_FEATHER.txt ransom note file reads the following:

This is a backup of the deposit address.
Send 0.3 BTC to decrypt your files
Validate payment in the program.

Those instructions are left in a file as a backup, but the main instructions show up as text after the encryption ends. That text is the following:

Welcome to Black Feather.

Thank you for downloading our software.
All of your files have been encrypted with a secure 256-bit HASH.
This means you can no longer access your files without the decryption key.

You can decrypt your files by paying us 0.3 BTC, this will remove the encryption
and give you full access to your files again.

The price that Black Feather ransomware sets is 0.3 Bitcoins, which equals around 185 US dollars at the time of writing this article. You should NOT even think of paying these cybercriminals. They haven't left any contact, just an address for the payment system. There is no guarantee that you will receive anything by paying to decrypt your files.

Besides, Michael Gillespie has written that the private key is not sent to any Command and Control server, so the criminals have no way to provide you with it. In other words, you cannot decrypt your data even if you pay. There might be a decryption method that could work, although your chances might seem slim. Continue reading to see if you can somehow decrypt your files.

Currently, there is no information about which file extensions get encrypted by this ransomware, but they are probably the most important files: pictures, documents, databases, videos, music, etc.

The encrypted files will have a new extension appended to each one of them, which is .blackfeather. The ransomware utilizes the strong AES encryption algorithm. Fear not, as there is a possible solution for decryption available below.

The Black Feather ransomware is very likely to delete the Shadow Volume Copies from the Windows operating system. Continue reading to find out how you can try to decrypt all of your files and bring them back to normal.
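The indicators this section lists (the appended .blackfeather extension, the BLACK_FEATHER.txt note with its BTC demand, and the likely deletion of Shadow Volume Copies) are enough for a first-pass triage of an affected machine. The script below is an added example written for this article, not code from the page, from HiddenTear or from the researcher it cites: it walks a directory tree, counts encrypted files and ransom notes, parses the demanded amount out of the note, recovers the original file names, and flags the shadow-copy deletion command lines that are commonly seen in ransomware incidents (the assumption being that a process-creation log source such as Sysmon is available to match them against). The victim directory layout it scans is constructed in a temporary folder so the example runs offline.

```python
import os
import re
import tempfile

ENCRYPTED_EXT = ".blackfeather"     # extension the article reports
NOTE_NAME = "BLACK_FEATHER.txt"     # ransom note file name from the article
BTC_RE = re.compile(r"(\d+(?:[.,]\d+)?)\s*BTC", re.IGNORECASE)

# Command lines that wipe Shadow Volume Copies. Matching them in process
# creation telemetry (assumed to be available) gives an early alert, since the
# article notes the ransomware very likely deletes these restore points.
SHADOW_WIPE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


def is_shadow_wipe(cmdline: str) -> bool:
    """True when a process command line would delete shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_WIPE_PATTERNS)


def original_name(path: str) -> str:
    """Recover the pre-encryption file name by stripping the appended extension."""
    return path[:-len(ENCRYPTED_EXT)] if path.lower().endswith(ENCRYPTED_EXT) else path


def triage_tree(root: str) -> dict:
    """Walk a directory tree and summarise Black Feather indicators found in it."""
    encrypted, notes, affected_dirs = [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                affected_dirs.add(dirpath)
            elif name == NOTE_NAME:
                notes.append(full)
    demanded_btc = None
    for note in notes:
        with open(note, encoding="utf-8", errors="replace") as fh:
            match = BTC_RE.search(fh.read())
        if match:
            demanded_btc = float(match.group(1).replace(",", "."))
            break
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": sorted(affected_dirs),
        "note_count": len(notes),
        "demanded_btc": demanded_btc,
        "original_names": sorted(os.path.basename(original_name(p)) for p in encrypted),
    }


def build_sample_tree() -> str:
    """Create a constructed victim directory layout for an offline demonstration."""
    root = tempfile.mkdtemp(prefix="blackfeather_sample_")
    layout = {
        os.path.join("Documents", "report.docx" + ENCRYPTED_EXT): b"\x9f\x11" * 16,
        os.path.join("Pictures", "holiday.jpg" + ENCRYPTED_EXT): b"\x3c\xa2" * 16,
        # Note text as quoted in the article.
        os.path.join("Documents", NOTE_NAME): (
            b"This is a backup of the deposit address.\n"
            b"Send 0.3 BTC to decrypt your files\n"
            b"Validate payment in the program.\n"),
        os.path.join("Documents", "readme.txt"): b"not touched by the malware\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def demo_result() -> dict:
    """Triage the constructed sample tree and return the summary."""
    return triage_tree(build_sample_tree())


if __name__ == "__main__":
    print(demo_result())
    print("shadow wipe:", is_shadow_wipe("vssadmin.exe delete shadows /all /quiet"))
```

Run it against a user profile root on an isolated, powered-down-and-imaged disk rather than the live machine: the counts tell you how far the encryption got, the recovered names tell you which backups to restore, and a hit on the shadow-wipe check explains why the Windows "Previous Versions" route will not work.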

Remove Black Feather Virus and Restore .blackfeather Files

If your computer got infected with the Black Feather ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more PCs. Remove the ransomware and follow the step-by-step instruction guide given below. To see ways you can try to recover your data, see the step titled 2. Restore files encrypted by Black Feather.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

