.block Files Ransomware – How to Remove + Restore Files

.block Files Ransomware – How to Remove + Restore Files

This article has been created to explain what is the purpose of the .block files virus and how to remove this infection from your PC plus how to try and restore files that have been encrypted by it on your computer.

The .block files ransomware is the newest strain associated with the Dharma ransomware family. It is a modular framework that can be customized further by the criminals as the attack is unfolded. As a consequence sensitive user files are impacted and are renamed with the .block extension. Read our in-depth guide in order to restore your computers from the infection.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionAn advanced ransomware strain that aims to cause dangerous system changes and encrypt target user files.
SymptomsOne of the main symptoms is the renaming of data with the .block file extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .block


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .block.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.block Files Virus – How Did I Get Infected

We have received information about a dangerous new strain of the Dharma ransomware family known as the .block ransomware. Like many of the similar strains that originate from this malware family it uses multiple distribution channels.

Depending on the target users the hackers can send out email messages that can link to the malware samples. In other cases the .block files virus can be attached to them as executable or archive files. In recent years there have also been many infections using malware software installers. They are usually setup packages taken from their official sources and then modified to include the virus code. In certain cases the victims may be able to disallow installation by unchecking certain options during the setup process.

The creation and distribution of infected documents is another trend that is used more and more among computer hackers, especially those behind advanced strains such as this one. The criminals create documents of various types that may be of any kind: rich text documents, spreadsheets and presentations that use social engineering techniques to make the users run them. Once the files are opened a notification prompt asks them to execute the built-in scripts (macros). If this is done then the .block file virus is automatically retrieved from the Internet and executed on the host.

Other popular infections methods also include software exploits, they usually occur automatically and are managed through hacker frameworks. The penetrations usually occur immediately after a vulnerability has been exposed. All kinds of malware payload delivery mechanisms can also be distributed via hacker-operated sites, ads, redirects and pop-ups.

Browser hijackers are also used as delivery mechanisms. During their infection phase the malware code can be used to institute the .block file virus into the target hosts.

.block Ransomware – More Information and Activity

Once the infections have started the .block file virus starts to execute it’s built-in behavior pattern. Depending on the exact configuration different components can be bundled either before the infection or interactively as the malware engine performs various checks.

At the onset of infection advanced threats usually perform a thorough system scan. Its aim is to create a profile of the compromised machine which includes the hardware components, installed software and user configuration. This data is used to execute the stealth protection mechanism which attempts to bypass or delete any discovered security software. This includes anti-virus programs, firewalls, sandboxes, debugging environments and virtual machines. In some cases if the threat is not able to doso then it will delete itself to avoid detection.

In order to facilitate a deeper infection the malware engine can connect to a hacker-controlled server which is used to send and receive commands from the criminal operators. The list of possible computer abuse includes the following:

  • File Stealing — Prior to the ransomware process the hackers can use the virus to retrieve sensitive files from the compromised computers.
  • Additional Malware Delivery — The criminals can use the C&C (command and control) servers in order to deploy additional threats.
  • Trojan Component — Remote control of the victim hosts can be achieved using a Trojan component. It can be deployed by the hackers either automatically or manually. It would allow them to view the victims desktop in real time. The hackers can also overtake control of the computers at any given time.

As the hackers have the ability to access other applications as well which includes web browsers as they are among the most widely software. The criminals can gain access to data such as: cookies, bookmarks, history, passwords, form data and account credentials.

The .block file virus can also be programmed to achieve a persistent state of execution. It would allow the malware to prevent manual user removal attempts by actively monitoring the victim’s actions. Such actions are usually followed by system changes that can impact both the Windows registry and the operating system configuration files themselves. As a result the users can experience performance issues, applications failure or find that certain Windows services will stop working.

As it the .block file virus uses a modular framework its behavior patterns can shift thus creating an entirely new signature. In certain situations the hackers may opt to delete the available Shadow volume copies. This makes file recovery difficult without the use of a professional-grade data recovery solution. Refer to our in-depth instructions below.

.block Ransomware – Encryption

The ransomware process is executed as soon as all other components are complete. The relevant engine starts to encrypt target user data based on a built-in list of target file type extensions.

During the initial configuration the virus may also access the Windows mount manager thus gaining access to removable storage devices and network shares. The malware will begin to scan the most frequently used files:

  • Microsoft Office documents.
  • Adobe .PDF documents.
  • Virtual drive images.
  • Photos and other image files.
  • Music and other audio data.
  • Videos.
  • System image files.
  • Files related to often used software.

A strong cipher is used to process the victim files. As a result a pattern is used consisting of the hacker’s email address followed by a dot and then the block extension. The ransomware note itself is crafted in a file called FILES ENCRYPTED: Bloc de notas.txt which reads the following:

all your data has been locked us
You want to return?
write email decrypt.guarantee@aol.com

.block file virus image

How to Remove .block Ransomware and Restore Your Files

In order to remove ransowmare viruses like .block, it is important to isolate them from being operational. To do this, we recommend to follow the removal instructions down below. They are separated in automatic and manual removal instructions. If you lack the experience in malware removal, reccomendations are to remove .block ransowmare automatically preferrably by downloading an advanced anti-malware software. Such will ensure that your computer is free from all malware without you having to reinstall your Windows and will protect your computer against infections like .block in the future too.

If you want to restore files that have been encrypted by the .block ransomware infections, we strongly advise that you focus on trying out our alternative ransomware recovery methods in step “2.Restore files encrypted by .block Virus” below. These methods are not 100% guarantee that you will be able to restore all files encrypted by this virus, but they may help you recover at least some of the encoded data.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share