Remove BadBlock Ransomware and Restore RSA Encrypted Files

badblock-logo-sensorstechforumA ransomware virus called BadBlock claims to use a strong RSA cipher to encode the files of infected users has been reported to terrorize unsuspecting users. BadBlock does not use any extension when it encrypts the files. Instead, BadBlock Ransomware uses a help_decrypt file in every folder of encrypted files to notify the users that they must pay the sum of 2 BitCoins(~900 USD) to get their files back. Everyone who was affected by BadLock ransomware should immediately focus on alternative methods for removal and file reverting, like the instructions posted in this article.

Update! A free decryptor for BadBlock Ransomware has been developed by AVG experts. It can be downloaded from the following Web Links:
BadBlock Decryptor for 32-bit Windows
BadBlock Decryptor for 64-bit Windows

Threat Summary

NameBadBlock
TypeRansomware
Short DescriptionThe ransomware encrypts files with the RSA appending no extension to the encrypted files and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a help-decrypt.txt file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by BadBlock

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss BadBlock Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BadBlock Ransomware – How Is It Spread

To establish how BadBlock is spread, we should look where does it spread first. The ransomware has been reported to be distributed across individual home users instead of organizations, suggesting it may use massively spread methods instead of targeted attacks. Such may be:

Various spam e-mails containing malicious URLs or e-mail attachments that are malicious (archives, .HTML files, etc.)
Spam posted on websites in the form of comments, replies or other social media shares from infected accounts.

Either way, the user may have been infected by opening a malicious URL or attachments. In case a URL is opened, the user may have been a victim of a JavaScript or malicious drive-by exploit kits caused via fake Adobe Flash Player updates. Of course, there is also the scenario of directly infecting the user by making him/her execute the malicious .exe, believing it is a legitimate program.

BadBlock Ransomware – In Detail

Once executed on the infected computer, the crypt-malware, may create the following files on the infected computer:

  • Help_decrypt.jpg
  • Help_decrypt.txt
  • {malicious executable}.exe

The malicious file may be created on the following Windows folders:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %User’s Profile%
  • %System%

After creating the malicious files, the ransomware may create registry entries to run on Windows boot, by modifying the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

After that, BadBlock ransomware may delete the volume shadow copies of the infected PC, by executing a script that types the following command prompt command:

shadow-command-sensorstechforum

Then, BadBlock may begin to encrypt the user files. This crypto-malware may look for files with the following file extensions:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com

After the files are encoded, no extension is added to the ransomware. However, the files become unable to be opened, suggesting that a strong cipher has been used, such as AES or as the ransom message claims – RSA.

After encrypting the files, the ransomware may change the wallpaper of the user, displaying its ransom note, which is the following:

badblock-main-sensorstechforum

After doing, so the ransomware may create the help-decrypt files on every folder in which files are encrypted. Researchers believe that BadBlock ransomware may be based on other RSA using crypto-viruses that had tremendous success in infecting victims – CryptoWall. Either way, users are often advised NOT to pay the ransom money and attempt a different alternative to restore the data.

Remove BadBlock Ransomware and Restore the RSA Files

Like the ransom message of BadBlock says, the ransomware may not be so difficult to remove. Manual removal however, may be tricky because the executable may have different names and conceal its files in different places. This is why it is advisable to use a reputable anti-malware software to automatically scan for the files and the modified registries of BadLock Ransomware and remove them from your device.

Regarding the decryption of the files, at this point, there is no direct solution, because the variant is relatively new and researchers have not managed to crack it yet. However, you should not pay the ransom because this is no guarantee for getting your files back as well. Instead, the best thing to do according to experts is to wait for a solution for BadBlock. In the meantime, we advise you to try using the methods described in step “3. Restore files encrypted by BadBlock” below. They may not work with 100% success rate, but if they do, you may recover at least some of your files.

Manually delete BadBlock from your computer

Note! Substantial notification about the BadBlock threat: Manual removal of BadBlock requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove BadBlock files and objects
2.Find malicious files created by BadBlock on your PC
3.Fix registry entries created by BadBlock on your PC

Automatically remove BadBlock by downloading an advanced anti-malware program

1. Remove BadBlock with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by BadBlock in the future
3. Restore files encrypted by BadBlock
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.