Remove BadBlock Ransomware and Restore RSA Encrypted Files - How to, Technology and PC Security Forum |

Remove BadBlock Ransomware and Restore RSA Encrypted Files

badblock-logo-sensorstechforumA ransomware virus called BadBlock claims to use a strong RSA cipher to encode the files of infected users has been reported to terrorize unsuspecting users. BadBlock does not use any extension when it encrypts the files. Instead, BadBlock Ransomware uses a help_decrypt file in every folder of encrypted files to notify the users that they must pay the sum of 2 BitCoins(~900 USD) to get their files back. Everyone who was affected by BadLock ransomware should immediately focus on alternative methods for removal and file reverting, like the instructions posted in this article.

Update! A free decryptor for BadBlock Ransomware has been developed by AVG experts. It can be downloaded from the following Web Links:
BadBlock Decryptor for 32-bit Windows
BadBlock Decryptor for 64-bit Windows

Threat Summary

Short DescriptionThe ransomware encrypts files with the RSA appending no extension to the encrypted files and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a help-decrypt.txt file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by BadBlock


Malware Removal Tool

User ExperienceJoin our forum to Discuss BadBlock Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BadBlock Ransomware – How Is It Spread

To establish how BadBlock is spread, we should look where does it spread first. The ransomware has been reported to be distributed across individual home users instead of organizations, suggesting it may use massively spread methods instead of targeted attacks. Such may be:

Various spam e-mails containing malicious URLs or e-mail attachments that are malicious (archives, .HTML files, etc.)
Spam posted on websites in the form of comments, replies or other social media shares from infected accounts.

Either way, the user may have been infected by opening a malicious URL or attachments. In case a URL is opened, the user may have been a victim of a JavaScript or malicious drive-by exploit kits caused via fake Adobe Flash Player updates. Of course, there is also the scenario of directly infecting the user by making him/her execute the malicious .exe, believing it is a legitimate program.

BadBlock Ransomware – In Detail

Once executed on the infected computer, the crypt-malware, may create the following files on the infected computer:

  • Help_decrypt.jpg
  • Help_decrypt.txt
  • {malicious executable}.exe

The malicious file may be created on the following Windows folders:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %User’s Profile%
  • %System%

After creating the malicious files, the ransomware may create registry entries to run on Windows boot, by modifying the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

After that, BadBlock ransomware may delete the volume shadow copies of the infected PC, by executing a script that types the following command prompt command:


Then, BadBlock may begin to encrypt the user files. This crypto-malware may look for files with the following file extensions:


After the files are encoded, no extension is added to the ransomware. However, the files become unable to be opened, suggesting that a strong cipher has been used, such as AES or as the ransom message claims – RSA.

After encrypting the files, the ransomware may change the wallpaper of the user, displaying its ransom note, which is the following:


After doing, so the ransomware may create the help-decrypt files on every folder in which files are encrypted. Researchers believe that BadBlock ransomware may be based on other RSA using crypto-viruses that had tremendous success in infecting victims – CryptoWall. Either way, users are often advised NOT to pay the ransom money and attempt a different alternative to restore the data.

Remove BadBlock Ransomware and Restore the RSA Files

Like the ransom message of BadBlock says, the ransomware may not be so difficult to remove. Manual removal however, may be tricky because the executable may have different names and conceal its files in different places. This is why it is advisable to use a reputable anti-malware software to automatically scan for the files and the modified registries of BadLock Ransomware and remove them from your device.

Regarding the decryption of the files, at this point, there is no direct solution, because the variant is relatively new and researchers have not managed to crack it yet. However, you should not pay the ransom because this is no guarantee for getting your files back as well. Instead, the best thing to do according to experts is to wait for a solution for BadBlock. In the meantime, we advise you to try using the methods described in step “3. Restore files encrypted by BadBlock” below. They may not work with 100% success rate, but if they do, you may recover at least some of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share