Remove Barrax Ransomware and Restore .BarRax Files


The article will aid you to remove Barrax ransomware completely. Follow the ransomware removal instructions at the end of this article.

Barrax is the name of a ransomware cryptovirus. The virus will encrypt files with almost 100 different file extensions. The extension .BarRax will be appended to each encrypted file. The encryption algorithm that is used is most probably AES, as the ransomware is a variant of the HiddenTear/EDA2 project. The Barrax cryptovirus will create a ransom note in a text file. Keep on reading and see how you could try to potentially recover some of your files.

Threat Summary

Short Description: The ransomware encrypts files on your computer and leaves a ransom note after that.
Symptoms: The ransomware will encrypt your files and put the extension .BarRax on your files after it finishes its encryption process.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by Barrax
User Experience: Join Our Forum to Discuss Barrax.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Barrax Ransomware – Infection Spread

Barrax ransomware could spread its infection in multiple ways. A payload file that initiates the malicious script for the ransomware in question has already been seen on the Internet. Your computer will get its files encrypted by the cryptovirus if that malicious script is executed. You can preview such a payload dropper, uploaded to the VirusTotal service by malware researchers, below:

Barrax ransomware might also be spreading its payload file on social media sites and file-sharing networks. Freeware that is spread on the Internet can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from suspicious places such as emails or links of unknown origin. Instead, scan the files with a security tool and check their size and signatures for anything that seems out of place. You should also check out the ransomware prevention tips given in the forum.

Barrax Ransomware – In-depth Analysis

Barrax ransomware is a cryptovirus: the extension .BarRax is appended to every file that becomes locked once the encryption process completes. Reported to be a variant of HiddenTear, the encryption algorithm is highly likely to be AES. The ransomware connects to the following C2 (Command & Control) server:


Barrax ransomware could make entries in the Windows Registry to achieve some form of persistence, and even launch and suppress processes inside the Windows operating system. Some of these entries are designed so that the virus starts automatically with every launch of Windows.

The ransom note will appear after the encryption process is complete. The file with the ransom note is a .txt file. In addition, there is a support forum for the ransomware, located at the following address.

The support forum looks like this:

The ransomware is reported to be a HiddenTear/EDA2 variant by the malware researcher Michael Gillespie. You can read more about the HiddenTear/EDA2 open-source project from the corresponding article in the blog.

You should NOT under any circumstances consider paying the criminals spreading the Barrax ransomware, nor should you contact them. Your files may not get restored, and nobody can guarantee that they will. Furthermore, giving money to these criminals will likely motivate them to make more ransomware viruses or commit other criminal acts.

The following list contains nearly 100 different file extensions that the Barrax ransomware searches to encrypt:

→.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2

Every file that gets encrypted receives the same extension appended to the end of its name, namely .BarRax. The encryption utilized by the ransomware is believed to be AES, as that is the encryption algorithm used by the variants of HiddenTear.
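Because the marker extension is simply appended to the original file name, the scope of an infection can be measured before any recovery attempt: strip the marker, recover the original extension, and compare it with the list above. The following is an added example written for this article, not code from the article or from the Barrax/HiddenTear authors; the file paths are constructed, and the extension list is the one quoted above with its separators tidied. It only scopes the damage and decrypts nothing.

```python
"""Post-infection triage for a .BarRax outbreak (added example).

Separates files carrying the .BarRax marker from untouched ones, recovers
each encrypted file's original name, and checks the original extension
against the targeted-extension list quoted in the article.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

MARKER = ".BarRax"  # extension appended to every encrypted file (from the article)

# Targeted extensions as listed in the article, with the separators tidied up.
TARGETED_TEXT = """
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db,
.dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso,
.ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov,
.mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx,
.psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd,
.wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs,
.js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite,
.sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2
"""


def parse_extension_list(text):
    """Pull every dot-prefixed token out of a loosely separated list.

    Tolerates the mixed ', ' / ' ' / ',' separators seen in the quoted list,
    lowercases everything (NTFS is case-insensitive) and drops duplicates.
    """
    return {m.lower() for m in re.findall(r"\.[A-Za-z0-9]+", text)}


TARGETED = parse_extension_list(TARGETED_TEXT)


def original_name(path):
    """Return the path without the .BarRax marker, or None if it carries none."""
    if not path.lower().endswith(MARKER.lower()):
        return None
    return path[: -len(MARKER)]


def triage(paths):
    """Classify paths as encrypted/untouched and summarise by original extension."""
    encrypted, untouched = [], []
    for path in paths:
        orig = original_name(path)
        if orig is None:
            untouched.append(path)
            continue
        ext = PureWindowsPath(orig).suffix.lower()  # ".tar.gz" -> ".gz"
        encrypted.append({
            "path": path,
            "original": orig,
            "extension": ext,
            "targeted": ext in TARGETED,
        })
    by_extension = Counter(e["extension"] for e in encrypted)
    return {"encrypted": encrypted, "untouched": untouched, "by_extension": by_extension}


# Constructed sample, shaped like the output of a directory walk on an infected host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.BarRax",
    r"C:\Users\alice\Pictures\holiday.jpg.BarRax",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Desktop\notes.txt.BarRax",
    r"C:\Users\alice\Music\song.mp3",
    r"C:\Users\alice\Documents\archive.tar.gz.BarRax",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(f"{len(result['encrypted'])} encrypted, {len(result['untouched'])} untouched")
    for ext, n in result["by_extension"].most_common():
        print(f"  {ext}: {n}")
    for entry in result["encrypted"]:
        print(f"  {entry['path']} -> {entry['original']} (targeted: {entry['targeted']})")
```

Feed it the paths from a real directory walk (for example `os.walk` over the user profile) and the per-extension counts tell you which backups to restore first; an encrypted file whose original extension is not in the targeted list is worth a second look, since it suggests either a different variant or a different list than the one published here.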

The Barrax cryptovirus might delete the Shadow Volume Copies from the Windows operating system by utilizing the command given right here:

→vssadmin.exe delete shadows /all /Quiet
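Shadow-copy deletion is one of the few loud, host-level actions a HiddenTear-style ransomware takes before or after encrypting, so it is worth alerting on from process-creation logs regardless of which variant is involved. The following is an added example, not code from the article: it runs a matcher for the vssadmin command above over a constructed batch of process-creation events (the field names mirror what Sysmon Event ID 1 or Windows Security event 4688 record, but the events themselves are made up), and raises the severity when the parent process lives under a user profile rather than an administrative console.

```python
"""Detection of Shadow Volume Copy deletion in process-creation logs (added example)."""
import re

# Matches "vssadmin delete shadows" regardless of case, an .exe suffix, quoting,
# or whatever switches (/all, /for=, /quiet) follow.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b\s+\bshadows\b", re.IGNORECASE
)


def normalise(cmdline):
    """Drop quotes and collapse whitespace so spacing tricks do not defeat the match."""
    return " ".join(cmdline.replace('"', " ").split())


def is_shadow_deletion(cmdline):
    """True if the command line deletes shadow copies via vssadmin."""
    return SHADOW_DELETE.search(normalise(cmdline)) is not None


def scan_events(events):
    """Return one alert per event whose command line deletes shadow copies.

    A deletion launched by a binary under \\Users\\ (Temp, Downloads, AppData)
    is rated high; one launched from a system console is rated medium so an
    analyst still reviews it against change records.
    """
    alerts = []
    for ev in events:
        if not is_shadow_deletion(ev["cmdline"]):
            continue
        from_user_dir = "\\users\\" in ev["parent_image"].lower()
        alerts.append({
            "time": ev["time"],
            "host": ev["host"],
            "parent": ev["parent_image"],
            "cmdline": normalise(ev["cmdline"]),
            "severity": "high" if from_user_dir else "medium",
        })
    return alerts


# Constructed sample events; timestamps, hosts and file names are made up.
SAMPLE_EVENTS = [
    {"time": "2017-02-26T10:14:03Z", "host": "WS-ALICE",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"time": "2017-02-26T10:15:41Z", "host": "WS-ALICE",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"time": "2017-02-26T10:16:02Z", "host": "WS-ALICE",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Desktop\note.txt"},
    {"time": "2017-02-26T11:02:17Z", "host": "SRV-BACKUP",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\VSSADMIN.EXE"  Delete   Shadows /For=C: /Quiet'},
    {"time": "2017-02-26T11:03:00Z", "host": "SRV-BACKUP",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['host']} "
              f"parent={alert['parent']} :: {alert['cmdline']}")
```

The match is deliberately on the verb and object rather than the exact switch string, since the same deletion can be spelled with `/For=` or different casing; the severity split is the useful part, because the command itself is legitimate on a backup server and only the parent process tells the two apart.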

Continue to read and see what kind of ways you can try out to potentially restore some of your files.

Remove Barrax Ransomware and Restore .BarRax Files

If your computer got infected with the Barrax ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step removal guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
