What BadBlock is, and how it operates
BadBlock is trojan-ransomware – this malware enters a system, encrypts files then demands a ransom payment for their decryption. This ransomware appeared in mid-May, and analysts immediately detected flaws that they thought may lead to a decryption key. There is now a decryptor available designed by Fabian Wosar. A problem with this ransomware is it’s badly written and causes operating system damage, so it’s important to avoid it, or to delete BadBlock quickly if infected.
NOTE: if you have been infected and the ransom wallpaper is displayed – DO NOT reboot your computer before you terminate BadBlock.
How BadBlock is traveling
This is a ransomware variant that appears to target home-users rather than business. This is done using attachments in spam/phishing e-mails (.archive, .HTML, .exe). It was also reported to be dropped by exploit kits (that detect system/browser vulnerabilities) presenting the victim with old fake Flash Player update trick. It’s suspected that it has also been spread through social media/P2P file-sharing pages.
Execution, encryption and payment
When the ransomware executes it first makes changes to the registry keys, to attain Start-Up persistence. It then creates its executable file in Windows files. After contacting the hacker’s command server to report its installation, it also tries to delete Shadow Volume Copies to prevent the user from accessing them for earlier versions of files. Unlike most self-respecting ransomware, BadBlock does not give encrypted files an extension. Also unlike most other makes, it actually announces what it is doing before it starts, rather than staying quiet in the background until the job is finished; this malware has the ransom screen displayed from the outset. It goes on to demand a larger-than-average 2.0 BTC (around $900 U.S), with instructions to pay via a TOR link. There is a warning that if an AV program updates and tries to automatically remove BadBlock, the files will become irretrievable.
Why BadBlock is dangerous
The ransomware not only encrypts user files, as is the norm with this type of malware, it also encrypts executable (System) files. This means that if the user tries to reboot after being infected, the computer won’t start. This ransomware is obviously the work of an amateur – if the user’s computer system is disabled, then how can the hackers expect a ransom to be paid?
The good news about BadBlock is it’s stupid, premature advertising – users will know the malware is about to wreck their system, so its possible to calmly go to Task Manager and terminate the process badransom.exe which will stop encryption.
How to decrypt BadBlock and get your files back?
To get rid of BadBlock ransomware, see instructions below. To reclaim encrypted files, download the decryptor from this link and follow the instructions.
Step 1: Execute decrypt_badblock.exe.
Step 2: If the key for your system is not automatically found, drag and drop one original and same encoded files to the decrypt_badblock.exe icon.
It is important for the user to maintain a system to current specs – patches and updates. Any applications that aren’t used regularly should be deleted. Any freeware that is needed should be downloaded directly from the developer’s ‘site – and still scrutinized before installation using the Advanced option. Care should be taken with unsolicited e-mails – increasingly, ransomware is traveling by spam/phishing ‘mail (a recent survey by PhishMe revealed that 93% of phish-mail now contains the malware).
BadBlock is an inept and clumsy ransomware specimen, and more of a pain in the processor than a serious cyber-threat. Though if infected, the user should identify just how BadBlock entered their system – if this can get in, there is a door open for professional ransomware to enter…