A new strain of ransomware has been discovered. It calls itself BadBlock (this from the message left on the red lock-screen displayed after encryption reading, “Badblock is on the block!”).
This ransomware appears to be spread so far to home users rather than targeting companies. This has been done using e-mail attachments (these are .archive, .HTML and .exe varieties). Also by URLs with malicious JavaScript, and from drive-bys using exploit kits that present fake Flash Player updates. It is also thought that infections have occurred as a result of social media and file-share pages.
When BadBlock is executed, it first makes changes to registry keys (presumably for persistence), and it creates the malicious executable in Windows files. Then it starts to encrypt, claiming to use RSA and asymmetric algorithms to generate the two keys (private & public). These are common encryption forms used for sensitive data, though without the private key the files cannot yet be cracked. The information screen even says that if you are not interested in paying for the files, then the infection is ‘not that hard’ to get rid of, and then you can reformat your machine. How helpful.
The ransom demanded is a steep 2.0 BCT (about $900 U.S). It goes on to give details of how to purchase the Bitcoin. There is also a warning that if an antivirus program is updated and automatically removes BadBlock, then the files will be unrecoverable. The malware also tries to delete Volume Shadow Copies to prevent backups being made from there. The encrypted files – unlike most ransomware do not have a changed file extension.
If you are not infected with BadBlock, the first thing to do is make a comprehensive file backup to an external device, and make a routine of doing this – it could mitigate a ransomware attack in the future.
Latest news – a researcher from the company Emsisoft, Fabian Wosar, has analyzed some samples and made this observation: “I looked into the ransomware. It is insecure and decryption should be possible” writing on a blog earlier this week. He said that he will start work on the decryptor in the next couple of days. So if you’ve been hit by BadBlock, disconnect totally and find another workstation to monitor the situation from, there should be a solution to this ransomware soon. Watch this space.
