Badday Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Ranking: 14,287
Threat Level: 100% (High)
Infected Computers: 1,407
First Seen: January 19, 2011
Last Seen: July 10, 2023
OS(es) Affected: Windows
Nowadays, file-encrypting Trojans are among the most prevalent threats online, claiming new victims daily. They are often seen as a way to make quick money, and they are not hard to build as long as the cyber crooks borrow most of the code from existing ransomware families.
Propagation and Encryption
The Badday Ransomware is one of the more recently detected data-locking Trojans. As its name suggests, you are likely to have quite the bad day if you fall victim to it. When malware researchers dissected the Badday Ransomware, they found that it is a variant of the GlobeImposter 2.0 Ransomware.

The infection vectors used to distribute the Badday Ransomware have not been disclosed. Some researchers believe that fake pirated copies of popular applications, mass spam email campaigns, and bogus software updates may be among the methods used to spread this file-locking Trojan.

Once the Badday Ransomware is running on a host, it scans for the files it has been configured to target. Ransomware threats usually go after all the popular file types to cause maximum damage, so images, songs, videos, films, documents, and presentations are all likely to be locked by the Badday Ransomware. When the files of interest have been located, the Badday Ransomware triggers its encryption routine and applies an encryption algorithm to lock the targeted data. Each locked file gets a new extension appended to its name: '.badday'. For example, an audio file named 'aged-gold.mp3' would be renamed 'aged-gold.mp3.badday'.
The Ransom Note
Next, the Badday Ransomware drops a ransom note on the user's desktop. The note is called 'how_to_back_files.html,' and it states:
'YOUR PERSONAL ID
-
ENGLISH
YOUR CORPORATE NETWORK LOCKED.
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
To restore files you will need a decryptor!.
To get the decryptor you should:
Pay for decrypt your network - 12 BTC :
Buy BTC on one of these sites
hxxps://localbitcoins.com
hxxps://www.coinbase.com
hxxps://xchange.cc
BITCOIN ADRESS FOR PAY:
1HbATAUc2rrpnajiRCeyKuBKZ5onkf22Jt
Send 12 BTC for decrypt
AFTER THE PAYMENT:
Send screenshot of payment to redteamoperation@protonmail.com or redteamoperation@seznam.cz. In the letter include your personal ID (look at the beginning of this document).
AFTER YOU WILL RECEIVE A DECRYPTOR AND INSTRUCTIONS
Attention!
Only our team can decrypt your files.
No Payment = No decryption!
You really get decryptor after payment. As a guarantee you can send 1 test image or text file on our email (In letter include your personal ID)
Do not attempt to remove program or run any anti-virus tools! This doesn't help 🙂
Decoders of other users are not compatible with your data, because each infected computer have unique encryption key!!!
Attempts to self-decrypting files will result in the loss of your data.'
In the note, the attackers ask for the staggering sum of 12 Bitcoin, roughly $99,000 at the time of writing. They also demand that the victim contact them by email, at 'redteamoperation@protonmail.com' or 'redteamoperation@seznam.cz', to receive further instructions. Because the note states 'YOUR CORPORATE NETWORK LOCKED' and the ransom is so high, researchers believe that the Badday Ransomware is aimed at large companies rather than home users.
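As an added example (not EnigmaSoft's code and not the malware author's), the following Python script performs the kind of triage sweep an incident responder would run over an affected Windows profile or file share: it walks a directory tree, lists every file carrying the '.badday' extension, locates each copy of 'how_to_back_files.html', and pulls the Bitcoin address and contact e-mails out of the note so they can be recorded as indicators. Only the extension, the note file name and the contact details come from the write-up above; the directory layout, the file contents and the abbreviated note text are constructed here for the demonstration.

```python
"""Post-infection triage sweep for the Badday (GlobeImposter 2.0) indicators.

Added example, not EnigmaSoft's or the malware author's code. The only facts
taken from the write-up are the '.badday' extension, the note file name
'how_to_back_files.html', and the contact details quoted in the note; the
directory layout and file contents below are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".badday"               # appended to every locked file
NOTE_NAME = "how_to_back_files.html"    # dropped on the desktop

# Base58 legacy Bitcoin address (starts with 1 or 3; no 0, O, I or l).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Ends on the TLD letters so a sentence-final period is not swallowed.
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")


def parse_ransom_note(text):
    """Extract attacker payment and contact IOCs from a note body."""
    return {
        "btc_addresses": sorted(set(BTC_RE.findall(text))),
        "emails": sorted({m.lower() for m in EMAIL_RE.findall(text)}),
    }


def sweep(root):
    """Walk `root`, collecting locked files, ransom notes and note IOCs."""
    encrypted, notes = [], []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif lowered == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))

    btc, emails = set(), set()
    for note in notes:
        # The note is attacker-controlled input: read it tolerantly as text,
        # never open it in a browser or execute anything it contains.
        text = Path(note).read_text(encoding="utf-8", errors="replace")
        found = parse_ransom_note(text)
        btc.update(found["btc_addresses"])
        emails.update(found["emails"])

    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "btc_addresses": sorted(btc),
        "emails": sorted(emails),
    }


# Constructed, abbreviated note: the address and e-mails are the ones quoted
# in the write-up; the surrounding text is shortened for the fixture.
SAMPLE_NOTE = """<html><body><pre>
YOUR PERSONAL ID
-
YOUR CORPORATE NETWORK LOCKED.
Pay for decrypt your network - 12 BTC :
BITCOIN ADRESS FOR PAY:
1HbATAUc2rrpnajiRCeyKuBKZ5onkf22Jt
Send screenshot of payment to redteamoperation@protonmail.com or redteamoperation@seznam.cz. In the letter include your personal ID.
</pre></body></html>
"""


def build_sample_tree():
    """Constructed fixture: a user profile the way it looks after Badday ran."""
    root = tempfile.mkdtemp(prefix="badday_demo_")
    profile = Path(root, "Users", "alice")
    docs, desktop = profile / "Documents", profile / "Desktop"
    docs.mkdir(parents=True)
    desktop.mkdir(parents=True)
    (docs / "aged-gold.mp3.badday").write_bytes(b"\x00" * 64)   # locked
    (docs / "report.docx.badday").write_bytes(b"\x01" * 64)     # locked
    (docs / "untouched.txt").write_text("not encrypted")         # skipped
    (desktop / NOTE_NAME).write_text(SAMPLE_NOTE)                # the note
    return root


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    for key, values in result.items():
        print(f"{key}: {len(values)}")
        for value in values:
            print("   ", value)
```

Run it as a script to see the summary for the fixture; in a real case, point sweep() at the mounted profile, share or forensic image instead. The list of locked files doubles as the scope of the restore job, and the extracted address and e-mails are what you feed into blocklists and the incident record.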
You should keep your distance when it comes to dealing with cyber crooks. They are not trustworthy individuals, and even if a victim pays this enormous ransom, the attackers may never deliver on their end of the deal. A safer approach is to use a reputable anti-malware solution to remove the Badday Ransomware from the computer and then restore the locked files from clean, offline backups. Keep in mind that removing the malware stops further damage but does not decrypt files that have already been locked; recovery depends on backups, or on a free decryptor should one ever be released by researchers.