
BadBlock Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: May 23, 2016
Last Seen: February 13, 2019
OS(es) Affected: Windows

The BadBlock Ransomware is an encryption ransomware Trojan. Like similar attacks, the BadBlock Ransomware encrypts the victim's documents using RSA-2048 and 256-bit AES-CBC encryption. Once the victim's files have been encrypted, the BadBlock Ransomware displays a ransom message demanding the payment of two BitCoins, approximately $400 at the current exchange rate. Regretfully, it is currently not possible to decrypt files encrypted with the BadBlock Ransomware without access to the decryption key, which the people responsible for the BadBlock Ransomware keep on their own servers. In some cases, computer users have had success with decryption utilities released for similar ransomware attacks. If the BadBlock Ransomware is installed on your computer, the best recovery method is to restore the encrypted files from a backup and use a reliable security application to protect your machine from future attacks.

How the BadBlock Ransomware may Enter a Computer

The most common way of distributing the BadBlock Ransomware is through corrupted email messages that contain corrupted embedded links or file attachments. When computer users open the content included in the email message, the BadBlock Ransomware runs on the victim's computer and initiates its attack. The BadBlock Ransomware is capable of infecting all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. Once the BadBlock Ransomware has entered the victim's computer, it searches the affected computer's hard drive for files with the following extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

After encrypting the victim's files, the BadBlock Ransomware drops files named 'Help_Decrypt.txt,' which contain the instructions on how to pay the BadBlock Ransomware ransom. These text files are dropped in every directory that contains encrypted files. The BadBlock Ransomware also changes the affected computer's Desktop image by replacing it with the image file 'Help_Decrypt.png,' which contains the same material as the text file mentioned before. The BadBlock Ransomware deletes Shadow Volume Copies, system restore points, and other copies of affected files that would normally help computer users recover from an attack of this type.
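The two paragraphs above describe what an infected system looks like from the outside: ransom notes named 'Help_Decrypt.txt' and 'Help_Decrypt.png' scattered through every directory that held targeted files, and those files overwritten with AES-CBC ciphertext. The following triage scanner is an added example written for this page; it is not code from the original write-up or from any vendor tool. It walks a directory tree, records every ransom-note drop, and flags files whose extension is on BadBlock's target list but whose contents no longer look like that file type (the expected header bytes are gone, or the bytes are near-uniformly random, as ciphertext is). The extension subset, the magic-byte table, the entropy threshold and the sample tree built by `build_demo_tree` are assumptions made for the example; in real use, extend `TARGET_EXTENSIONS` with the full list from the write-up.

```python
"""Triage scanner for BadBlock-style ransomware artifacts (added example).

Reports:
  * ransom-note drops (Help_Decrypt.txt / Help_Decrypt.png, as described
    in the write-up), and
  * files with a targeted extension whose contents no longer match the
    format: the usual file header is missing, or the byte entropy is close
    to 8 bits/byte, which is what AES-CBC output looks like.
"""
import math
import os
import tempfile
from collections import Counter

# File names the write-up says BadBlock drops (compared case-insensitively).
RANSOM_NOTE_NAMES = {"help_decrypt.txt", "help_decrypt.png"}

# Assumption: a small subset of the extension list given in the write-up.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pptx", ".pdf", ".jpg", ".jpeg",
    ".png", ".txt", ".csv", ".sql", ".pst", ".zip", ".7z", ".pem", ".pfx",
}

# Expected leading bytes for formats that have a fixed header. A targeted
# file whose header is gone has almost certainly been overwritten.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".7z": b"7z\xbc\xaf\x27\x1c",
    ".pst": b"!BDN",
    ".pem": b"-----",
}

ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte; text and office files sit well below
MIN_SAMPLE = 256         # assumption: tiny samples give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(ext: str, head: bytes) -> bool:
    """True if a file with this extension no longer looks like that format."""
    expected = MAGIC.get(ext)
    if expected is not None:
        return not head.startswith(expected)   # header overwritten by ciphertext
    # No fixed header (e.g. .txt, .csv, .sql): fall back on entropy.
    return len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: str, sample_bytes: int = 65536) -> dict:
    """Walk `root` and return ransom notes, suspect files and the count of targeted files."""
    result = {"ransom_notes": [], "suspect_files": [], "targeted_total": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                result["ransom_notes"].append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGET_EXTENSIONS:
                continue
            result["targeted_total"] += 1
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue                          # unreadable: skip, do not guess
            if looks_encrypted(ext, head):
                result["suspect_files"].append(path)
    return result


def build_demo_tree(root: str) -> None:
    """Write a constructed sample tree: two notes, two 'encrypted' files, three intact ones."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    files = {
        os.path.join(root, "Help_Decrypt.txt"): b"[constructed placeholder for the ransom note]\n",
        os.path.join(docs, "Help_Decrypt.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        os.path.join(docs, "report.pdf"): b"%PDF-1.4\n" + b"intact pdf body " * 64,   # intact
        os.path.join(docs, "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 1024,         # intact
        os.path.join(docs, "readme.txt"): b"plain text, low entropy. " * 64,          # intact
        os.path.join(docs, "budget.xlsx"): os.urandom(4096),   # header gone: ciphertext stand-in
        os.path.join(docs, "notes.txt"): os.urandom(4096),     # no header; flagged by entropy
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="badblock_demo_")
    build_demo_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    findings = demo()
    print("ransom notes :", findings["ransom_notes"])
    print("targeted     :", findings["targeted_total"])
    print("suspect files:", findings["suspect_files"])
```

Running the module scans the constructed tree: both ransom notes are found, five targeted files are counted, and only the two whose contents were replaced with random bytes are reported as suspect. Pointing `scan_tree` at a real share gives a quick picture of which directories the malware reached, which is the first thing an incident responder needs when deciding what to restore from backup.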

The BadBlock Ransomware ransom note contains the following information:

This machine was infected with ransomware the BadBlock. Many of your files are encrypted using RSA algorithm, and the key to decrypt this files is with us on our server.
-What this means?
It means that to decrypt and recover your files, you will need to pay a ransom, in bitcoins. The actual ransom for your machine is 2 bitcoins (USD ~900.00).
If you are not interested in pay this ransom, you can easily format this machine, or even remove the BadBlock (it’s not that hard), but all your files will become unrecoverable!
-How do I pay?
You simply buy bitcoins, and transfer them to this account: –
The amount is 2 bitcoins, like we talked earlier… You can use this link or this link to help you out on how to buy the bitcoins.
-What happens after the payment?
the BadBlock still running on your computer right now, and waiting to detect one payment of 2 BTC on the address mentioned above. Once it detects, it will start to decrypt all the encrypted files. The process to detect the payment can take up to 2 hours, and only after this it will start decrypting your files. So after payment, leave this machine powered. For this reason, we strongly recommend you to not try to remove the BadBlock, and disable your anti-virus for a while, until you pay and the payment gets processed, to the BadBlock start decrypting. If your anti-virus gets updated and remove the BadBlock automatically, even if you pay the ransom, it will not be able to recover your files!
-How do I know that you will really decrypt my files after payment?
You don’t. You have only one choice to recover your files: pay the ransom. We have no interest in keeping your files locked for any reason. So right now, just rely on us and everything will be fine.

Variants of the BadBlock Ransomware carry ransom notes in different languages, so it is entirely possible for the con artists behind it to adapt the BadBlock Ransomware attacks to particular geographical regions. To prevent the BadBlock Ransomware attacks, malware analysts advise the use of a reliable security program and that computer users always back up their files to an external storage device or the cloud.
