
Balaclava Ransomware

By GoldSparrow in Ransomware

Malware researchers have uncovered a new file-locking Trojan that is circulating the Web. Interestingly enough, there have been two variants of the Balaclava Ransomware revealed so far.

Propagation and Encryption

The Balaclava Ransomware is likely to be propagated via several different distribution methods, since many cyber crooks combine infection vectors to expand their reach. Some of the most popular propagation methods include:

  • Mass spam email campaigns – Emails containing a fraudulent message and a corrupted attachment or a link to a harmful file.
  • Malvertising campaigns – Misleading advertisements whose goal is to trick users into downloading a corrupted file.
  • Fake application downloads/updates – Fraudulent downloads/update prompts that urge the users to download threatening software on their systems.

Regardless of how the Balaclava Ransomware has ended up on your computer, it has one goal – to encrypt all your files. Most ransomware threats are programmed to target a wide range of filetypes to ensure maximum damage. The Balaclava Ransomware uses an encryption algorithm to lock all your documents, images, videos, audio files, presentations, spreadsheets, databases, archives, etc. As we mentioned, the Balaclava Ransomware has two variants – each one appends a different extension to the names of the newly locked files. One of the Balaclava Ransomware versions appends a ‘’ as an additional extension, while the other variant adds a ‘.michael’ extension to the names of the affected files. For example, a file called ‘crystal-cross.mp4’ will be renamed to either ‘’ or ‘crystal-cross.mp4.michael.’

The Ransom Note

The Balaclava Ransomware drops a ransom note on the infected system. The message from the Balaclava Ransomware’s authors is contained in a file called ‘HOW_TO_RECOVERY_FILES.txt.’ The attackers offer to unlock 1-2 files free of charge as proof that they are capable of reversing the damage. Users are told that once they receive the 1-2 decrypted files, they will also be told the ransom fee that the attackers demand. The two variants of the Balaclava Ransomware provide users with two distinct email addresses as a means of communication – ‘’ and ‘’.

The content of HOW_TO_RECOVERY_FILES.txt ransom note:
If you see this message – this means your files are now encrypted and are in a non-working state! Now only we can help you recover.
If you are ready to restore the work – send us an email to the address In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files.
Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets …).
Email to contact us –

The encryption process means that you won’t have access to any file with the .michael file extension without first decrypting it. As you can see in the note, the attackers encourage victims to get in touch with them to learn more about how to do this. They also promise to restore a few small files for free as a sign of good faith. This is a common tactic to lure victims into a false sense of security. Even if the attacker does decrypt those few files, that’s still no guarantee that they can – and will – decrypt everything.
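The two on-disk indicators described above (files renamed with an extra ‘.michael’ extension and the ‘HOW_TO_RECOVERY_FILES.txt’ note) are what a responder looks for first when triaging a suspected infection. The following triage script is an added example and is not code from the original write-up or from the ransomware itself: it builds a constructed sample directory tree, walks it, separates locked files from ransom notes, and recovers the pre-encryption file names by stripping the appended extension. The directory layout, file names and note contents are constructed sample data.

```python
"""Filesystem IoC triage for the Balaclava Ransomware's .michael variant.

Added example (not from the original write-up). It looks for the two
on-disk indicators the write-up describes:
  * files renamed with an extra `.michael` extension
  * the ransom note `HOW_TO_RECOVERY_FILES.txt`
The sample tree built by build_sample_tree() is constructed test data.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

RANSOM_NOTE = "HOW_TO_RECOVERY_FILES.txt"   # note filename from the write-up
LOCKED_EXT = ".michael"                       # extension appended by this variant


@dataclass
class ScanResult:
    """Paths found during a scan, kept sorted for stable reporting."""
    locked_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    def original_names(self) -> list:
        # The variant only appends an extension, so the original name is
        # the file name with the trailing `.michael` removed.
        return [p.name[: -len(LOCKED_EXT)] for p in self.locked_files]

    def is_hit(self) -> bool:
        # Either indicator alone is enough to escalate the host.
        return bool(self.locked_files or self.ransom_notes)


def scan_tree(root: Path) -> ScanResult:
    """Walk `root` and collect locked files and ransom notes."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif name.lower().endswith(LOCKED_EXT):
                result.locked_files.append(path)
    result.locked_files.sort()
    result.ransom_notes.sort()
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample: two locked files, one untouched file, one note."""
    (root / "videos").mkdir()
    (root / "videos" / "crystal-cross.mp4.michael").write_bytes(b"\x00" * 16)
    (root / "report.xlsx.michael").write_bytes(b"\x00" * 16)
    (root / "notes.txt").write_text("untouched")
    (root / RANSOM_NOTE).write_text("If you see this message ... (constructed)")


def demo() -> ScanResult:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    res = demo()
    print("infected:", res.is_hit())
    print("locked files:", len(res.locked_files))
    print("ransom notes:", len(res.ransom_notes))
    print("original names:", sorted(res.original_names()))
```

Point `scan_tree()` at a mounted image or a user profile rather than the constructed tree to use it on a real case; the recovered original names tell you which files must come from an external backup, and the note locations tell you which directories the Trojan reached.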

The final stage of the attack is that the ransomware deletes the shadow volume copies of data on the computer. Windows uses these shadow copies to restore earlier versions of files, so once they are gone you need an external backup to restore your lost files. Don’t forget to remove the Michael Ransomware first, however, or you run the risk of having your backup data encrypted too.

How Does Ransomware Get on Computers?

Ransomware has several potential infection vectors, just like any other kind of virus. The main techniques for spreading ransomware are spam campaigns, trojan viruses, and illegal activation tools. Other common methods are fake software updates and untrustworthy download pages and websites.

Spam campaigns involve sending thousands of scam emails to as many people as possible. The emails have an infectious file or link attached to them. Once someone interacts with the compromised attachment, their computer is infected. The malicious file could be a document, a PDF file, an archive, an executable file, or any other kind of file. The point is that they contain code that triggers an infection when the file is activated. Trojan viruses are a kind of malware used to trigger chain infections and download other malware, such as the Zorgo ransomware.

Software pirates use illegal activation tools – also known as "cracks" – to activate pirated software. These tools also download and install malicious programs and viruses. A fake software update works on a similar principle: sometimes it exploits flaws in an application, and sometimes it simply installs a virus instead of the promised update.

It's possible for a person to unwittingly download malicious content through untrustworthy download resources like peer-to-peer networks, third-party websites, and unofficial free file-hosting websites.

You should ignore the demands of cyber crooks like the authors of the Balaclava Ransomware. Even if you pay up, the attackers are likely to deny you the decryption tool you need to recover your data. Instead, you should consider investing in a legitimate anti-malware solution that will help you remove the Balaclava Ransomware from your computer safely.
