BadBlock Ransomware Encrypts Windows System Files

Monday, June 06, 2016

Ionut Arghire


A new ransomware threat goes beyond encrypting users’ personal files and holding them for ransom. 

Dubbed BadBlock, the new ransomware doesn’t stop at encrypting the user’s photos, videos, and images, but does the same for Windows system files as well, which ultimately results in the computer being no longer usable. Executables that are required for the Windows operating system to start are also targeted, meaning that a reboot after the infection could prove catastrophic.

Unlike typical ransomware families, BadBlock advertises its presence on the computer before completing the encryption process, which means that users can actually launch Task Manager and kill the badransom.exe process to stop the encryption, Bleeping Computer’s Lawrence Abrams explains.

What users would want to avoid, however, is restarting their computers, given that the operating system might already have been compromised. Luckily, a free decryption tool for this ransomware is already available, allowing victims to restore their files. Released by Fabian Wosar of Emsisoft, the utility uses brute force to determine the decryption key.

According to researchers, the BadBlock ransomware is both poorly coded and horribly designed, as it can also trash the victim’s system. What’s more, the malware authors ask for a 2 Bitcoin ransom from their victims, which is roughly twice the amount that other ransomware families typically demand.

At the opposite end of the ransom amount spectrum is a malware called Black Shades Crypter, which asks for only $30 to decrypt files. The ransomware allows users to pay either by Bitcoin or PayPal, appends the .silent extension to encrypted files, and targets both English- and Russian-speaking users, researchers say.

What makes this ransomware stand out, however, is the fact that its code includes strings designed as taunting messages for the researchers trying to analyze the threat. Some of these are base64 encoded, others use basic string manipulation that is easily decoded, but the general idea is the same: the malware authors claim that their malicious program cannot be cracked.

In March, the authors of a ransomware variant based on the EDA2 educational ransomware also started bragging about their ability to infect computers and suggested they would never get caught. Because EDA2 had a backdoor and because the cybercriminals bragged about their superior skills, the security community was quick to respond and neutralized the threat within a few days.

The Black Shades ransomware is supposedly distributed as fake videos, fake cracks, or fake patches, and no free decryption tool is available for its victims as of now. However, the malware can be prevented from encrypting users' files by denying its access to the website (by pointing it to instead). The malware also needs Internet access to send the computer name, user name, key, execution time, and other information to the command and control (C&C) server.

Using AES-256 encryption, Black Shades encrypts files in all folders on the hard disk, but targets only specific directories on the C: drive, thus ensuring that the infected system and the applications installed on it remain functional. After completing the encryption process, the malware points users to the payment website and attempts to delete itself from the infected machine.
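The one file-system indicator the article gives for Black Shades is the .silent extension appended to encrypted files. The following is an added triage example (not code from the article, nor from any of the researchers it cites) that sweeps a directory tree for that extension and reports how many hits each directory holds, which is a quick way for a responder to see which folders the encryption reached and which were left alone. The sample directory layout it builds in a temporary folder is constructed for the demonstration; the extension is the one the article reports, and everything else (function names, the layout) is an assumption of this example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports Black Shades Crypter appending to encrypted files.
SUSPECT_EXTENSION = ".silent"


def find_suspect_files(root, extension=SUSPECT_EXTENSION):
    """Walk `root` and return paths (relative to `root`) of files ending in `extension`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extension):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def summarize_by_directory(relative_paths):
    """Count suspect files per directory so a responder can see where encryption ran."""
    return Counter(os.path.dirname(p) for p in relative_paths)


def build_sample_tree():
    """Constructed sample tree (hypothetical layout); returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="silent-demo-")
    layout = {
        "Documents": ["report.docx.silent", "notes.txt.silent", "readme.txt"],
        "Pictures": ["holiday.jpg.silent"],
        "Windows": ["explorer.exe"],  # left untouched in this constructed tree
    }
    for sub, names in layout.items():
        folder = Path(root) / sub
        folder.mkdir()
        for name in names:
            (folder / name).write_bytes(b"sample")
    return root


def run_demo():
    """Build the constructed tree, sweep it, and return (hits, per-directory counts)."""
    root = build_sample_tree()
    hits = find_suspect_files(root)
    return hits, summarize_by_directory(hits)


if __name__ == "__main__":
    found, summary = run_demo()
    for path in found:
        print("suspect:", path)
    for folder, count in summary.items():
        print(f"{folder}: {count} file(s)")
```

On a real host you would call `find_suspect_files` against the drive root rather than the constructed tree; the per-directory counts are the useful part, since the article notes the malware deliberately skips directories needed to keep the system and its applications working, so an absence of hits under system folders is expected rather than reassuring.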

Over the past several months, ransomware has become one of the largest cyber threats out there, and the proliferation of the ransomware-as-a-service (RaaS) business model has helped in this regard. RaaS lets virtually anyone be a cybercriminal, and individuals interested in engaging in ransomware distribution need little more than script kiddie abilities.

Related: Cerber Ransomware Morphing Every 15 Seconds
