BadBlock Ransomware Support and Help Topic - Help Decrypt.html
26 replies to this topic

#1 armin961 - Members

Posted 22 May 2016 - 07:01 AM

Hi
 
I searched for this ransomware through the net and also on Bleeping's site, but couldn't find any topic or subject relevant to this malware. Today a friend of mine told me that she was infected with a ransomware and provided me with a picture of the infected machine. There is also a help-decrypt file in every place which has been encrypted by that malware.
 
I would really appreciate it if someone provided me with a link so I can understand the type of ransomware and know whether it is possible to decrypt the files or not.
 
The forum laws prohibit me from sending the image, but it has a red background and the first sentence in the first line is as follows:
 
This machine was infected with ransomware badblock. many of your files are encrypted using RSA algorithm, and the key to decrypt this files is with us on our server.
 
It asks for 2 bitcoins (900 USD).
 
Thanks in advance

#2 quietman7 - Bleepin' Janitor, Global Moderator

Posted 22 May 2016 - 07:18 AM

Is badblock the extension appended to your files or the name of the ransomware mentioned in the ransom note?

Samas Ransomware leaves files (ransom notes) named HELP_DECRYPT_YOUR_FILES.TXT, HELP_DECRYPT_YOUR_FILES.HTML. Is that what you have or is your note just help-decrypt.txt?

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

#3 armin961 - Topic Starter

Posted 22 May 2016 - 07:48 AM

Thanks for the reply. I submitted the files to the bleeping link.



#4 armin961 - Topic Starter

Posted 22 May 2016 - 07:54 AM

Hi, I also submitted the samples on ID Ransomware.

They said they are unable to determine the ransomware and told me to refer to this code:

 

5ca93cbb535f12607ecf5032d23e3873e7aa8362



#5 Demonslay335 - Ransomware Hunter, Security Colleague

Posted 22 May 2016 - 09:03 AM

Looks new. I'll post the ransom note and set out a hunt later when I'm not on mobile.

Looks like no extension added according to the sample uploaded.

We will need a sample of the malware itself for analysis if you can start looking for that. It could be a download, email attachment, or even a bad website they received it from. You can run scans with HitmanPro and MalwareBytes to look for malicious files.



#6 Demonslay335 - Ransomware Hunter, Security Colleague

Posted 22 May 2016 - 10:06 AM

I'm not seeing any patterns in the encrypted file, may be legit RSA or AES. Won't be able to tell more without having a sample of the malware.

 

Here's the ransom note: http://pastebin.com/vH8q51ed

I just noticed the ransom note says it is still running and waiting for the BitCoin payment. Can you open Task Manager and look for any suspicious processes? Don't terminate them yet if you do, we need a sample.




#7 armin961 - Topic Starter

Posted 22 May 2016 - 10:20 AM

Thanks for your prompt answer.

 

How can I export the sample file? The ransom note threatens that if we remove the threat, we will no longer be able to access the files. How can I provide a sample and make sure that nothing will happen to the files?

My friend says that she is not sure how the ransomware entered the system. Somebody made a remote connection to that system; that can be the possible reason. It happened possibly two days ago. She says there is a process with the name badransome running.



#8 Demonslay335 - Ransomware Hunter, Security Colleague

Posted 22 May 2016 - 11:35 AM

In Task Manager, go to the Processes tab, right-click the process, and click "Open File Location". Upload the executable here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Once we have secured the sample, I would suggest hibernating the system and not using it until we can get this analysed. Create an image of the system if you can, since we don't know what we are dealing with yet.




#9 armin961 - Topic Starter

Posted 22 May 2016 - 11:36 PM

We just submitted the files.

 

Thanks for your help.



#10 Demonslay335 - Ransomware Hunter, Security Colleague

Posted 22 May 2016 - 11:57 PM

Thanks. I will try to take a look at it tomorrow, submitting it to other channels for analysis in the meantime.




#11 Fabian Wosar - Authorized Emsisoft Representative, Security Developer

Posted 23 May 2016 - 08:29 AM

I looked into the ransomware. It is insecure and decryption should be possible. Unfortunately I have a back injury right now and sitting for more than 5 or 10 minutes is more or less impossible. So please give me some time to heal first and I will write the decrypter. I hope I will get to it by Wednesday.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#12 armin961 - Topic Starter

Posted 23 May 2016 - 11:40 AM

Many thanks for your efforts. I would really appreciate that. The data is very important to us.



#13 noobi97 - Members

Posted 25 May 2016 - 09:48 AM

I looked into the ransomware. It is insecure and decryption should be possible. Unfortunately I have a back injury right now and sitting for more than 5 or 10 minutes is more or less impossible. So please give me some time to heal first and I will write the decrypter. I hope I will get to it by Wednesday.

 

Hello

 

Unfortunately we were infected by badblock too. When do you think you can release the decrypter?

Thanks a lot!



#14 quietman7 - Bleepin' Janitor, Global Moderator

Posted 25 May 2016 - 06:14 PM

When or if a solution is found by Fabian, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#15 Fabian Wosar - Authorized Emsisoft Representative, Security Developer

Posted 28 May 2016 - 03:50 PM

There you go:
 
https://decrypter.emsisoft.com/badblock
 
You will need an encrypted file as well as its unencrypted version. Just select both the encrypted and original version and drag and drop it onto the decrypter executable. The key finding process may take a while, so please be patient. If you run into any issues, please feel free to post.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.   :wink:
