Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Black Feather Ransomware (.blackfeather) Help & Support - BLACK_FEATHER.txt

  • Please log in to reply
1 reply to this topic

#1 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA
  • Local time:08:34 PM

Posted 16 September 2016 - 02:18 PM

A new armed variant of the infamous HiddenTear ransomware has been found, calling itself Black Feather.


When Black Feather infects a victim, it will encrypt files with AES, and append the extension ".blackfeather". The following ransom note "BLACK_FEATHER.txt" is left.

This is a backup of the deposit address.
Send 0.3 BTC to decrypt your files
Validate payment in the program.

The malware appears to be spoofing an Adobe PDF document as usual, but goes an extra step and displays the following message to confuse the victim while it encrypts files.

There was an error opening this document. The file is damaged and could not be repaired.

When it has finished, the form will show with the following text.

Welcome to Black Feather.

Thank you for downloading our software.
All of your files have been encrypted with a secure 256-bit HASH.
This means you can no longer access your files without the decryption key.

You can decrypt your files by paying us 0.3 BTC, this will remove the encryption
and give you full access to your files again.


The password is not saved anywhere, and is not sent to any server, so the criminals would not be able to supply the password for decryption.


If anyone has been hit by this ransomware, we recommend you do not pay the criminals. Please post here for assistance. :)

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

BC AdBot (Login to Remove)


#2 SamsonFromTheBible


  • Members
  • 11 posts
  • Gender:Male
  • Local time:03:34 AM

Posted 17 September 2016 - 05:13 AM

 Have they provided an email address or do they communicate strictly through BitCoin messages?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users