BadBlock Ransomware

Detailed Analysis & Community Defense Guide

Status last reviewed: June 2024
Alias/es: BadBlock (typo used internally in ransom notes) – do not confuse with the unrelated crypto-miner of the same name.

Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension: .badblock
Renaming Convention:
Plain files: original-name.extension.badblock (example: Report_2024.xlsx → Report_2024.xlsx.badblock)
No renaming of volumes, folders, or desktop icons; only the file payload is touched.

2. Detection & Outbreak Timeline

First Public Samples: 25 January 2016 (MalwareHunterTeam via VirusTotal, #4720)
Peak Activity Period: February – June 2016
Recent Resurgence: Isolated reports Q3 2020 (pirated software drops, but still the old payload).

3. Primary Attack Vectors

Remediation & Recovery Strategies

1. Prevention (Top 5 Immediate Controls)

Patch Timeline: Scan & apply February 2016 Windows patch roll-up (includes MS16-023/039 critical IE & Flash)
Disable SMBv1 (sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi, then reboot)
Application Whitelisting: Use Microsoft Defender Application Control / AppLocker to block unsigned PEs in user profile
Email & Macro Policy: Strip .EXE/.JS attachments at gateway; require signed macros + user re-approval
Back-ups – 3-2-1 rule: offline, off-site, daily; test monthly restore.

2. Removal (Step-by-Step)

Note: Isolate the host before decryption attempts to avoid leftover re-encryption.

Kill processes & services

   Stop-Process -Name "badblock*" -Force
   Stop-Service -Name "MSFWUpdate" -Force   # masquerading service
   sc.exe delete "MSFWUpdate"

Dissect startup persistence
Registry:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   →  "Updater" = %ProgramData%\Updater\badblock.exe
   HKCU\...\Run  →  "WinUpdates" = %AppData%\WindowsUpdate.exe

Remove both entries.

Delete malware binaries (overwrite with cipher /w on each infected volume once fully clean).
Reset local-password cache & rerun the Windows Malicious Software Removal Tool (MSERT April 2016+).

3. File Decryption & Recovery

Official Decryptor Available? → YES
Courtesy of ESET, 29 March 2016 release: https://decryptors.emsisoft.com/ESETBadBlockDecryptor.exe
Tool Requirements:
- Original unencrypted copy of at least one file and its encrypted twin pair (>512 B) – included in most backups
- 64-bit Windows XP SP3 → Windows 11 (run elevated)
- Offline/other partition storage to avoid wiping still-open handles
Process:

Give decryptor file pair path → auto-build keyset
Select drive or specific folder → decrypt in place (write to filename.badblock.decrypted)
Rename back and run chkdsk /f if NTFS MFT presencedamage suspected.

Feasibility Summary
100 % deterministic – BadBlock uses AES-256-ECB with a static密钥成块 and lacks key chaining. Obfuscation layer merely scrambled, decryptor brute-forces the round-key.

4. Other Critical Information & Peculiarities

Misclassification Alert: Early AV engines tagged it as “XRTN” family (GandCrab sidecar), but BadBlock is independent and far simpler.
Geographic Notable Impact: Highest infection rates in Europe (DE, IT, UK) via pirated Windows “activator” downloads.
Visual Indications:
– Desktop swapped with BMP badblock.bmp (gibberish ASCII skull)
– Ransom note dropped as HOW_DECRYPT_MY_FILES.txt (ASCII, German & English) demanding 2 BTC to hard-coded address (no longer monitored).
Zero-Day Free Zone: No novel exploit code; entirely relies on well-documented flaws already patched by April 2016 Microsoft kit. Keeping systems patched makes all samples stop cold.

Quick Reference Cheat-Sheet

Stay patched, back up daily, and ensure layered email/endpoint defenses. BadBlock is neutralized software—but its pattern of delivery reappears every few years.