Badblock ransomware is on the block (May 25, 2016)


The Dell Sonicwall Threat Research team has received reports of yet another ransomware. This newest one to join the increasingly lucrative business of ransomwares is called BadBlock. Over the past year, Ransomware has proven to be a success for cybercriminals and has become very widespread that more versions are being released regularly. This new strain is even using a catchy phrase “BadBlock is on the Block!” in its help file to indicate successful infection.

Infection Cycle:

Badblock uses the following icon:

Upon execution, Badblock creates the following files:

  • %SystemDrive%Network Prosoftbadransom.exe (copy of itself)
  • %SystemDrive%Network Prosoftbaman.vab
  • %SystemDrive%Network Prosoftwarn (copy of the Help Decrypt.html file)

Badransom.exe is then executed and a new window is opened showing the victim’s files being encrypted.

Badblock sends a user ID to a remote server hosted on A reponse is received containing arbitrary strings which is the appropriate bitcoin account address the victim can send the payment to. This string is also referenced in the Help_decrypt.html file which contains the payment instructions.

Upon successful infection, a copy of the help file is then displayed showing instructions on how to pay the ransom of 2 Bitcoins or roughly about $900.

A copy of this “Help Decrypt.html” file is added to all the directories where files have been encrypted.

Badblock encrypts files with the following file extensions:
.asp, .aspx, .avi, .bak, .bmp, .cab, .cer, .chk, .chm, .class, .css, .dat, .data, .db, .dmp, .doc, .dot, .edb, .Evt, .exe, .gif, .htm, .html, .jar, .jpg, .js, .json, .lnk, .log, .lst, .map, .mar, .mdb, .mpp, .pdf, .pem, .pf, .php, .png, .pot, .ppt, .sav, .sdf, .sql, .sqlite, .swf, .txt, .vab, .vbs, .ver, .wav, .wma, .wmv, .xls, .xml, .zip

Unlike most ransomwares, Badblock does not append a new extension to encrypted files.

Because Badblock also encrypts system files, it renders the box extremely slow and unstable. In the instructions, the Badblock authors suggest not to shutdown the infected machine. If the user decides to, they will not be able to log back in because during our analysis we found that the files responsible for rebooting the machine were also encrypted.

At this point, the victim is locked out of their machine and the machine is rendered useless. Users will also be unable to use system restore because the files, progman.exe and rstrui.exe, have also been encrypted.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Badblock.RS (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.