
Current Ransomware to watch out for

Posted on 3rd June 2016

What is ransomware and what does it do?

When you become infected with ransomware, it stops you from using your PC and holds you to "ransom", normally by requesting that you pay bitcoins to the cybercrooks in order to get a decryption key and restore your files and systems to their previous state.

There are variations of ransomware, some of them simply encrypt your files, whilst others are more sinister in execution.

There's a new ransomware threat on the block and it's called BadBlock.

[Image: BadBlock ransomware message]

How does BadBlock work

The BadBlock version of ransomware is typical in its execution and is distributed via spam email containing infected attachments or by users visiting infected websites. (Is that link in the email legit?)

The BadBlock ransomware targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10, and uses an AES-256 and RSA encryption method. When the infection has finished scanning your computer or server it will also delete all of the Shadow Volume Copies. It does this so you can't use them to restore your encrypted files. You will then see the image above as your desktop wallpaper.

The difference with this version of ransomware is that not only does it encrypt your data files, it also encrypts executables, including important Windows system files. Therefore, don't restart your machine after you become infected, as doing so will cause your PC to stop working completely.

Decrypt BadBlock

Currently there is a way out for anyone that has been infected. Emsisoft have created a decrypter for BadBlock so you don't need to pay any ransom or restore from a backup. You can download it here.

Other variations of ransomware to note

There are many versions of ransomware and here are some others to watch out for:

  • Jigsaw Ransomware - Named after the sinister character from the movie SAW, this ransomware encrypts your files then proceeds to delete them over time. The longer you wait to pay the ransom the more files it will delete, and any reboot of the machine or termination of the process will reward you with the deletion of 1,000 files each time.
  • CryptXXX - This ransomware infection will affect all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10. When a victim is infected they will have their files encrypted and then a ransom of about 2.4 bitcoins, or approximately $1,000 USD, will be demanded in order to receive the decryption key.
  • Zcrypt - When infected with Zcrypt it will encrypt your data and append the .zcrypt extension to the filenames. It will then ransom the decryption key for 1.2 bitcoins.
  • ODCODC - When infecting a computer it will encrypt its data and change the filename to something like [single_character]-email-abennaki@india.com-test.jpg.odcodc or in the format %emailaddress%-%originalfilename%.odcodc. The single character in the first renaming pattern may be the drive letter that file was located on.
    Further info available at www.bleepingcomputer.com
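
The renaming patterns in the list above can be used to triage a file listing taken from an affected machine or file share. The following is an added example, not part of the original post or any vendor tool: it flags Zcrypt and ODCODC renames and recovers the original file name from each. The function names, the sample paths and the simplified email-address pattern are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# ODCODC: "[single_character]-email-<address>-<original>.odcodc" or
# "<address>-<original>.odcodc". The address pattern is a simplification.
ODCODC_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z0-9])-email-)?"
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+?\.[A-Za-z]{2,}?)-"
    r"(?P<original>.+)\.odcodc$",
    re.IGNORECASE,
)
# Zcrypt: ".zcrypt" appended to the original file name.
ZCRYPT_RE = re.compile(r"^(?P<original>.+)\.zcrypt$", re.IGNORECASE)

def classify(path):
    """Return a finding dict for a renamed file, or None if no pattern matches."""
    name = PureWindowsPath(path).name
    m = ODCODC_RE.match(name)
    if m:
        return {"family": "ODCODC", "path": path,
                "original_name": m.group("original"),
                "contact": m.group("email"),
                # The post says this character may be the drive letter.
                "possible_drive": m.group("prefix")}
    m = ZCRYPT_RE.match(name)
    if m:
        return {"family": "Zcrypt", "path": path,
                "original_name": m.group("original"),
                "contact": None, "possible_drive": None}
    return None

def triage(paths):
    """Classify a file listing; return (findings, per-family counts)."""
    findings = [f for f in map(classify, paths) if f]
    return findings, Counter(f["family"] for f in findings)

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Pictures\C-email-abennaki@india.com-test.jpg.odcodc",
    r"D:\Share\abennaki@india.com-report.docx.odcodc",
    r"C:\Users\alice\Documents\invoice.xlsx.zcrypt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE)[0]:
        print(f["family"], f["path"], "->", f["original_name"])
```

The recovered original names give a list to check against backups, and the per-family counts show how far each infection spread.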

Help with removal, restores or backups

If you are having difficulty with decrypting, restoring a backup or simply have any questions on how to protect yourself or your business against viruses, malware and ransomware please get in touch today. As one of our happy customers says "Prevention is definitely better than cure".
