
BadEncript Ransomware

Posted: December 27, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 16
First Seen: December 27, 2016
Last Seen: August 17, 2022
OS(es) Affected: Windows


The BadEncript Ransomware is a Trojan that replaces the extensions on your files while also using encryption to stop you from being able to open them. Most of the BadEncript Ransomware infections also launch a corresponding pop-up message asking you to make a Bitcoin payment to get the key for decrypting your data. If possible, you should use free recovery solutions that don't support con artists financially and block or remove the BadEncript Ransomware with standard anti-malware strategies.

A Ransomware with More Greed than Grammar

Even small details about the attacks of a file-encrypting Trojan without any known relatives can give useful background information about its campaign or creator. The BadEncript Ransomware is a Trojan that malware experts picked up in the last few days of 2016, and it embodies one of the most common traits of less professional threats: grammatical mistakes and spelling errors typical of threat actors without a strong grasp of the English language.

However, this evidence only becomes visible after the BadEncript Ransomware inflicts the rest of its payload on your PC's saved data. The Trojan hijacks the MBR (in a fashion similar to the GoldenEye Ransomware) so that it launches automatically when the system restarts. The BadEncript Ransomware also includes an encryption function using a cipher malware experts are still identifying, although a variant of AES is the most likely algorithm. The attack encrypts all files of the data formats the BadEncript Ransomware specifies, and the Trojan also appends its '.bript' extension to them so that the user can see the extent of the damage.

The BadEncript Ransomware also creates an HTML file carrying its Bitcoin ransom demands to the victims. While the note is in English, its grammar and spelling issues make it likely that the text was copied from an imperfect source, run through an auto-translation tool, or otherwise written by a non-native speaker of the language. Since English is widely used throughout the world, the BadEncript Ransomware's threat actor may use it simply to reach as many regions as possible with as little work as possible.

Saving Your Information from Trojans that Don't Bother Saving Themselves

Historically, malware analysts have found that most, but not all, file-encrypting Trojans use network communications to preserve the decryption keys for the 'locked' files. A minority store the key locally, whether it is generated on a per-attack basis or is always the same across different PCs. The BadEncript Ransomware breaks from this mold in an important way: it fails to save the key at all. Victims who close the BadEncript Ransomware will afterward be unable to use its built-in ransom-and-decryption routine to recover any of their encrypted content.

However, paid decryption is never an ideal recovery strategy, particularly when it involves financially rewarding a crook for breaking the law. Like almost all threats of its classification, the BadEncript Ransomware is best limited in its long-term damage potential by the victim keeping non-local backups on USB drives and similar platforms. Although detection rates for this new threat are low, keeping your anti-malware products on the most up-to-date version of their databases can help them block and delete the BadEncript Ransomware before any encryption begins.

The BadEncript Ransomware is most likely an amateur effort that doesn't obfuscate much of its payload and even includes taunts aimed at security researchers in its code. However, even full analyses of this threat have yet to turn up a simple decryption solution, which makes it all the more important that PC users take the right steps to protect the data that's already theirs.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File name: name.exe
Path: dir
Full path: dir\name.exe
Size: 592.38 KB (592384 bytes)
MD5: e7818e26919dc4f84c6ac683f78eba88
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 17, 2022
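The indicators described above (the appended '.bript' extension, an HTML ransom note demanding Bitcoin, and the dropped executable listed in the file-system details) can be turned into a read-only triage scan. The following Python script is an added example, not code from the original page or its authors: it walks a directory tree, counts files carrying the '.bript' extension, flags HTML files that mention both Bitcoin and decryption (a keyword heuristic that is this example's assumption, not a documented signature), and hashes executables against the MD5 and size published in the file-system details. The `build_demo_tree` function and its sample files are constructed for the demonstration.

```python
"""
Added example (not from the original page): a read-only triage scan for the
BadEncript indicators described above. It never modifies or deletes files.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# MD5 and size come from the page's "File System Modifications" section.
KNOWN_MD5 = "e7818e26919dc4f84c6ac683f78eba88"
KNOWN_SIZE = 592384
BRIPT_EXT = ".bript"

# Ransom-note heuristic (assumption of this example): an HTML file that
# mentions both Bitcoin and decryption. Tune to the note text you observe.
BITCOIN_RE = re.compile(r"bitcoin", re.IGNORECASE)
DECRYPT_RE = re.compile(r"decrypt", re.IGNORECASE)


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)  # paths ending in .bript
    ransom_notes: list = field(default_factory=list)     # HTML notes matching heuristic
    known_samples: list = field(default_factory=list)    # executables matching the MD5

    @property
    def suspicious(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes or self.known_samples)


def md5_of(path: str) -> str:
    """Stream the file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(path: str) -> bool:
    """Read at most 64 KiB of the file and apply the keyword heuristic."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as f:
            text = f.read(65536)
    except OSError:
        return False
    return bool(BITCOIN_RE.search(text) and DECRYPT_RE.search(text))


def scan_tree(root: str) -> ScanResult:
    """Walk root and collect the three indicator classes; unreadable files are skipped."""
    result = ScanResult()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(BRIPT_EXT):
                result.encrypted_files.append(path)
            elif lower.endswith((".html", ".htm")) and looks_like_ransom_note(path):
                result.ransom_notes.append(path)
            elif lower.endswith(".exe"):
                # Size is a cheap pre-filter; only the MD5 match gives a verdict.
                try:
                    if os.path.getsize(path) == KNOWN_SIZE and md5_of(path) == KNOWN_MD5:
                        result.known_samples.append(path)
                except OSError:
                    pass
    return result


def build_demo_tree() -> str:
    """Constructed sample data: two 'encrypted' files, one note, one benign executable."""
    root = tempfile.mkdtemp(prefix="bript_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for n in ("budget.xlsx.bript", "thesis.docx.bript"):
        with open(os.path.join(docs, n), "wb") as f:
            f.write(os.urandom(64))  # stand-in for ciphertext
    with open(os.path.join(docs, "readme.html"), "w", encoding="utf-8") as f:
        f.write("<html><body>Your files have been encrypted. "
                "Send Bitcoin to receive the decryption key.</body></html>")
    # Benign placeholder with the published size but a different hash, so the
    # hashing path is exercised without producing a false positive.
    with open(os.path.join(root, "notepad.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * (KNOWN_SIZE - 2))
    return root


if __name__ == "__main__":
    r = scan_tree(build_demo_tree())
    print(f"encrypted: {len(r.encrypted_files)}, notes: {len(r.ransom_notes)}, "
          f"known samples: {len(r.known_samples)}, suspicious: {r.suspicious}")
```

Point `scan_tree` at a user's profile or a mounted image rather than the demo tree to get a quick count of affected files before deciding on restoration from backup; the scan reads files only, so it is safe to run on evidence you intend to preserve.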