Balbaz Ransomware

Posted: August 9, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	87

First Seen:	August 9, 2017
OS(es) Affected:	Windows

The Balbaz Ransomware is a new version of Hidden Tear, a project whose original development was an educational demonstration of a harmful encryption. The Balbaz Ransomware is known is known to attach the '.WAmarlocked' extensio nto filenames and its file marker may be used as a basis for its name by other cybersecurity developers. Thus, the Balbaz Ransomware may be listed on malware databases under the alias WAmarlocked Ransomware. Along with being unable to open any files that this threat encrypts, the symptoms of an infection include changes to extensions and multiple formats of messages that demand ransoms for the file-unlocking decryptor. You can defend your PC from this threat by using anti-malware protection to delete the Balbaz Ransomware and backups to keep individual copies of your media safe.

An Extortionist that Looks Like More than It Is

Thanks to how available and straightforward its code is, Hidden Tear is often considered a 'low effort' family for threat actors with interest in harmful encryption. On the other hand, not every con artist wanting to hold files hostage for pay needs to put in the bare minimum of work necessarily, and nothing more than that. The Balbaz Ransomware, a new variant of this open-source family, provides its victims with a more polished GUI experience that might make them more inclined than usual to pay the ransom.

The Balbaz Ransomware is a 250 KB executable that runs on most Windows environments. If it does run, any files appropriate encryption, such as DOCs and JPGs, and not existing in protected locations like the Windows folder, are enciphered and blocked automatically. Additionally, the Balbaz Ransomware adds a '.WAmarlocked' extension to their names, which is a standardized practice among threat actors deploying similar attacks.

The Balbaz Ransomware includes a Notepad ransom message (which asks for Bitcoins 'or food') for selling the compatible decryptor that could restore your files. However, the threat actor also is using another type of note that appears to be using misappropriated HTA components from unrelated Trojans. This other one is a relatively rare case of a Hidden Tear release with a working Graphical User Interface and includes such elements as a week-long timer, a modifiable Bitcoin wallet address, and buttons for paying the ransom and running the decryptor.

Malware experts discourage paying both due to the uncertainty of the decoding feature and the non-refundable nature of the Bitcoin crypto currency.

Keeping Hidden Tear's Offspring in Hiding

Although the pop-up could confuse a victim into using the wrong brand of freeware decryptor, the Balbaz Ransomware's Notepad text does self-identify the threat as being a new version of Hidden Tear. Always check for general decryption compatibility with extra copies of any enciphered documents or other files instead of risking potential data loss from corrupting your media with the wrong decryption process. Malware experts note that most versions of Hidden Tear are open to free decryption, along with the ever-applicable possibility of restoring any files through your remotely-stored backups.

Although the Balbaz Ransomware's ransom instructions demonstrate an imperfect grasp of the English language, no other details are yet available about its threat actor's origins, preferences for distributing his threat, or preferred targets. File-encrypting Trojans can install themselves through multiple methods, including:

Drive-by-download exploits on compromised websites can install the Balbaz Ransomware automatically.
Disguised e-mail attachments may convince victims into opening the Balbaz Ransomware without realizing it.
Downloads labeled incorrectly, especially for illegal content such as gaming cracks, can circulate threats like the Balbaz Ransomware to PC users.

Having active and updated anti-malware software can help users block most of these attacks, such as by identifying attempted drive-by-downloads or documents with embedded exploits. Removing the Balbaz Ransomware with anti-malware software also can help you identify any threats that could be assisting with its distribution that may be capable of reinstalling it.

The more con artists invest into their software being easy to use, the more tempting it can be to pay a ransom. However, an attractive interface doesn't wash threats like the Balbaz Ransomware clean from their real motivations, which always are greed, and not helping you decode your media.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe

File name: file.exe
Size: 271.87 KB (271872 bytes)
MD5: c9d10a6e67ac7f872591e4a6d29d5506
Detection count: 87
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 18, 2017