
Blocking Ransomware

Posted: August 4, 2017

The Blocking Ransomware is part of the BTCWare Ransomware family, a collection of Trojans that make money by encrypting their victims' files and then selling a possible decryption solution. The Trojan's symptoms include an advanced Web page-based ransom message, blocking access to arbitrary files (such as documents), and inserting new extensions into their filenames that promote the threat actor's e-mail address. Use anti-malware products that have proven effective against this Trojan's family to stop and delete the Blocking Ransomware, and restore any locked content from your backups.

The BTCWare Ransomware Gets a New Player in the Game

With the profusion of 'look-alike' Trojans trying to imitate their competition, it is easy to forget that major Trojan families also spawn genuine new versions of themselves. Variations on the common theme of the BTCWare Ransomware include the Aleta Ransomware (July), the Oled Ransomware (May), and the newest, the Blocking Ransomware (August). Since the Trojan shows relatively small changes compared to previous releases, malware experts presume that this fork is the result of the software being rented out to a third-party threat actor.

The Blocking Ransomware establishes a simple auto-launch routine by modifying the Windows Registry and disables some security features that could interfere with it, such as the Startup Repair and Boot Failure messages. Besides the standard attack of encrypting files on the infected PC, the Blocking Ransomware also deletes the default backup data that the user could otherwise revert to in order to reverse its changes. As a result, the affected content, such as text documents, will no longer open and carries a new extension (containing the Blocking Ransomware's e-mail address and the '.blocking' tag).

Malware analysts also saw few modifications to the ransom message the Blocking Ransomware creates to inform its victim of the recommended file-unlocking process. The threat actors specify payment in Bitcoins, offer a one-file 'sample' of their decryption service, and use the same HTA-based formatting as older examples of the BTCWare Ransomware. As is usual with such attacks, the Blocking Ransomware ties the encryption routine to a custom ID that prevents generic decryptors from restoring your files.

The Advantages of Learning How to Block a File Blocker

Besides showing that its underlying family is alive and well, the Blocking Ransomware is also a good example of how a Trojan can cause more security issues than its visible symptoms suggest.

  • The Blocking Ransomware contacts no fewer than ten separate domains for purposes associated with its C&C and ransoming methods.
  • The Blocking Ransomware deletes system recovery content and will override user permission settings if necessary to do so.
  • The Blocking Ransomware generates easily-overlooked files with random or misleading names (such as 'java.exe').

Most of its functions are standardized within the BTCWare Ransomware's family and support the primary goal of sabotaging files for ransom.
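The symptoms described above (files renamed with the actor's e-mail address and a '.blocking' tag, dropped binaries that borrow legitimate names such as 'java.exe', and disabled boot-recovery messages) can be turned into a small triage check a responder runs over a file listing and the boot-configuration output of a suspect host. The following Python script is an added example written for this page, not code from the article or from any anti-malware product. It assumes the encrypted-file layout is `original.ext.[email].blocking` (the page only says the extension carries the e-mail and the tag), treats the Startup Repair and Boot Failure settings as the `recoveryenabled` and `bootstatuspolicy` values shown by `bcdedit`, and uses constructed sample paths, a constructed placeholder e-mail address and constructed `bcdedit` text rather than real indicators.

```python
import re
from pathlib import PureWindowsPath

# ASSUMED layout of an encrypted file's name: original name, then the threat
# actor's e-mail address in square brackets, then the '.blocking' tag. The page
# states only that the new extension contains the e-mail address and the tag.
BLOCKING_NAME = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.blocking$", re.IGNORECASE
)

# Legitimate program names the page says the Trojan reuses for its own files.
# A copy outside the usual vendor directories is worth a closer look.
LOOKALIKE_NAMES = {"java.exe"}
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)")


def find_encrypted_files(paths):
    """Return (path, original_name, email) for each path matching the pattern."""
    hits = []
    for p in paths:
        m = BLOCKING_NAME.match(PureWindowsPath(p).name)
        if m:
            hits.append((p, m.group("orig"), m.group("email").lower()))
    return hits


def find_lookalike_binaries(paths):
    """Return paths whose file name is a known look-alike name but whose
    location is outside the trusted vendor directories."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in LOOKALIKE_NAMES and not str(wp).lower().startswith(TRUSTED_DIRS):
            hits.append(p)
    return hits


def boot_recovery_disabled(bcdedit_output):
    """Parse the text of 'bcdedit /enum {default}' (assumed to be the place
    where the disabled Startup Repair / Boot Failure messages show up) and
    report True if automatic recovery is off or boot failures are ignored."""
    settings = {}
    for line in bcdedit_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return (settings.get("recoveryenabled") == "no"
            or settings.get("bootstatuspolicy") == "ignoreallfailures")


def triage(paths, bcdedit_output):
    """Summarise the indicators so a responder can confirm the variant and
    see whether local recovery has already been sabotaged."""
    encrypted = find_encrypted_files(paths)
    return {
        "encrypted_count": len(encrypted),
        "contact_emails": sorted({e for _, _, e in encrypted}),
        "lookalike_binaries": find_lookalike_binaries(paths),
        "boot_recovery_disabled": boot_recovery_disabled(bcdedit_output),
    }


# Constructed sample data: the e-mail address is a placeholder, not a real IoC.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.[contact@example.invalid].blocking",
    r"C:\Users\alice\Documents\notes.txt.[contact@example.invalid].blocking",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\AppData\Roaming\java.exe",
    r"C:\Program Files\Java\jre\bin\java.exe",
]

# Constructed bcdedit output in the shape the real tool prints.
SAMPLE_BCDEDIT = """Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 10
recoveryenabled         No
bootstatuspolicy        IgnoreAllFailures
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_BCDEDIT).items():
        print(f"{key}: {value}")
```

On a real host the file listing would come from a directory walk of the user profile and the boot settings from running `bcdedit /enum {default}` in an elevated prompt; the extracted contact address is useful for confirming the variant, while a `boot_recovery_disabled` result of True tells you that rolling back with local recovery features is no longer an option and offline backups are the way forward.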

Because the Blocking Ransomware can delete local backups, users can only protect their media by keeping backups on devices that are inaccessible to the Trojan, such as cloud storage or USB devices. Malware experts have yet to ascertain which infection methods this latest version of the BTCWare Ransomware is using, although the possibilities range from e-mail spam to brute-force attacks. Keeping your anti-malware software updated lowers the chance of a missed detection and lets it delete the Blocking Ransomware before it encrypts any files.

As a threatening program with a comprehensive bundle of advanced anti-security features, the Blocking Ransomware is an advertisement for the BTCWare Ransomware family. However, it also advertises the incredible value that any PC user can get out of a consistent backup schedule, no matter how simple it is.
