
Balbaz Ransomware

Posted: August 9, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 87
First Seen: August 9, 2017
OS(es) Affected: Windows

The Balbaz Ransomware is a new version of Hidden Tear, an open-source project originally published as an educational demonstration of file-encrypting malware. The Balbaz Ransomware is known to append the '.WAmarlocked' extension to the names of the files it encrypts, and other security vendors may use that file marker as the basis for its name, so the Balbaz Ransomware may be listed in malware databases under the alias WAmarlocked Ransomware. Besides being unable to open any files this threat encrypts, the symptoms of an infection include the changed extensions and ransom messages in more than one format that demand payment for the file-unlocking decryptor. You can defend your PC from this threat by using anti-malware protection to delete the Balbaz Ransomware and by keeping backups so that separate copies of your files stay safe.

An Extortionist that Looks Like More than It Is

Because its code is freely available and straightforward, Hidden Tear is often considered a 'low effort' family for threat actors interested in file-encrypting attacks. Not every con artist who holds files hostage for pay settles for that bare minimum, however. The Balbaz Ransomware, a new variant of this open-source family, gives its victims a more polished GUI experience that may make them more inclined than usual to pay the ransom.

The Balbaz Ransomware is an executable of roughly 270 KB (see the Technical Details below) that runs on most Windows environments. Once it runs, any files of formats suited to extortion, such as DOCs and JPGs, that are not stored in protected locations like the Windows folder are encrypted automatically and can no longer be opened. The Balbaz Ransomware also appends a '.WAmarlocked' extension to their names, a standard practice among threat actors deploying similar attacks.

The Balbaz Ransomware drops a Notepad (plain-text) ransom note, which asks for Bitcoins 'or food' in exchange for the decryptor that could restore your files. The threat actor also uses a second kind of note that appears to reuse HTA components misappropriated from unrelated Trojans. This second note is a relatively rare case of a Hidden Tear release with a working Graphical User Interface: it includes a week-long countdown timer, a modifiable Bitcoin wallet address, and buttons for paying the ransom and running the decryptor.

Malware experts discourage paying either ransom, both because the decryption feature may not work as promised and because Bitcoin payments are non-refundable.

Keeping Hidden Tear's Offspring in Hiding

Although the pop-up could mislead a victim into trying the wrong brand of freeware decryptor, the Balbaz Ransomware's Notepad text does self-identify the threat as a new version of Hidden Tear. Always test a decryptor's compatibility on spare copies of your encrypted documents and other files instead of risking permanent data loss by corrupting the originals with the wrong decryption process. Malware experts note that most versions of Hidden Tear are open to free decryption, and restoring files from your remotely stored backups is always an option.

Although the Balbaz Ransomware's ransom instructions show an imperfect grasp of English, no other details are yet available about the threat actor's origins, preferred distribution methods, or preferred targets. File-encrypting Trojans can install themselves through multiple methods, including:

  • Drive-by-download exploits on compromised websites can install the Balbaz Ransomware automatically.
  • Disguised e-mail attachments may convince victims into opening the Balbaz Ransomware without realizing it.
  • Downloads labeled incorrectly, especially for illegal content such as gaming cracks, can circulate threats like the Balbaz Ransomware to PC users.

Keeping anti-malware software active and updated can help users block most of these attacks, for example by identifying attempted drive-by-downloads or documents with embedded exploits. Removing the Balbaz Ransomware with anti-malware software also helps you identify any accompanying threats that may be assisting its distribution or be capable of reinstalling it.

The more con artists invest in making their software easy to use, the more tempting it can be to pay a ransom. An attractive interface, however, does not change the real motive behind threats like the Balbaz Ransomware, which is always greed and never helping you decode your files.

Technical Details

File System Modifications


The following file was created on the system:

File name: file.exe
Size: 271.87 KB (271872 bytes)
MD5: c9d10a6e67ac7f872591e4a6d29d5506
Detection count: 87
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 18, 2017
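The two indicators this page gives (the '.WAmarlocked' extension appended to encrypted files, and the MD5 and size of the dropped file.exe above) are enough for a first-pass host triage. The script below is an added example, not code from this page or from the ransomware author: it inventories files carrying the marker extension, recovers their pre-encryption names, and checks a suspect executable against the listed hash and size. The directory tree it walks, the file names in it, and the `demo()` helper are constructed for the demonstration; the only values taken from the page are the extension, the MD5 and the byte size.

```python
"""Host triage for a Balbaz / Hidden Tear style infection (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".WAmarlocked"                    # extension reported on this page
KNOWN_MD5 = "c9d10a6e67ac7f872591e4a6d29d5506"   # file.exe MD5 from Technical Details
KNOWN_SIZE = 271872                               # file.exe size in bytes, same source


def find_encrypted(root):
    """Return sorted paths of files whose name ends with the marker extension.

    The comparison is case-insensitive so a lower-cased copy of the
    extension is still caught."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Strip the marker extension to recover the pre-encryption filename,
    e.g. 'report.docx.WAmarlocked' -> 'report.docx'."""
    name = os.path.basename(str(path))
    if name.lower().endswith(ENCRYPTED_EXT.lower()):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 so large binaries are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_sample(path):
    """Classify a candidate executable against the page's IOCs.

    Size is checked first as a cheap pre-filter; the hash decides. Returns
    'match', 'size-mismatch' or 'hash-mismatch'."""
    if os.path.getsize(path) != KNOWN_SIZE:
        return "size-mismatch"
    return "match" if md5_of(path) == KNOWN_MD5 else "hash-mismatch"


def build_sample_tree(root):
    """Constructed sample data: two 'encrypted' files, one untouched file, and a
    bogus file.exe with the right size but not the right hash (hypothetical)."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.WAmarlocked").write_bytes(b"\x00" * 32)
    (root / "photo.jpg.wamarlocked").write_bytes(b"\x00" * 32)
    (root / "notes.txt").write_bytes(b"untouched")
    (root / "file.exe").write_bytes(b"\x90" * KNOWN_SIZE)
    return root


def demo():
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = find_encrypted(root)
        verdict = match_sample(root / "file.exe")
        return len(hits), [original_name(h) for h in hits], verdict


if __name__ == "__main__":
    count, names, verdict = demo()
    print(f"{count} encrypted file(s): {names}; file.exe verdict: {verdict}")
```

On a real host, point `find_encrypted` at the user profile or drive root rather than the sample tree, and treat a 'hash-mismatch' on a same-sized file.exe as worth a closer look rather than a clean bill: a recompiled Hidden Tear variant will not share this MD5.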