BlackWorm Ransomware

BlackWorm Ransomware is a somewhat troublesome malicious application since it encrypts user’s data and blocks various processes to make it more difficult for the victim to delete it. Also, it shows a ransom note asking to pay 200 US dollars in exchange for decryption tools. The sample we tested did not provide a Bitcoin wallet address to transfer the money, which suggests the application could still be in the development mode. Dealing with hackers could be hazardous in any way, and so we would not recommend paying the ransom even if there was a way to make the transfer. If you encounter this threat, we recommend erasing BlackWorm Ransomware with a chosen antimalware tool or the instructions available below. Afterward, the files could be restored if you have any backup copies on cloud storage or some removable media device. To learn more about the threat, we invite you to read the rest of this article.

It looks like BlackWorm Ransomware could be spread either through Spam emails or fake software installers/updates. No doubt such files could look harmless and legit, but you should never open data coming from suspicious sources even if it seems reliable. For instance, if you receive an email attachment, you should first have a look at the sender’s line to determine whether the address is not forged or somehow suspicious. Also, specialists recommend carefully reading the text it may come with the file to see if nothing raises suspicion to you. Finally, to be entirely sure, the attachment does not carry any malicious content, users should scan it with a reliable antimalware tool. This advice applies to any data downloaded from untrustworthy sources, for example, torrent or similar file-sharing websites. To put it simply if you are not one hundred percent sure the file will not infect the computer, and you do not want to risk losing data on the device, you should avoid launching it.

The reason BlackWorm Ransomware is troublesome is it has quite a few nasty qualities. To start with it might disable Windows User Account Controls by editing a particular Registry entry. Also, the malicious application might kill various processes if the name appears in its list, for example, processhacker, advancedprocesscontroler, systemexplorer, and so on. The malware can even modify shortcuts available on the user’s Desktop so they would launch the malware instead of the programs they belong to. Besides after its launch, the threat should encrypt various personal files located in the %USERPROFILE% location. The affected data can be easily separated from a particular extension that the malicious application appends to each encrypted file. For instance, a file named penguins.jpg should turn into penguins.jpg.bworm.

At last, once all targeted files are encrypted, BlackWorm Ransomware should create a text file called READ_IT.txt on the user’s Desktop. Opening it should reveal the malware’s ransom note. It says the malicious application encrypted user’s data and its creators expect victims to pay 200 US dollars. The strangest part is the space where the Bitcoin wallet address needed to transfer the money is supposed to be is blank. Consequently, it becomes impossible to pay the ransom even if the user is willing to, although we highly recommend against it. There is no way to guarantee they would deliver the needed decryption tools as the cybercriminals could change their mind or start asking for more money.

Our recommendation to those who come across BlackWorm Ransomware is to erase it from the system and then restore encrypted files from backup copies if the user has any. The threat can be deleted in a couple of different ways. The first one is to remove it manually. This process might be long and somewhat complicated, but if you are determined to go through it, we advise following the instructions available below. Another way to get rid of the malicious application is to scan the computer with a reliable antimalware tool.

Restart the computer in Safe Mode

Windows 8/Windows 10

1. Tap Win+I for Windows 8 or open Start menu for Windows 10.
2. Press the Power button.
3. Click and hold Shift then click Restart.
4. Pick Troubleshoot and choose Advanced Options.
5. Go to Startup Settings and click Restart.
6. Press F5 and restart the PC.

Windows XP/Windows Vista/Windows 7

1. Navigate to Start, select Shutdown options and pick Restart.
2. Press and hold F8 when the PC starts restarting.
3. Mark Safe Mode with Networking.
4. Select Enter and log on.

Enable Show Hidden Files and Folders

Windows 8 & 10

1. Press Win+E.
2. Select the View tab (top-left corner).
3. Click on Options (top-right corner).
4. Select change folder and search options.
5. Click on the View tab and pick Show hidden files, folders and drives.
6. Click OK.

Windows 7 & Vista

1. Go to Start and launch Control Panel.
2. Choose Appearance and Personalization.
3. Open Folder Options and pick the View tab.
4. Click Show hidden files, folders and drives.
5. Select OK.

Windows XP

1. Navigate to Start and open Control Panel.
2. Pick Appearance and Themes.
3. Select Folder options and choose the View tab.
4. Find and mark Show hidden files and folders.
5. Click OK.

Eliminate BlackWorm Ransomware

1. Click Win+E.
2. Find these paths:
   %TEMP%\microsoft
   %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
3. Locate a malicious file called svchost.exe in each directory.
4. Right-click them and press Delete.
5. Go to %TEMP%
6. Find a file named BlackData.dat.
7. Right-click it and select Delete.
8. Find a text file called READ_IT.txt on your Desktop.
9. Right-click it and select Delete.
10. Exit File Explorer.
11. Press Win+R.
12. Insert Regedit and click Enter.
13. Find the given directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
14. Locate a value name titled ef781910bc5e8aab3761591acadf8bb6.
15. Right-click this value name and press Delete.
16. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
17. Locate a value name called EnableLUA, its value data should be set to 0.
18. Right-click the mentioned value name and replace 0 with 1.
19. Exit Registry Editor.
20. Empty your Recycle Bin.
21. Restart the computer.