Balbaz Ransomware Removal Guide

Do you know what Balbaz Ransomware is?

Balbaz Ransomware is yet another ransomware-type computer infection based on the Hidden-Tear project, which makes it similar to Matroska Ransomware, MoWare H.F.D Ransomware, Executioner Ransomware and several others. It was designed to encrypt your personal files and then offer you the chance to purchase a decryption key to get them back. We advise you to remove it instead, because you cannot be sure that the developers of this ransomware will send you the decryption key once you have paid. Our malware analysts say that this ransomware can infect your PC through malicious emails. Such emails can appear legitimate at first glance because they are disguised as invoices, receipts, and so on.

If Balbaz Ransomware happens to infect your PC, it will start encrypting your files immediately. It uses the Advanced Encryption Standard (AES) to encrypt your files. It targets many file types, with an emphasis on pictures, videos, audio files, documents, file archives, executables, and so on, in order to encrypt as many valuable files as possible and make you more inclined to take the risk and pay the ransom. Testing has shown that this ransomware appends a second extension, ".WAmarlocked", to the end of each file name to indicate that the file has been encrypted. After the files have been encrypted, it drops a ransom note named READ_IT.txt. The note says that you need to “Send me BTC or food to get decryption passcode.” Of course, the cyber criminal wants money rather than food and demands that you pay the ransom in Bitcoin. The sum to be paid is not specified. The note instructs you to visit one of two websites for additional information on how to pay and, if you cannot connect, to use the Tor browser to access them. Testing has shown, however, that the websites are no longer working, so you will not be able to pay the ransom even if you wanted to. The ransomware also features a timer set to run out in 7 days, after which the decryption key will, allegedly, be deleted. That deadline is a claim made by the attacker; nothing in the note lets you verify it.

There are two known, slightly different versions of this ransomware, but both of them are designated 1.00. The differences are cosmetic: the user interface windows differ, and the ransom notes are slightly different as well. Nevertheless, both of them work the same way and are equally dangerous. As mentioned in the introduction, Balbaz Ransomware is based on the Hidden-Tear project, so it uses the Hidden-Tear ransomware engine. Several similar applications work in the same way as this particular ransomware, and all of them are dangerous.

Now let us talk about distribution. Like all of the Hidden-Tear-based ransomware we have seen, Balbaz Ransomware appears to have been designed for distribution via email spam. Our researchers believe that its developer set up an email server that sends messages to a list of obtained email addresses. The emails can be disguised as receipts, invoices or something similar and urge you to open an attached file that looks like a document but is actually Balbaz Ransomware’s dropper, which places the ransomware’s executable in one of two possible locations.

In closing, Balbaz Ransomware is a highly malicious computer infection that can infect your PC secretly and then encrypt many of your valuable files. Its developer wants you to pay money for a decryption key, but the websites required to pay the ransom are down, so you cannot pay it even if you wanted to. Therefore, you should remove it if it has infected your PC. You can use an anti-malware program such as SpyHunter, but you can delete it manually as well. We have composed a manual removal guide that you can consult below.

Removal Guide

  1. Press Windows+E to open File Explorer.
  2. Type %HOMEDRIVE%\user\Rand123 or %HOMEDRIVE%\user in the address bar.
  3. Press Enter.
  4. Find local.exe, ransom.png$ or ransom.jpg$.
  5. Right-click it and click Delete.
  6. Close the File Explorer window.

Restore the Wallpaper registry value

  1. Hold down Windows+R keys.
  2. Type regedit in the box and hit Enter.
  3. Navigate to HKCU\Control Panel\Desktop.
  4. In the right-hand pane, find the Wallpaper value.
  5. Right-click it and click Modify.
  6. Erase C:\user\ransom.jpg (or the path to ransom.png, whichever is set) from the Value data field and click OK.
  7. Close the Registry Editor.
  8. Right-click the Recycle Bin and click Empty the Recycle Bin.
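The two manual procedures above can be combined into a single script. The following PowerShell script is an added example written for this guide; it is not part of the original instructions or of any anti-malware product. It uses only the indicators named on this page: the two drop locations, the local.exe, ransom.png and ransom.jpg file names, the Wallpaper value under HKCU\Control Panel\Desktop, the .WAmarlocked extension and the READ_IT.txt note. The process name "local" (derived from local.exe) and the scan root ($env:USERPROFILE) are assumptions. Run it first with -WhatIf from an elevated PowerShell prompt to see what it would change, then run it again without -WhatIf.

```powershell
# Added example (not from the original guide): triage and cleanup of the
# Balbaz Ransomware indicators listed in this article. Paths, file names and
# the registry value come from the removal steps; the .WAmarlocked extension
# and READ_IT.txt come from the analysis section. Assumptions are marked.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Root to scan when reporting how many files were encrypted.
    # Assumption: the user profile is where most targeted files live.
    [string]$ScanRoot = $env:USERPROFILE
)

$dropLocations = @(
    (Join-Path $env:HOMEDRIVE 'user'),
    (Join-Path $env:HOMEDRIVE 'user\Rand123')
)
$artifactNames = @('local.exe', 'ransom.png', 'ransom.jpg')

# 1. Stop the ransomware process before touching its files; otherwise the
#    delete fails on a locked executable or encryption simply continues.
#    Assumption: the process name matches the dropped file name, local.exe.
Get-Process -Name 'local' -ErrorAction SilentlyContinue | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("$($_.Path) (PID $($_.Id))", 'Stop process')) {
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Remove the dropped executable and the ransom wallpaper images from
#    both possible drop locations named in the guide.
foreach ($dir in $dropLocations) {
    foreach ($name in $artifactNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            # Record a hash first so the sample can be matched or submitted later.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Write-Output "Found $path SHA256=$hash"
            if ($PSCmdlet.ShouldProcess($path, 'Delete file')) {
                Remove-Item -LiteralPath $path -Force
            }
        }
    }
}

# 3. Clear the desktop wallpaper value only if it still points at a ransom
#    image; an unrelated wallpaper set by the user is left alone.
$desktopKey = 'HKCU:\Control Panel\Desktop'
$wallpaper  = (Get-ItemProperty -Path $desktopKey -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wallpaper -and ($wallpaper -match '\\user\\(Rand123\\)?ransom\.(png|jpg)$')) {
    Write-Output "Wallpaper value points at ransom image: $wallpaper"
    if ($PSCmdlet.ShouldProcess($desktopKey, 'Clear Wallpaper value')) {
        Set-ItemProperty -Path $desktopKey -Name Wallpaper -Value ''
        # Ask the shell to re-read per-user settings; a log-off also does this.
        rundll32.exe user32.dll,UpdatePerUserSystemParameters
    }
}

# 4. Report the damage. Encrypted files are NOT deleted: keep them in case a
#    decryptor becomes available, and keep one copy of the note for reference.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.WAmarlocked' -ErrorAction SilentlyContinue
$notes     = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter 'READ_IT.txt'  -ErrorAction SilentlyContinue
Write-Output ("Encrypted files (.WAmarlocked): {0}" -f @($encrypted).Count)
Write-Output ("Ransom notes (READ_IT.txt):     {0}" -f @($notes).Count)
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Two points worth noting. The script deliberately matches the Wallpaper value against the ransom image path instead of blanking it unconditionally, so that running it on a clean machine changes nothing. It also leaves the .WAmarlocked files in place: removing the ransomware does not decrypt anything, and deleting the encrypted copies would destroy the only data a future decryptor could work on. Restore from backup after the cleanup, not before.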

In non-techie terms:

Balbaz Ransomware is an application designed to infect your PC, encrypt your files with a strong encryption algorithm, and then offer to sell you a decryption key. However, you cannot buy a decryption key even if you wanted to, because its associated websites are down. What you can do is remove this ransomware from your PC altogether.