Badfail@qq.com is a crypto-malware that marks all encoded files with a lengthy appendix

Badfail@qq.com is classified as a crypto-ransomware virus.[1] It stems from a relatively old and infamous family of ransomware, dubbed as Dharma. It shares the same behavioral traits and design with Arrow ransomware, so experts consider it to be a direct variation of Arrow ransomware. The activity of this infection has been spotted at the end of March 2018 when victims reported their files locked by Badfail@qq.com file extension.
Ransomware researchers claim that the Badfail@qq.com virus exploits AES-256[2] cipher to render the most popular file types unreadable. An example of a file encrypted by the virus looks like test1.Badfail@qq.com.
Before getting the chance to start data corruption, this ransomware virus has to hijack the system (compatible with 32-bit and 64-bit systems). Usually, it finds its way into the system via malspam campaigns, but the payload can also be spread via drive-by-download attacks and exploit kits.
| Name | Badfail@qq.com |
| Type | Ransomware |
| Danger level | High. Locks personal files and can damage them permanently |
| Family | Dharma ransomware, Arrow ransomware |
| File extensions | Badfail@qq.com, but can sometimes replace with .arrow, Blammo@cock.li or bitcoin888@cock.li |
| Symptoms | The most popular file types inaccessible, ransom note generated on the desktop, antivirus blocked, random crashes |
| Decryptable | Not confirmed yet |
| Removal | Install a trustworthy security tool and set it run a deep system scan. Manual removal not possible |
| Repair | The machine gets significantly affected when the malware is present. You should run the app like FortectIntego and clean any virus damage that gets found |
Once installed, it launches Command Prompt with Administrative privileges, so the victim can see a black window popping up on the screen for a couple of seconds. Ransomware runs multiple scripts, one of which commands to remove Windows Volume Shadow Copies. Besides, it installs multiple files in %APPDATA%, C:\Windows\System32, C:\Windows\System64, C:\Windows\System Files.
Unauthorized system changes are followed by data encryption. The ransomware uses a complicated AES cipher, which appends the Badfail@qq.com file extension to the following file formats:
.gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, .js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, .txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, .hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, .zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, .vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp (the list is not definite).
The virus can alter the extension and, instead of the mentioned, append one of the following:
.arrow
.id-{id}.[bitcoin888@cock.li].arrow
.id-{id}.[Blammo@cock.li].arrow
.id-{id}.[marat20@cock.li].arrow
.id-{id}.[vauvau@cock.li].arrow
The victim is expected to notice locked files in the first place. However, a ransom note is yet another clear symptom of an attack. The note is typically disclosed in the form of a text file on the desktop or in each folder that contains encoded data.
The ransom note demands a victim to pay the ransom in Bitcoin crypto coins and initiate a transaction via Bitcoin wallet via Tor browser. Before that, he or she has to email the developers via Blammo@cock.li or Badfail@qq.com to get personalized instruction.

If your PC has already been attacked by this crypto-extortionist, we are sorry for you. However, we along with partners from bedynet.ru[3] do not recommend you to pay the ransom. Instead of that, initiate an in-depth system scan with FortectIntego or SpyHunterCombo Cleaner to remove the malware with the whole pack of malicious files.
Badfail@qq.com removal is the only smart move that you can take in this kind of situation. Paying the ransom does not give a guarantee that cybercriminals will unlock your files. They can either vanish entirely after receiving your payment or sent you a fake decryptor that is not capable of decrypting a single file.
Therefore, to protect yourself from losing money, remove Badfail@qq.com as soon as possible and decrypt data using one of the alternative data decryption methods listed at the end of this post.
NOTE: you can try to launch Dharma Decryptor right after the removal. This ransomware is an offspring of Dharma so that the decryptor might work. However, note that this ransomware more than ten different versions, some of which give up for deciphering and the others don't.
Crypto-malware spreads in many tricky ways: beware of a few
Ransomware is a type of infection that can damage most if not all personal files on the targeted PC. It is capable of doing so due to complex cryptography methods employed, and multiple system's changes initiated. However, complex performance would be a zero threat if cybersecurity experts would find a wall to stop ransomware dissemination. Currently, crooks manage to foist thousands of ransomware payloads worldwide via the following mediums:
- Malicious email attachments;
- Illegal websites;
- Fake software updates;
- Infected advertising platforms;
- Exploit kits.
One of the precautionary measures that have to be taken to protect the system from a ransomware attacks is the right choice of anti-malware. Read license terms and analyze what features the tool has to ensure as strong protection as possible. Real-time protection is a must.
Besides, avoid visiting adult content, gambling, and other potentially dangerous domains. Besides, restrain from clicking on ads and links provided on web domains that you are not familiar with.
Learn how to get rid of Badfail@qq.com ransomware virus
Do not try to remove the threat manually. Not because you can lose the encrypted data permanently, but because you will not succeed no matter how you try. It's practically impossible to initiate Badfail@qq.com removal since it scatters malicious files all around the system.
To get rid of this cyber infection, you will be able to decrypt files using alternative methods. As we have pointed out, Badfail@qq.com is a version of Arrow and Dharma, so try a free Dharma decryptor in the first place. You can find a download link down below.
Was this guide helpful?
Be the first to comment