Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2021

How to remove Badfail@qq.com ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Lucia Danes · Virus researcher

Badfail@qq.com is a crypto-malware that marks all encoded files with a lengthy appendix

Badfail@qq.com ransomware renders personal files unreadable

Badfail@qq.com is classified as a crypto-ransomware virus.[1] It stems from a relatively old and infamous family of ransomware, dubbed as Dharma. It shares the same behavioral traits and design with Arrow ransomware, so experts consider it to be a direct variation of Arrow ransomware. The activity of this infection has been spotted at the end of March 2018 when victims reported their files locked by Badfail@qq.com file extension.

Ransomware researchers claim that the Badfail@qq.com virus exploits AES-256[2] cipher to render the most popular file types unreadable. An example of a file encrypted by the virus looks like test1.Badfail@qq.com.

Before getting the chance to start data corruption, this ransomware virus has to hijack the system (compatible with 32-bit and 64-bit systems). Usually, it finds its way into the system via malspam campaigns, but the payload can also be spread via drive-by-download attacks and exploit kits.

Name Badfail@qq.com
Type Ransomware
Danger level High. Locks personal files and can damage them permanently
Family Dharma ransomware, Arrow ransomware
File extensions Badfail@qq.com, but can sometimes replace with .arrow, Blammo@cock.li or bitcoin888@cock.li
Symptoms The most popular file types inaccessible, ransom note generated on the desktop, antivirus blocked, random crashes
Decryptable Not confirmed yet
Removal Install a trustworthy security tool and set it run a deep system scan. Manual removal not possible
Repair The machine gets significantly affected when the malware is present. You should run the app like FortectIntego and clean any virus damage that gets found

Once installed, it launches Command Prompt with Administrative privileges, so the victim can see a black window popping up on the screen for a couple of seconds. Ransomware runs multiple scripts, one of which commands to remove Windows Volume Shadow Copies. Besides, it installs multiple files in %APPDATA%, C:\Windows\System32, C:\Windows\System64, C:\Windows\System Files.

Unauthorized system changes are followed by data encryption. The ransomware uses a complicated AES cipher, which appends the Badfail@qq.com file extension to the following file formats:

.gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, .js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, .txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, .hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, .zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, .vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp (the list is not definite).

The virus can alter the extension and, instead of the mentioned, append one of the following:

.arrow
.id-{id}.[bitcoin888@cock.li].arrow
.id-{id}.[Blammo@cock.li].arrow
.id-{id}.[marat20@cock.li].arrow
.id-{id}.[vauvau@cock.li].arrow

The victim is expected to notice locked files in the first place. However, a ransom note is yet another clear symptom of an attack. The note is typically disclosed in the form of a text file on the desktop or in each folder that contains encoded data.
The ransom note demands a victim to pay the ransom in Bitcoin crypto coins and initiate a transaction via Bitcoin wallet via Tor browser. Before that, he or she has to email the developers via  Blammo@cock.li or Badfail@qq.com to get personalized instruction.

Badfail@qq.com virus is a version of Arrow ransomware

If your PC has already been attacked by this crypto-extortionist, we are sorry for you. However, we along with partners from bedynet.ru[3] do not recommend you to pay the ransom. Instead of that, initiate an in-depth system scan with FortectIntego or SpyHunterCombo Cleaner to remove the malware with the whole pack of malicious files.

Badfail@qq.com removal is the only smart move that you can take in this kind of situation. Paying the ransom does not give a guarantee that cybercriminals will unlock your files. They can either vanish entirely after receiving your payment or sent you a fake decryptor that is not capable of decrypting a single file.

Therefore, to protect yourself from losing money, remove Badfail@qq.com as soon as possible and decrypt data using one of the alternative data decryption methods listed at the end of this post.

NOTE: you can try to launch Dharma Decryptor right after the removal. This ransomware is an offspring of Dharma so that the decryptor might work. However, note that this ransomware more than ten different versions, some of which give up for deciphering and the others don't.

Crypto-malware spreads in many tricky ways: beware of a few

Ransomware is a type of infection that can damage most if not all personal files on the targeted PC. It is capable of doing so due to complex cryptography methods employed, and multiple system's changes initiated. However, complex performance would be a zero threat if cybersecurity experts would find a wall to stop ransomware dissemination. Currently, crooks manage to foist thousands of ransomware payloads worldwide via the following mediums:

  • Malicious email attachments;
  • Illegal websites;
  • Fake software updates;
  • Infected advertising platforms;
  • Exploit kits.

One of the precautionary measures that have to be taken to protect the system from a ransomware attacks is the right choice of anti-malware. Read license terms and analyze what features the tool has to ensure as strong protection as possible. Real-time protection is a must.

Besides, avoid visiting adult content, gambling, and other potentially dangerous domains. Besides, restrain from clicking on ads and links provided on web domains that you are not familiar with.

Learn how to get rid of Badfail@qq.com ransomware virus

Do not try to remove the threat manually. Not because you can lose the encrypted data permanently, but because you will not succeed no matter how you try. It's practically impossible to initiate Badfail@qq.com removal since it scatters malicious files all around the system.

To get rid of this cyber infection, you will be able to decrypt files using alternative methods. As we have pointed out, Badfail@qq.com is a version of Arrow and Dharma, so try a free Dharma decryptor in the first place. You can find a download link down below.

Be the first to comment

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.