BadEncript (Malware)
⚠️ Overview
BadEncript is a ransomware family first identified by MalwareHunterTeam in March 2023, operating as a file-encrypting malware that appends the .badencript extension to encrypted files. It is believed to be a variant of the Chaos ransomware lineage based on code similarities, and is distributed by an unidentified threat actor primarily through phishing campaigns and cracked software download sites. The malware belongs to the Ransomware category and demands payment in Bitcoin for decryption keys.
🔧 Technical Capabilities
BadEncript uses AES-256 encryption for file locking, targeting common document, image, and database extensions while avoiding critical system files to maintain system stability. It propagates via email attachments with malicious VBA macros and through trojanized installer packages hosted on file-sharing platforms. The ransomware establishes persistence by adding a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named "WindowsUpdate". It employs evasion techniques such as process hollowing and API unhooking to bypass endpoint detection, and uses a hardcoded C2 server hosted on a Tor .onion address for key retrieval and payment instructions. A ransom note named read_it.txt is dropped in every encrypted directory, containing attacker email contacts and a unique victim ID.
📜 History & Notable Incidents
The first samples of BadEncript were uploaded to VirusTotal on March 15, 2023, and were immediately flagged by only 6 of 68 antivirus engines at the time. In April 2023, a campaign targeting small businesses in Brazil and India resulted in over 200 confirmed infections, with ransom demands ranging from $300 to $1,200 per victim. No law enforcement actions or high-profile victim disclosures have been publicly reported as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from April 2023). Behavioral indicators include the creation of the mutex Global\BadencriptMutex and outbound HTTP POST requests to the C2 endpoint /api/keys. Registry modifications under HKCU\Software\Badencript storing encryption state are also observed.
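Added example, not code from this profile or from Boteraser: a small Python matcher that checks host telemetry records against the indicators listed above (the run-key value name from Technical Capabilities; the hash, mutex, ransom note and C2 path from this section). The event record layout and the sample events are assumptions constructed for the demonstration.

```python
from collections import Counter
from urllib.parse import urlparse
# Indicators taken from the BadEncript profile above (hash, run key, mutex, note, C2 path).
BADENCRIPT_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MUTEX_NAME = r"Global\BadencriptMutex"
def _norm_key(key: str) -> str:
    # Accept both the HKCU and HKEY_CURRENT_USER spellings so either log format matches.
    key = key.strip().lower()
    return "hkey_current_user" + key[4:] if key.startswith("hkcu\\") else key
def match_indicators(event: dict) -> list[str]:
    """Return the names of the BadEncript indicators that one event record matches."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        if _norm_key(event.get("key", "")) == RUN_KEY and event.get("value_name") == "WindowsUpdate":
            hits.append("persistence_run_key")
    elif kind == "file_create":
        path = event.get("path", "").replace("\\", "/").lower()
        if path.endswith(".badencript"):
            hits.append("encrypted_file")
        if path.rsplit("/", 1)[-1] == "read_it.txt":
            hits.append("ransom_note")
    elif kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("mutex")
    elif kind == "http_request" and event.get("method") == "POST":
        if urlparse(event.get("url", "")).path == "/api/keys":
            hits.append("c2_key_post")
    elif kind == "process_create" and event.get("sha256", "").lower() == BADENCRIPT_SHA256:
        hits.append("known_hash")
    return hits
def scan(events: list[dict]) -> Counter:
    """Count indicator hits across a batch of events."""
    return Counter(hit for ev in events for hit in match_indicators(ev))
def verdict(hits: Counter) -> str:
    # A hash match or two distinct behaviours is a confident call; a single behaviour is a lead.
    if "known_hash" in hits or len(hits) >= 2:
        return "badencript_likely"
    return "suspicious" if hits else "clean"
# Constructed sample telemetry, not real captures; the .onion host is a placeholder.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "WindowsUpdate"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx.badencript"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\read_it.txt"},
    {"type": "mutex_create", "name": r"Global\BadencriptMutex"},
    {"type": "http_request", "method": "POST", "url": "http://placeholder.onion/api/keys"},
    {"type": "file_create", "path": r"C:\Windows\Temp\setup.log"},
]
```

Running `verdict(scan(SAMPLE_EVENTS))` on the constructed batch yields `badencript_likely`; feeding real Sysmon or EDR events into the same record shape is the only adaptation needed.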
☠️ Risk & Impact
BadEncript causes irreversible file encryption, leading to permanent data loss if backups are unavailable, with average recovery costs estimated at $1,500 per incident including forensic investigation and system restoration. The affected sectors are primarily small-to-medium enterprises in retail and healthcare, where operational downtime can reach 72 hours. No data exfiltration functionality has been confirmed in analyzed samples.
🛡️ Mitigation
Organizations should enforce email attachment scanning, disable macros by default, and maintain offline backups. Microsoft Defender for Endpoint can detect BadEncript via behavior-based rule Ransomware:Win32/Badencript!behavior; enabling controlled folder access is recommended. No dedicated decryption tool is publicly available as of March 2025.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.