Jump to content

blklock@airmail.cc - Need VBA programmer for removal

Recommended Posts

Customer was infected from blklock@airmail.cc ransomware. Too bad Eset Internet Security was not able to find it (now it is) so it encrypted all Word, Excel, PDF and stuff like this on the harddrive.

I found out, it used "rar" to pack it with a unknown password. The files where encrypted and then renamed with "<originalName>.blklock@airmail.cc". The original files where deleted and the shadow copy where also deleted.
I was able to follow the way from the Email (ISO File with download Script) to the Batch File and also the VBA Script which was used to encrypt everything.
I also own the pgp file used to encrypt and key file from the infected PC. BUT .. i'm a total VBA noob. I understand the basics .. more or less .. but not total sure what the VBA script did in every way and how to change it to decrypt it again.

I would link the files here with some samples from the encrypted pc - but no idea if i'm alowed to, because basicly its the ransomware itself and someone could change it to use it again.

Would be nice if someone could help me or maybe even Eset is interessted in programming a removal tool.

Greetings from Germany
Nico Müller

Share this post

Link to post
Share on other sites

Before making any conclusions, please contact samples[at]eset.com and provide the following stuff from the affected machine:
- logs collected with ESET Log Collector (ESET must be installed and activated beforehand if it's not)
- a handful of encrypted files (ideally Office documents)
- the ransomware note (payment instructions).

If the files were encrypted by a 100% legitimate tool, such as PGP, it's not obviously possible to detect such. An attacker might have hacked in via RDP and use it to encrypt files. If that's the case, what failed was not the AV but the security of the system which should have prevented remote attacks via RDP. However, without logs we can now only speculate what happened but the requested logs may shed more light.

Share this post

Link to post
Share on other sites


ok thanks, i was in contact with the support.

Sadly it's not possible to decode the files because of the missing private pgp key.

You can close this thread.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...