Balbaz Ransomware Removal Guide

We have bad news for you if your files have received a new extension .WAmarlocked and can no longer be opened – a nasty malicious application Balbaz Ransomware has entered your system successfully. You can no longer open your pictures, documents, videos, and other valuable files because they have been encrypted by this ransomware infection. These malicious applications do not try to make fun of users by not allowing them to access the files they need. They simply seek to obtain money from users by locking the most valuable files they have. There are two different versions of Balbaz Ransomware, but they both act very similarly, so no matter which one of them you encounter, you will still discover plenty of locked files. Do not even think about purchasing a decryption tool (yes, you will be offered to do that). You might not be able to unlock your files without the special decryption tool; however, there are no guarantees that you could do this after sending money in exchange for decryption software to cyber criminals either. As a consequence, our experienced specialists recommend simply getting rid of Balbaz Ransomware. Do not delete those encrypted files having the .WAmarlocked extension, especially if some important files have been encrypted, because there is a slight possibility that they could be unlocked one day for free.

Balbaz Ransomware is unique in a sense that it not only drops a ransom note on Desktop, but it also changes Desktop wallpaper and opens a red window to inform users about the entire situation. Consequently, it is impossible not to notice the entrance of this ransomware infection. Victims quickly find out what has happened to their files if they read these messages left for them. Also, they find out that paying a ransom is the only way to get files back easily and quickly. At the time of writing, the size of the ransom was $200, but it might vary. We hope that you are not planning on transferring money to malicious software developers. It is not recommended to purchase “decrypt software” because nobody knows whether you will receive it and whether it could really unlock your files. Unfortunately, there are not many alternative ways to restore the encrypted data, i.e. those files with .WAmarlocked. Keep in mind that ruined files can always be restored from a backup. Of course, it is bad if you do not have one because it is the only solution to the problem that is left for you.

Almost all HiddenTear-based ransomware infections are spread via spam emails as attachments, so Balbaz Ransomware should be disseminated using the same method as well. There is no doubt that it has successfully entered your computer if your files are encrypted, Desktop wallpaper has been changed, a red window can be found on the screen, and there is a new file READ_IT.txt on Desktop. More experienced victims should also be able to find the file local.exe in the directory %HOMEDRIVE%\user\Rand123 after its entrance – it is not the only file this threat creates on victims’ machines. Researchers who have analyzed this threat also say that it creates ransom.jpg$ or ransom.png$ in %HOMEDRIVE%. Since it drops additional files, it might be slightly harder to delete this infection, but you should manage to take care of it yourself with our help.

As mentioned in the previous paragraph, many ransomware infections are spread via spam emails, so if you want to ensure the protection of your data, you should ignore all emails in the Spam mail folder. It is, of course, not the only distribution method that might be adopted to spread ransomware-type infections, so you must install security software too.

Delete Balbaz Ransomware as soon as possible even though the removal of this infection does not mean that your files will be unlocked. Just follow the step-by-step removal instructions you will find placed below this article. If are looking for a quicker and/or easier solution to this problem, perform a system scan with a reputable automatic malware remover – you will need to acquire it first if you do not have one yet.

Delete Balbaz Ransomware

1. Tap Win+R to launch RUN.
2. Enter regedit.exe in the command line.
3. Click OK.
4. Go to HKCU\Control Panel\Desktop and find the Wallpaper value.
5. Double-click it and delete data from the Value data field. Click OK.
6. Close Registry Editor.
7. Press Win+E simultaneously.
8. Delete local.exe from %HOMEDRIVE%\user\Rand123 (access this directory by typing it in the address bar of your Explorer and pressing Enter).
9. Open %HOMEDRIVE%\user.
10. Delete ransom.jpg$ or ransom.png$.
11. Clear Recycle bin.