BuLock ransomware runs on Windows systems, encrypts important user files, and appends the .bulock72 extension. As the infection progresses, it creates a ransom note named how_to_back_files.html in every user data directory and changes the extension of every encrypted file so that the user notices the infection immediately.
| item | detail |
|---|---|
| Ransomware name | BuLock |
| Changed extension | .bulock72 |
| Ransom note | how_to_back_files.html |
| Attacker contact information (based on notes) | ithelp11@securitymy.name, ithelp11@yousheltered.com |
| item | detail |
|---|---|
| Size | 53.00 KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 22ff4b883468f0b2b21b2c50d5ca5bd9 |
| SHA1 | e34f09cf8f1416ab4611a6a18ff99281fad93c70 |
| SHA256 | d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893 |
| SHA512 | 9b37dff34d3ceca993bebda8e6d3f4f4a361af65ec6bdde4be54021be2dc48c176aa0b0ef2bae8433ca2957d5e3c28fe448465c3f816a5ee36a5d395bd8f4405 |
| CRC32 | 3cd4864b |

Figure 1. Desktop screen changed after BuLock infection
BuLock ransomware is written in C++. On first execution it copies itself to the %AppData%\Local path and runs from that location. It then registers the path of the copied executable in the user account's Startup registry key so that it runs automatically after a system reboot, and only then begins encrypting files.

Figure 2. Dynamic information for copying files to the corresponding location and the generated files

Figure 3. Dynamic code and generated value registering the ransomware executable created in the Local folder in the user's Startup registry
Once the infection is running, files are encrypted, a ransom note is generated, and the extension of each encrypted file is changed, rendering the files unusable.

Figure 4. Example of encrypted file extension (.bulock72) changed after BuLock ransomware infection
Under WhiteDefender's detection criteria, file-encryption behavior such as that of BuLock ransomware is identified by Ransomware Behavior-Detect, a behavior-based detection engine. In particular, it detects abnormal activity early from the pattern of large-scale file changes that occurs during encryption, and can stop the encryption by blocking the process at the execution stage (Execution Block).
In addition, the Quarantine and Restore functions act on file change events to minimize the data damage caused by the ransomware.
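The two behaviors this report describes, the Startup-registry persistence under %AppData%\Local and the burst of mass file renames to .bulock72 that the behavior-based engine keys on, can be checked against endpoint telemetry. The following triage script is an added example, not WhiteDefender's or the page's own code: it runs over a constructed file/registry event log (the log format, timestamps, paths and the HKCU Run key are assumptions) and raises a verdict when it sees a rename burst, a ransom note, or a Run-key entry pointing into AppData\Local.

```python
from datetime import datetime, timedelta

BULOCK_EXT = ".bulock72"                 # extension appended by BuLock (from the report)
RANSOM_NOTE = "how_to_back_files.html"   # ransom note name (from the report)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed Startup key
# Constructed telemetry in "timestamp | kind | target" form; not taken from the report.
SAMPLE_LOG = [
    r"2024-01-01 10:00:00 | file_create | C:\Users\u\AppData\Local\BuLock.exe",
    r"2024-01-01 10:00:01 | reg_set | " + RUN_KEY + r"\BuLock=C:\Users\u\AppData\Local\BuLock.exe",
    r"2024-01-01 10:00:01 | reg_set | " + RUN_KEY + r"\OneDrive=C:\Program Files\OneDrive.exe",
    r"2024-01-01 10:00:02 | file_rename | C:\Users\u\Documents\report.docx.bulock72",
    r"2024-01-01 10:00:02 | file_rename | C:\Users\u\Documents\budget.xlsx.bulock72",
    r"2024-01-01 10:00:03 | file_rename | C:\Users\u\Pictures\IMG_001.jpg.bulock72",
    r"2024-01-01 10:00:03 | file_rename | C:\Users\u\Pictures\IMG_002.jpg.bulock72",
    r"2024-01-01 10:00:04 | file_rename | C:\Users\u\Desktop\notes.txt.bulock72",
    r"2024-01-01 10:00:04 | file_create | C:\Users\u\Desktop\how_to_back_files.html",
    r"2024-01-01 10:05:00 | file_rename | C:\Users\u\Desktop\draft_v2.txt",
]

def parse_event(line):
    ts, kind, target = (part.strip() for part in line.split("|", 2))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, target

def find_rename_burst(events, threshold, window):
    """Time at which `threshold` renames to .bulock72 fall inside `window`, else None."""
    times = [ts for ts, kind, target in events
             if kind == "file_rename" and target.lower().endswith(BULOCK_EXT)]
    for i in range(len(times) - threshold + 1):        # events are sorted by time
        if times[i + threshold - 1] - times[i] <= window:
            return times[i + threshold - 1]
    return None

def find_persistence(events):
    """Run-key values whose command lives under the AppData Local folder."""
    return [t for _, kind, t in events if kind == "reg_set"
            and t.lower().startswith(RUN_KEY.lower()) and "\\appdata\\local\\" in t.lower()]

def find_ransom_notes(events):
    return [t for _, kind, t in events if kind == "file_create" and t.lower().endswith(RANSOM_NOTE)]

def triage(log_lines, threshold=5, window_seconds=10):
    events = sorted(map(parse_event, log_lines))
    burst = find_rename_burst(events, threshold, timedelta(seconds=window_seconds))
    persistence, notes = find_persistence(events), find_ransom_notes(events)
    if burst:
        verdict = "ransomware_behaviour"   # mass-rename burst: the point to block/quarantine
    elif persistence or notes:
        verdict = "suspicious"             # persistence or note seen before any burst
    else:
        verdict = "clean"
    return {"verdict": verdict, "burst_at": burst, "persistence": persistence, "ransom_notes": notes}
```

The burst threshold and window are tuning knobs; a real engine would also track the process responsible for the renames so that the block lands on the right PID.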

Figure 5. WhiteDefender Detect Viewer Detection Logs: Ransomware Behavior-Detect Detection and Execution Block / Quarantine / Restore Records

Figure 6. WhiteDefender Blocking Notification Popup: Process has been blocked due to malicious activity (BuLock.exe)
