Bricks Ransomware is a file-encrypting malware strain that belongs to the ransomware family of threats designed to lock victims' data and extort payment for its release. Once executed on a system, this malware encrypts documents, images, databases, and other valuable files using strong cryptographic algorithms, appending a distinctive extension to encrypted files and dropping ransom notes demanding payment in cryptocurrency. While the specific implementation details vary across samples, Bricks Ransomware follows the typical modern ransomware playbook: rapid encryption, network propagation attempts, and deadline-based payment demands.

Bricks Ransomware — cybersecurity illustration
Photo by AI25.Studio Studio on Pexels

Like most ransomware variants active today, Bricks targets both individual users and business networks, though its distribution methods suggest opportunistic infection rather than highly targeted campaigns. The threat is particularly dangerous because it can spread laterally across poorly secured networks, potentially encrypting shared drives and backup locations before victims realize an infection has occurred.

Think you're infected right now? Immediately disconnect the affected computer from your network (unplug the ethernet cable or disable Wi-Fi). Do not shut down the machine yet — this preserves evidence and running processes that may aid recovery. If you're on a business network, alert your IT contact immediately. For home users in Roswell, call us at (770) 594-7444 before attempting removal yourself.

Threat Profile

AttributeDetails
Threat TypeRansomware (File Encryptor)
FamilyBricks Ransomware family
Known AliasesVaries by sample; may appear in detection engines as Ransom:Win32/Bricks or similar heuristic names
Platforms AffectedWindows (7, 8, 8.1, 10, 11); server versions vulnerable on unpatched systems
Encryption MethodHybrid asymmetric/symmetric encryption (typical for this family); uses AES or similar for speed with RSA for key protection
File ExtensionAppends custom extension to encrypted files (varies by variant; commonly .bricks or similar identifier)
Ransom Note FilenameVaries; typically HOW_TO_DECRYPT.txt, README.txt, or HTML file placed in affected directories
Distribution MethodsMalicious email attachments, exploit kits, RDP brute-force, bundled with cracked software, drive-by downloads
Persistence MechanismMay establish persistence via Run registry keys or scheduled tasks; some variants disable recovery features immediately
Network BehaviorAttempts to communicate with command-and-control servers for key exchange; may scan local network for additional targets
System ImpactHigh CPU usage during encryption phase; may delete Volume Shadow Copies and disable Windows Recovery; disables antivirus processes when possible
Removal DifficultyModerate to High — the malware itself can be removed, but encrypted files remain locked without decryption keys

How It Spreads

Bricks Ransomware primarily relies on social engineering and system vulnerabilities to gain initial access. The most common infection vector involves phishing emails containing malicious attachments disguised as invoices, shipping notifications, or urgent business documents. These attachments typically arrive as ZIP archives containing JavaScript files, malicious Office documents with embedded macros, or executables with double extensions designed to appear legitimate.

The threat also propagates through exploit kits hosted on compromised legitimate websites or malicious advertising networks. When users visit these sites with outdated browsers or plugins, the exploit kit silently probes for vulnerabilities and deploys the ransomware payload without any visible warning. Additionally, Bricks has been observed bundled with pirated software, key generators, and fake codec installers distributed through torrent sites and file-sharing platforms.

Common distribution methods include:

  • Phishing emails with weaponized attachments (Office documents with macros, PDF files with embedded executables, ZIP archives)
  • Malvertising campaigns that redirect users to exploit kit landing pages
  • RDP brute-force attacks against exposed Remote Desktop Protocol connections with weak passwords
  • Software piracy channels where the ransomware is bundled with cracked applications or license generators
  • Drive-by downloads from compromised legitimate websites that have been injected with malicious scripts
  • Malicious browser extensions or fake software updates that claim to be Flash Player or codec installers
  • Secondary infection by existing trojans or backdoors already present on compromised systems

What It Does On Your Machine

Upon execution, Bricks Ransomware immediately begins a multi-stage attack sequence. The initial dropper component unpacks the main encryption payload into a temporary location, often within the %LOCALAPPDATA% or %APPDATA% directories using randomly generated folder names or GUID-style identifiers. The malware then establishes persistence by creating registry entries in the Run keys or scheduling tasks to survive system reboots, though many variants prioritize speed over persistence since the damage is done during the first execution.

Before beginning encryption, the ransomware typically performs reconnaissance to identify valuable targets. It scans all accessible drives including mapped network shares, USB devices, and cloud storage sync folders for files matching specific extensions. Documents, images, databases, archives, and source code files are prioritized. Simultaneously, the malware often attempts to disable Windows Defender, delete Volume Shadow Copies using commands like vssadmin delete shadows /all /quiet, and disable System Restore to eliminate recovery options. This preparatory phase happens rapidly, often within seconds.

Typical Bricks Ransomware Artifacts
C:\Users\[Username]\AppData\Local\{GUID}\bricks_enc.exe
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files.lnk
; Registry persistence entries
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BricksUpdate = "C:\Users\...\bricks_enc.exe"
; Ransom notes placed in affected directories
C:\Users\[Username]\Documents\HOW_TO_DECRYPT.txt
C:\Users\[Username]\Desktop\README.html
; Encrypted files with modified extensions
C:\Users\[Username]\Documents\report.docx.bricks
C:\Users\[Username]\Pictures\photo.jpg.bricks

The encryption process itself uses strong cryptographic algorithms that make decryption without the proper keys virtually impossible. Each file is encrypted with a unique symmetric key, which is then encrypted with an asymmetric public key controlled by the attackers. The encrypted files receive a new extension and become completely inaccessible to normal applications. During this process, you may notice significant hard drive activity, elevated CPU usage, and temporary system slowdowns. Once encryption completes, ransom notes appear on the desktop and in every folder containing encrypted files, providing payment instructions and threatening permanent data loss if payment isn't made within a specified timeframe.

Manual Removal — Step by Step

01

Isolate the Infected System

Immediately disconnect from all networks by disabling Wi-Fi and unplugging ethernet cables. This prevents the ransomware from encrypting network shares or spreading to other computers. Do not reconnect until the infection is completely removed and verified clean. If the computer is part of a business network, notify your IT department before proceeding.

02

Boot Into Safe Mode with Networking

Restart the computer and repeatedly press F8 (or Shift+F8 on some systems) before Windows loads. Select "Safe Mode with Networking" from the boot options menu. On Windows 10/11, you may need to hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, then press 5 for Safe Mode with Networking. This loads Windows with minimal drivers and prevents most malware from executing automatically.

03

Identify and Terminate Malicious Processes

Press Ctrl+Shift+Esc to open Task Manager. Look for suspicious processes with random names, high CPU usage, or unfamiliar locations. Check the "Open File Location" option (right-click the process) to see where it's running from. Processes originating from %TEMP%, %LOCALAPPDATA% with GUID folder names, or unusual system folders are suspect. Note the process name and location before terminating it via "End Task."

04

Remove Persistence Mechanisms

Open Registry Editor (press Windows+R, type regedit, press Enter). Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for unfamiliar entries pointing to executables in suspicious locations and delete them. Also check Task Scheduler (type taskschd.msc in Run) for scheduled tasks with random names or suspicious actions and delete any related to the malware.

05

Delete the Malware Files

Navigate to the folder locations you identified in Step 3 (typically in %LOCALAPPDATA%, %APPDATA%, or %TEMP%). Delete the entire folder containing the ransomware executable. Also check your Desktop, Downloads folder, and recent email attachment locations for the original infection file. Empty the Recycle Bin when finished to ensure complete removal.

06

Run Comprehensive Malware Scans

Download and install Malwarebytes (free version is sufficient) if not already present. Run a full system scan and quarantine all detected threats. Follow up with a scan using Windows Defender or another reputable antivirus. Some ransomware variants install additional payloads or backdoors, so thorough scanning is essential even if you've removed the primary executable.

07

Clean Browser Settings

Some ransomware variants modify browser settings to display persistent ransom messages. In each installed browser (Chrome, Edge, Firefox), reset settings to defaults through the settings menu. Clear all browsing data including cookies, cache, and site data. Remove any unfamiliar extensions that may have been installed as part of the infection chain.

08

Check for Data Exfiltration Indicators

Some modern ransomware variants steal data before encrypting. Review any ransom notes carefully — if they threaten to publish your data, assume some information was compromised. Change passwords for all important accounts, especially email, banking, and business systems. Use a different, clean computer for password changes if possible, and enable two-factor authentication wherever available.

09

Reboot and Verify Removal

Restart the computer normally (not in Safe Mode) and observe its behavior carefully. Check Task Manager for any suspicious processes returning. Run another quick scan with your antivirus software. Verify that no new ransom notes appear and that the malware hasn't re-established itself. Monitor system behavior for at least 24 hours before considering the machine clean.

10

Address Encrypted Files

Unfortunately, removing the malware doesn't decrypt your files. Check resources like ID Ransomware or NoMoreRansom.org to identify your specific variant and see if free decryption tools exist. Restore files from clean backups if available. Never pay the ransom — payment doesn't guarantee decryption and funds criminal operations. If files are business-critical and no backup exists, professional data recovery services may offer options, though success isn't guaranteed.

Prevention

  1. Maintain offline backups using the 3-2-1 rule: three copies of data, on two different media types, with one stored offline. Ransomware cannot encrypt what it cannot reach. Regularly verify backups actually work by performing test restorations.
  2. Keep all software updated including Windows, browsers, Java, Adobe products, and all applications. Enable automatic updates where possible. Most ransomware exploits known vulnerabilities that patches have already addressed.
  3. Configure proper email security by enabling spam filters, blocking executable attachments at the email gateway, and training yourself and employees to recognize phishing attempts. Be especially wary of unexpected invoices, shipping notifications, or urgent requests requiring immediate action.
  4. Restrict user privileges by running with standard user accounts for daily work rather than administrator accounts. This limits malware's ability to make system-wide changes, delete shadow copies, or spread across networks.
  5. Secure Remote Desktop Protocol if you use RDP by requiring strong passwords, implementing account lockout policies, using VPNs for remote access instead of exposing RDP directly to the internet, and enabling Network Level Authentication.
  6. Deploy reputable endpoint protection with real-time scanning enabled and definitions automatically updated. While no antivirus catches everything, modern solutions with behavioral detection can stop many ransomware variants before encryption begins.
  7. Disable macros by default in Microsoft Office applications and only enable them for trusted documents from verified sources. Configure Office to require user approval before running macros, and never enable them in documents received via email from unknown senders.
  8. Implement network segmentation to prevent ransomware from spreading laterally. Critical systems and file servers should be isolated on separate network segments with restricted access, and shared drives should have appropriate permission controls limiting who can modify or delete files.
Our 90-Day Workmanship Warranty
When Computer Repair Roswell removes malware from your system, we stand behind our work. If the same infection returns within 90 days due to incomplete removal, we'll re-clean your computer at no additional charge. That's our commitment to getting it right the first time.

Bring It In

Ransomware removal requires thorough work to ensure complete elimination of all malware components, and dealing with encrypted files adds another layer of complexity. While the steps above outline the general process, many infections include rootkit components, multiple persistence mechanisms, or companion malware that manual removal might miss. If you're not completely comfortable working in Safe Mode, editing the registry, or identifying suspicious processes, professional assistance ensures the job gets done right without risking further damage.

Our shop on Houze Road in Roswell handles ransomware cases regularly, and we understand the urgency these infections create. We'll thoroughly clean your system, help you understand what happened, implement better defenses, and advise on file recovery options based on your specific situation. Call (770) 594-7444 or bring the infected computer in during business hours — we'll assess the situation and provide honest guidance on the best path forward, whether that's professional cleaning, recovery attempts, or restoration from backup.