What is Hades Locker Ransomware?
You had better pray not to find Hades Locker Ransomware on your system because this malware threat can take most of your files hostage, which you may never see again. This ransomware can sneak onto your system without your knowledge and encrypt hundreds of file extensions in a matter of a minute or less. There is only one way for you to be able to recover your files if you pay the ransom fee. Another likely option is, of course, that you copy your backed up files back from a portable drive, if you have any. We do not usually recommend paying criminals because there is no guarantee that you will get anything for your money. Since we are talking about several hundreds of US dollars, you should think twice. Our malware specialists at anti-spyware-101.com say that there is no way to recover the encrypted files with a free tool because no such program exists yet. We suggest that you act ASAP and remove Hades Locker Ransomware from your Windows operating system.
Where does Hades Locker Ransomware come from?
Our specialists have discovered that this dangerous infection is actually a rebranded version of WildFire Ransomware. The latter threat got abandoned in late August when a team was able to seize control of the Command and Control servers (C&C), which granted them access to many of the victims’ decryption keys. This version however got much more secure and virtually impossible to hack. We have no solid information yet as to how this dangerous infection is spread; therefore, we can only assume that one or both of two most frequent ways.
First, it is quite likely that this threat is spread via spam e-mails. This is probably the most often used method to infect unsuspecting computer users with ransomware. Such a spam can be very tricky and convincing. This means that you may not even realize that this is a fake e-mail at first sight. And, that is enough for you to want to open it. However, once you see the content, you will most likely want to save the attached file and see it because usually it claims to be, for instance, a copy of an unsettled invoice or a flight booking with wrongly given credit card details. Most likely anyone would want to see this file, which can be a macro-enabled text file (.docm) or an image (.jpg or .bmp). However, downloading and running this attachment could cost you all your files because this attack is initiated this way. If you remove Hades Locker Ransomware after realizing its presence, you will not save your files from encryption.
Second, it is possible that these crooks will use Exploit Kits to drop this infection onto your machine. Since these kits take advantage of outdated software bugs related to your browsers and drivers (Flash and Java), obviously, it is imperative that you keep all these up-to-date to avoid such infections. You should know that simply loading malicious websites armored with Exploit Kits into your browsers can activate the malicious script hidden in the page and this can infect your system.
How does Hades Locker Ransomware work?
Our specialists found that this malware program, once activated, connects to “ip-api.com/xml,” which is a legitimate website for checking IP address and physical location information. After retrieving the necessary data, this infection sends the unique ID of the victim called "hwid", a tracking ID, the computer name, the user name, the location, and the IP address to one of the configured C&C servers, which will send the encryption key to the computer. This may take around 3 to 5 minutes, but after this ransomware is set up, it will only spend 30 to 60 seconds to finish encrypting the targets files with the AES algorithm. The encrypted files get a ".~HLN3WQG" extension. This infection also creates three ransom note files in every affected folder: "README_RECOVER_FILES_[victim_id].html," "README_RECOVER_FILES_[victim_id].png," and "README_RECOVER_FILES_[victim_id].txt."
At the end of the amok running, your desktop background is replaced to display the ransom note window. This note informs you about the attack and how you can get hold of the decryption password and the software. Obviously, you have to visit a website where you find information about how to pay. In this case, you are asked to transfer 1 BTC, which is around 600 USD. However, if you fail to do so within a week, this amount doubles. Unfortunately, we cannot say with 100% certainty that if you pay, you will be able to recover your files; on the contrary, in fact. Our experience indicates that criminals rarely send the password or a tool. Therefore, we suggest that, when you make up your mind, remove Hades Locker Ransomware.
How can I delete Hades Locker Ransomware?
In order for you to be able to manually remove Hades Locker Ransomware from your system, you need to locate the related files and delete them all. Please use our step-by-step instructions below if you feel up to this task. However, if you want to go for a more efficient way, we suggest that you use an up-to-date anti-malware program that will also safeguard your computer from future malware attacks. For best results, it is also essential that you keep all your programs and drivers updated. Should you need any assistance with the removal of Hades Locker Ransomware, please leave us a comment below.
Remove Hades Locker Ransomware from Windows
- Press Win+E.
- Locate the malicious file you downloaded and delete it.
- Locate the random-name executable file that could be in one of these locations:
"%APPDATA%\wow6232node\[random name].exe"
"%TEMP%\RarSFX0\[random name].exe" - Remove the point of execution located here:
Windows XP: "%ALLUSERSPROFILE%\Start Menu\Programs\Startup\[random name].exe"
Windows Vista and above: "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[random name].exe" - Find and bin all occurrences of the ransom note files.
- Empty your Recycle Bin.
- Press Win+R and type regedit. Press OK.
- Remove these registry keys:
HKCU\Software\WOW6232Node\hwid
HKCU\Software\WOW6232Node\status - Exit the editor.
- Restart your PC.
tested removal of Hades Locker Ransomware*
0 Comments.