What is Hacked ransomware?
Hacked ransomware originated from the Jigsaw ransomware group. This ransomware first emerged way back in December 2016 where it came as a screen-locking ransomware that appends file extensions. This isn’t the first time that Jigsaw ransomware developers released a variant, in fact, they have released other versions such as CryptoHitman, Payransom and Payms ransomware infections to name a few.
How does this ransomware execute its attack?
Unluckily, Hacked ransomware developers have managed to wrap the malware, making it unnoticeable by disguising it in a Windows Update. Without a doubt the cyber crooks behind hacked ransomware did a smooth job in doing so as the screen really looks like the real one. But just like other ransomware infections, it also has minor flaws that indicate the origin of the malicious update. The entire process takes place in a new window and that the logo of Windows is missing as well.
This new variant was recently discovered by malware researchers which add the .hacked extension to its targeted files. During the encryption, it uses RSA 4096 encryption algorithm just like what it states on its ransom note and then appends the .add extension on each file. RSA 4096 is an asymmetric encryption algorithm which generates unique public (encryption) and private (decryption) keys that are stored in a remote server.
What makes this particular variant interesting is that it presents several ransom notes in different languages like English, Italian, Spanish and Turkish. The ransom note differs depending on the language, i.e. @readme_English.txt. Aside from that, the ransomware also creates another text file named How_to_decrypt_files.txt containing the following message:
“All of your files were protected by a strong encryption with RSA4096
What happened to my files ?
Decrypting of your files is only possible with the help of private key and decryp
How can i get my files back ?
the only way to restore your files So, there are two ways you can choose
1- wait for a miracle and get your price doubled
2- or restore your data easy way if you have really valuable data
you better not waste your time, because there is no other way to get your files, except make
a payment
What should i do next ? Buy decryption key
- Buy Bitcoin (https://blockchain.info)
- Send amount of 0.5 BTC to address: 131mixVnmnijg1DPJZrTTakX3qJLpb675
- Transaction will take about 15-30 minutes to confirm.
- When transaction is confirmed, send email to us at [email protected]
- Write subject of your mail with : HACKED
- Write content of your mail with : – Restore my files Bitcoin payment : (YOUR BITCOIN
TRANSACTION ID)”
The ransom demand message states that 0.5 Bitcoins which is currently amounting to $2260, is needed in exchange for the recovery of the encrypted files. As you can see, its ransom note provides detailed instructions on how to pay the amount. However, you are not encouraged to follow them and pay the ransom. Doing so would be plain stupidity and it’s like wasting $2260 for nothing. Why? These cyber criminals aren’t exactly known to keep their end of the bargain. So the best thing that you can do is to remove the ransomware first and then try out alternative ways to restore your files. You can do that by following the set of instructions below.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the Hacked Ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Look for Hacked ransomware or any malicious program and then Uninstall it.
Step 3: Hold down Windows + E keys simultaneously to open File Explorer.
Step 4: Go to the directories listed below and then look for the corrupted files such as its ransom notes, @readme_English.txt and How_to_decrypt_files.txt, as well as the jpg file named hacked.jpg created by the malware.
- %APPDATA%
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- %TEMP%.
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Hacked ransomware created. So if you are not familiar with the Windows Registry skip to Step 9 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 5.
Step 5: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.
Step 6: Navigate to the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 7: Delete any suspicious registry value.
Step 8: Close the Registry Editor.
Step 9: Empty the Recycle Bin.
Step 10: Try to recover your encrypted files.
Note: Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Hacked Ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Follow the continued advanced steps below to ensure the removal of the Hacked ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in Apollolocker http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between Apollolocker and http. Click OK.
- A dialog box will be displayed by Internet Apollolocker. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
- Click OK to launch the program.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.