What is Hc6 ransomware? And how does it implement its attack?
Hc6 ransomware is a vicious file-encrypting threat designed to make them unreadable to its victims. Its attacks were first discovered on November 8, 2017. It seems like this crypto-malware is an independent encryption ransomware project and is not part of a larger ransomware group just like Hidden Tear or EDA2. It aims to target computer networks and once a computer connected to a network is infected, hc6 ransomware continues to cause havoc in the network of computers further infecting more users in the process. After its successful infiltration, it begins to scan the entire drive of the computer looking for files to encrypt. According to security experts, it encrypts the following file extensions:
.001, .3fr, .3gp, .7z, .ARC, .DOT, .MYD, .MYI, .NEF, .PAQ, .SQLITE3, .SQLITEDB, .accdb, .aes, .ai, .apk, .arch00, .arw, .asc, .asf, .asm, .asp, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .biz, .bkf, .bkp, .blob, .bmp, .brd, .bsa, .cas, .cdr, .cer, .cfr, .cgm, .class, .cmd, .cpp, .cr2, .crt, .crw, .csr, .css, .csv, .d3dbsp, .das, .dazip, .db0, .dbf, .dbfv, .dch, .dcr, .der, .desc, .dif, .dip, .djv, .djvu, .dmp, .dng, .doc, .docb, .docm, .docx, .dotm, .dotx, .dwg, .dxg, .epk, .eps, .erf, .esm, .exe, .ff, .fla, .flv, .forge, .fos, .fpk, .frm, .fsh, .gdb, .gho, .gpg, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .hwp, .ibank, .ibd, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jar, .java, .jpeg, .jpg, .js, .kdb, .kdc, .key, .kf, .lay, .lay6, .layout, .lbf, .ldf, .litemod, .log, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .max, .mcgame, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mid, .mkv, .mlx, .mml, .mov, .mp3, .mpeg, .mpg, .mpqge, .mrwref, .ms11 (Security copy), .ncf, .nrw, .ntl, .ocx, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .otg, .ots, .ott, .p12, .p7b, .p7c, .pak, .pas, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkpass, .pl, .png, .ppam, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qcow2, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb
Take note that the extensions listed above are only a fraction of the files it encrypts as Hc6 ransomware encrypts dozens of file extensions in its wake. During the encryption, it encrypts the targeted files using a combination of AES 256 CBC and SHA 256 encryption algorithms. It then proceeds to mark each file using the .fucku extension. After that, it drops its ransom note in a file named recover_your_fies.txt which is full of grammatical errors. It reads:
“ALL YOUR FILES WERE incript.
ORDER, TO RESTORE THIS FILE, YOU MUST SEND AT THIS ADDRESS
FOR $ 2500 BTC FOR ALL NETWORK
[BTC WALLET] AFTER PAYMENT SENT EMAIL [email protected]
FOR INSTALLATION FOR DECRIPT
NOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK”
As usual, paying the ransom is not a solution. In fact security experts are strongly against this as there is no guarantee that the crooks will really give you the encryption key to recover your files and besides there is already a free decryptor available online which you can use if you happen to be one of the unlucky victims of Hc6 ransomware.
How does Hc6 ransomware spread its malicious payload?
Hc6 ransomware spreads its malicious payload by hacking into unsecure and poor remote desktop services. Once the crooks get a hold of a computer in a network, it will download and install the malicious payload for Hc6 ransomware to begin its attack.
Eliminate Hc6 ransomware by following the set of removal instructions provided below.
Step 1: Reboot your PC into Safe Mode with Networking.
Step 2: Tap Ctrl + Shift + Esc to open the Task Manger.
Step 3: Once you’ve opened the Task Manager, go to the Processes tab and look for Hc6’s process, Hc6.exe and end it by clicking on End Task or End Process.
Step 3: Close the Task Manager.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 4: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 5: Navigate to the following path:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\
- HKLM\SOFTWARE\Microsoft\Tracing\
Step 6: Delete the registry keys and sub-keys created by Hc6 ransomware.
Step 7: Close the Registry Editor.
Step 8: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 9: Look for Hc6 Ransomware and any suspicious program and then Uninstall it/them.
Step 10: Tap Win + E keys to launch File Explorer.
Step 11: Navigate to the following locations below and look for Hc6 ransomware’s malicious component such as recover_your_fies.txt and other suspicious files and remove all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 12: Close the File Explorer and empty your Recycle Bin.
You have to make sure that nothing is left behind and that the Hc6 ransomware infection is completely removed from your PC. To do so, use the following antivirus program – refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Boxwill show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
Register the program to protect your computer from future threats.