What is H34rtBl33d ransomware? And how does it carry out its attack?
H34rtBl33d ransomware is a new file-encrypting threat discovered on March 30, 2018. According to researchers, this crypto-malware appears to be the work of a group of programmers that calls itself “D3g1d5.Cyber.Crew”. The group even had its own Facebook page, which was deleted not long ago, after AV companies began analyzing the H34rtBl33d ransomware.
H34rtBl33d ransomware begins its attack by dropping its malicious payload into the system. Because the threat's code is fairly complex, it can alter a large number of system settings before it starts encrypting its targeted files. In the first phase of the attack, H34rtBl33d ransomware downloads and creates additional malicious files and modifies the Windows Registry to achieve persistence, so that it runs on every system boot. After that, the encryption process begins; it mostly targets user-generated files such as images, videos, documents, audio files, databases and archives. Once encryption is done, H34rtBl33d ransomware appends the extension “.d3g1d5” to each encrypted file. It then delivers its ransom note, which urges victims to click an in-text link and visit a site chosen by the cyber crooks behind this crypto-malware. Here is the full text of the ransom note:
“Error! Your file could not be opened
Please Decrypt Your File Using H34rtBl33d Decrypter
–
Want Your Files Back? Click here
Find out here about H34rtBl33d Decrypter and how to return it click here
–
cheaper than wannacry!
H34rtBl33d very good ransomware in the world
–
Ransomware With Cheapest Ransom!
FACT! Ransomware that has infected your computer turned out RANSOMWARE WITH THE LOWEST CHOICE. Want your file back? Click here”
Once you are redirected to the suspicious website, “scorpionlocker.xyz”, its main page gives more information about the ransom demanded; it states:
“If You Need Your Data Back You Need To
Pay Us 0.1337 Bitcoins Hehehe
Contact: torbox3uiot6wchz.onion create a account here and email us
[email protected]
Your Data Is Safe When You Pay Us We Will Give You Key And You Can Unencrpyt Your Data
////////////////////////////// All Hope Is Gone \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
//////////////////////////////// [ Login ] \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
How does H34rtBl33d ransomware disseminate its malicious payload?
At the time of writing it is not yet clear how H34rtBl33d ransomware disseminates its malicious payload. Most likely it uses malicious spam email campaigns, as other ransomware infections do. These spam emails usually carry an infected attachment that downloads and installs the ransomware on the system, so be cautious about opening any kind of attachment no matter who the sender appears to be, as the crooks disguise their emails to look as if they were sent by a well-known group or company.
Use the removal instructions given below to eliminate H34rtBl33d ransomware.
Step 1: The first thing you need to do is to eliminate the process of H34rtBl33d ransomware by opening the Task Manager – simply tap the Ctrl + Shift + Esc keys on your keyboard.
Step 2: After that, click the Processes tab and look for any suspicious process that takes up a lot of system memory, then end every such process.
Step 3: Now that the malicious process is eliminated, close the Task Manager.
Step 4: Next, tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5: Under the list of installed programs, look for H34rtBl33d ransomware or anything similar and then uninstall it.
Step 6: Then close Control Panel and tap Win + E keys to launch File Explorer.
Step 7: Navigate to the locations listed below, look for the malicious components H34rtBl33d ransomware created or downloaded into the system, and delete all of them.
- %TEMP%
- %WINDIR%\System32\Tasks
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8: Close the File Explorer.
Before you go any further, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a major impact on your computer. To save yourself the trouble and time, you can simply use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 9: Tap Win + R to open Run, type regedit in the field and tap Enter to open the Windows Registry.
Step 10: Navigate to the following paths:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 11: Delete the registry keys and sub-keys created by H34rtBl33d ransomware.
Step 12: Close the Registry Editor and empty the Recycle Bin.
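The following PowerShell script is an added example, not code from the original article: a read-only triage pass over the locations named in Steps 7 and 10 that lists autorun entries, recently changed files in the drop folders, and every file carrying the “.d3g1d5” extension, so you can review them before deleting anything by hand. The seven-day window is an assumption.

```powershell
# Added example, not from the original article: a read-only triage script for
# Steps 7 and 10. It lists the autorun entries under the Run and RunOnce keys,
# files changed recently in the drop folders, and every file carrying the
# ".d3g1d5" extension the article attributes to H34rtBl33d. It deletes nothing;
# review the output, then remove entries by hand as the steps describe.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$dropFolders = @(
    $env:TEMP,
    "$env:WINDIR\System32\Tasks",
    "$env:APPDATA\Microsoft\Windows\Templates",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop"
)
$since = (Get-Date).AddDays(-7)   # assumed window; widen it if the infection is older

Write-Host '== Autorun entries (Step 10): each command line should point at a program you installed =='
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    # Get-ItemProperty adds its own PSPath/PSChildName/... fields; skip those.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize -Wrap | Out-Host

Write-Host "== Files changed since $since in the drop folders (Step 7) =="
$dropFolders | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since }
} | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize | Out-Host

Write-Host '== Encrypted files (.d3g1d5) under the user profile =='
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Filter '*.d3g1d5' -File -Recurse -Force -ErrorAction SilentlyContinue)
$encrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize | Out-Host
# The earliest modification time among the encrypted files approximates when encryption started.
$earliest = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Host ("{0} encrypted file(s) found; earliest modification: {1}" -f $encrypted.Count, $earliest)
```

Run it from an elevated PowerShell so the HKLM keys and the Tasks folder are readable; the encryption start time it reports is useful when judging which shadow copies are still worth trying.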
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature only works if H34rtBl33d ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods available, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; a new window will pop up, then go to the Previous Versions tab. It lists the file’s previous versions from before it was modified. After the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
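As an added example (not part of the original article), this PowerShell script checks, before you open the Previous Versions tab, whether a shadow copy that predates the encryption still exists for the volume holding an encrypted file. The path in $EncryptedFile is an assumed sample; it is read-only and needs an elevated prompt because Win32_ShadowCopy requires it.

```powershell
# Added example, not from the original article: before opening the Previous
# Versions tab, check whether a shadow copy that predates the encryption still
# exists for the volume holding an encrypted file. Read-only; run it from an
# elevated PowerShell (Win32_ShadowCopy requires it). $EncryptedFile is an
# assumed sample path; point it at one of your own encrypted files.
$EncryptedFile = "$env:USERPROFILE\Documents\report.docx.d3g1d5"

$item = Get-Item -LiteralPath $EncryptedFile -ErrorAction Stop
# Assumption: encryption rewrote the file, so its last write time is when it was encrypted.
$encryptedAt = $item.LastWriteTime
$driveLetter = $item.PSDrive.Name + ':'

# Win32_ShadowCopy names volumes as \\?\Volume{GUID}\; Win32_Volume maps those to drive letters.
$volumes = Get-CimInstance -ClassName Win32_Volume
$shadows = foreach ($sc in @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
    $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
    $drive = if ($vol -and $vol.DriveLetter) { $vol.DriveLetter } else { $sc.VolumeName }
    [PSCustomObject]@{
        Created = $sc.InstallDate
        Drive   = $drive
        Device  = $sc.DeviceObject
    }
}

if (-not $shadows) {
    Write-Host 'No shadow copies exist on this machine; Previous Versions will show nothing.'
    return
}
$shadows | Sort-Object Created | Format-Table -AutoSize | Out-Host

# Only a snapshot of the right volume taken before the encryption can hold the clean file.
$usable = @($shadows | Where-Object { $_.Drive -eq $driveLetter -and $_.Created -lt $encryptedAt })
if ($usable.Count -gt 0) {
    Write-Host ("{0} shadow copy(ies) of {1} predate the encryption of {2}; try Previous Versions on it." -f `
        $usable.Count, $driveLetter, $item.Name)
} else {
    Write-Host ("No shadow copy of {0} is older than {1}; Previous Versions cannot restore this file." -f `
        $driveLetter, $encryptedAt)
}
```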
Once you’ve completed the steps above, all that’s left is to make sure H34rtBl33d ransomware is fully removed, using a reliable program named [product-name].
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- In the Advanced Options menu, use the arrow keys to select Safe Mode with Networking, then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the Windows key and the R key.
- If done correctly, the Windows Run Box will show up.
- Type the URL address [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, the program will be downloaded. Wait for the download to finish, then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.