What is Skull HT ransomware? And how does it execute its attack?

Skull HT ransomware is another file-encrypting Trojan malware which first emerged on November 2, 2017. According to the researchers who first analyzed this ransomware, Skull HT’s malicious payload is delivered using a specially crafted corrupted PDF file which is actually an executable file. The fake PDF file is entitled “The Art of Amazon Carding.pdf.exe which is attached to spam emails.
Skull HT ransomware, as it name suggests is based on the open source platform called, HiddnTear. And it had gotten its name from the custom desktop background it applies on the infected computer which is an image of a forest with railroads and a green skill that stood out. Currently, this new ransomware is known to target English-speaking users. During its attack, it searches the entire computer drive looking for certain file extensions to target such as images, audio, video, documents, database and other user-generated files that may be of importance. Skull HT ransomware is known to use the AES 256 cipher in encrypting its targeted files. It also appends the .locked extension, i.e. image1.jpg becomes image1.jpg.locked. After that, the ransom notification is loaded as the new desktop background image as well as a text files named READ_ME.txt – both desktop background and the text file contains the following message:
“Your computer has been LOCKED
Your personal files have been encrypted.
Send Exactly 0.00156 BTC to Wallet ID 19GNGp9DSxEfWVeczhjvqvk4qVWv1fX45B
Then Email Us at [email protected] to Let Us know.
You will need to state Your wallet ID to confirm Payment, After that We will supply You with the Decryption Key And tool.
With love… Hidden Tear Project :’)”
There is no need for you to panic and pay the ransom as the files that are encrypted by Skull HT can be recovered using the Windows Previous Version feature which restores the files using their shadow volume copies. And besides that does not mean that if you pay the ransom, you get to have your files back in an instant – that’s where you’re wrong as these crooks are not exactly known to keep their promises. So it’s best if you try the alternative method of restoring your files rather than waste your money for nothing.
How does Skull HT ransomware spread its malicious payload?
As mentioned in the beginning of this post, Skull HT’s malicious script is contained in a fake PDF file as “The Art of Amazon Carding.pdf.exe”. This fake PDF file is distributed using malicious spam email campaign. Using a double extension to trick users into downloading and installing the file is not new so you better be careful in opening any kind of attachment especially if they’re from unknown senders. Cyber criminals often disguise their email message as something of urgency that convinces you to download and open the attachment. Once again, you have to beware of this as it is only a trick.
Follow the steps provided below to delete Skull HT ransomware from your computer.
Step 1: Open the Task Manger, to do so, tap Ctrl + Shift + Esc.
Step 2: After you’ve opened the Task Manager, go to the Processes tab and look for Skull HT ransomware’s malicious process and end its process by clicking on End Task or End Process.

Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Skull HT Ransomware or any suspicious program and then Uninstall it/them.

Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations below.

  • %TEMP%
  • %HOMEDRIVE%\user
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step 7: Look for Skull HT ransomware’s malicious components such as a folder named Rand123 which contains a file named local.exe. And then look for the malicious executable file named The Art of Amazon Carding.pdf.exe, a pictured entitled ransom.jpg, a text file named READ_ME.txt as well as other suspicious files and then delete all of them.
Step 8: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 10: Navigate to the following path:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Step 11: Delete the registry keys and sub-keys created by Skull HT ransomware.
Step 12: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Skull HT ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

To make sure that nothing is left behind and that the Skull HT ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

  1. Turn on your computer. If it’s already on, you have to reboot
  2. After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the SafeMode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Boxwill show up.
  2. Type in explorer

A single space must be in between explorer and http. Click OK.

  1. A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.

  1. Click OK to launch it.
  2. Run SpyRemover Pro and perform a full system scan.

  1. After all the infections are identified, click REMOVE ALL.

  1. Register the program to protect your computer from future threats.


logo main menu

Copyright © 2022, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only. Protection Status

Log in with your credentials

Forgot your details?