What is Hand of God ransomware? And how does it execute its attack on the infected computer?
Hand of God ransomware is a new ransomware infection, but rather than encrypting files it is designed to lock the infected computer’s screen. This screen-locking malware pretends to deliver a message from the FBI, and it is the latest malware to use the FBI’s name to extort money from its victims. During its attack it locks the screen with a full-screen notification that carries the FBI seal and an “FBI ANTI-PIRACY WARNING” banner. The rest of the lock-screen message is written in French:
“Sortie de Secours
V0TR3 M4CH1N3 35T M41NT3N4NT INN4CE55I813
ATTENTION You Have Been Hacked !!!
Cet Ordinateur et toutes ses données importantes ont été véroufllé
La Main de Dieu vous puni pour avoir escroqué des chercheurs d’emploi
en leurs promettant un emploi au Canada pour le poste de téléopérateur…
Toutes tentatives de désactivation ultérieures a ce programme échouerons
Vos fonctions systèmes ont été désactivées
Ce Programme est concu pour s‘auto-détruire dans 2 jours en entraînant la
Suppression complete de tous vos fichiers
Comment Désactiver Ce Virus
Vous devez payer le montant de 0.06 Bitcoin (ETC) = 555.29 Dollar (CAD)
à l‘adresse bitcoin suivante : 1Emhk1iJhcVTxPEWu4vqwPyUjXqz33So3F
Moyens de payement
Vous disposez de plusieurs moyens de payement qui consistent
a acheter ou a transferer des bitcoins à l‘adresse indiquée plus haut
Veuillez visiter le site suivant : https://cryptogains.fr/229-comment-acheter-des-bitcoins”
A rough translation of the screen message into English:
“YOUR MACHINE IS INACCESSIBLE
ATTENTION You Have Been Hacked !!!
This Computer and all its important data have been locked
The Hand of God punishes you for cheating job seekers
promising them a job in Canada for the teleoperator position …
Any subsequent disabling attempts to this program will fail
Your system functions have been disabled
This program is designed to self-destruct in 2 days by executing the
complete deletion of all your files
How to Disable This Virus
You must pay the amount of 0.06 Bitcoin (ETC) = 555.29 Dollar (CAD)
at the following bitcoin address: 1Emhk1iJhcVTxPEWu4vqwPyUjXqz33So3F
Means of payment
You have several means of payment which consist
of buying or transferring bitcoins to the address indicated above
Please visit the following site: https://cryptogains.fr/229-how-to-purchase-bitcoins”
Although Hand of God ransomware does not encrypt files at the moment, that does not mean it isn’t a dangerous threat, as it prevents you from accessing any of your files at all. Based on the payment instructions shown, the note demands $555 in Bitcoin. You don’t have to pay the ransom, however, because there are ways to unlock the PC: the lock screen can be bypassed with alternate startup methods such as Safe Mode or booting from a different device.
How does Hand of God ransomware spread its malicious payload?
Hand of God ransomware’s malicious payload may be presented to you as a useful program or a harmless file. The malicious program or file can be spread by a payload dropper that launches the Hand of God ransomware script. It may also be distributed through spam email campaigns, where the email is disguised as an important message from a well-known company or organization to trick users into opening it and downloading the attachment. That’s why you have to be careful when downloading any program or file, especially when it comes from an unknown or unreliable source.
Obliterate Hand of God ransomware by following the removal guide below as well as the advanced steps that follow.
Step 1: Tap the Ctrl + Alt + Delete keys to open the security screen, then expand the Shut down options next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: In the Troubleshoot menu that opens, click on Advanced options and then go to Startup Settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for Hand of God Ransomware or AngelFile.exe and then end its process.
Step 7: Exit the Task Manager and open the Programs and Features window of Control Panel by pressing the Windows key + R, typing in appwiz.cpl and then clicking OK or pressing Enter.
Step 8: Look for Hand of God Ransomware or AngelFile.exe and then uninstall it.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following location, look for Hand of God ransomware’s installer named AngelFile.exe and any other related files, and delete them all.
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough that you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there can have a major impact on your computer. To save yourself the trouble and time, you can simply use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 12: Tap Win + R to open Run, type regedit in the field and press Enter to pull up the Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by Hand of God ransomware.
Step 14: Delete the registry keys and sub-keys created by Hand of God ransomware.
Step 15: Close the Registry Editor and empty your Recycle Bin.
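As an added example that is not part of this guide, the following PowerShell script automates the process, Startup-folder and registry checks from steps 6, 10 and 13 for a locker that persists from the Startup folder. It stops the AngelFile.exe process, deletes the binary (or any shortcut pointing at it) from the per-user and all-users Startup folders, and reports, without deleting, any Run/RunOnce autorun values that reference the binary. The binary name comes from the guide; the assumption that the locker might also register itself in the Run/RunOnce keys is mine, since the guide does not list its registry paths. Save it as a .ps1 file and run it from an elevated PowerShell session in Safe Mode with Networking; add -WhatIf to see what it would change without touching anything.

```powershell
# Added example (not from the original guide): triage-and-cleanup helper for a
# screen locker that persists from the Startup folder. Assumes the locker
# binary is named AngelFile.exe (the name given in the guide) and that it may
# also have registered itself in the usual Run/RunOnce autorun keys (an
# assumption; the guide does not list its registry paths).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BinaryName = 'AngelFile.exe'
)

# 1. Terminate any running copy of the locker so its window cannot cover the desktop.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($BinaryName)
Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("$($_.Path) (PID $($_.Id))", 'Stop-Process')) {
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Remove the binary, and any shortcut that points at it, from the per-user
#    and all-users Startup folders, which Windows launches at every logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # %APPDATA%\...\Startup (this user)
    [Environment]::GetFolderPath('CommonStartup')   # %ProgramData%\...\Startup (all users)
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $isLocker = $_.Name -ieq $BinaryName
        if (-not $isLocker -and $_.Extension -ieq '.lnk') {
            # Resolve shortcuts: a .lnk whose target is the locker counts too.
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            $isLocker = ($target -and ([System.IO.Path]::GetFileName($target) -ieq $BinaryName))
        }
        if ($isLocker) {
            # Record a SHA-256 hash before deletion so the sample can be reported later.
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Write-Host "Startup entry: $($_.FullName) SHA256=$hash"
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item')) {
                Remove-Item -Path $_.FullName -Force
            }
        }
    }
}

# 3. Report autorun registry values that reference the binary. These are only
#    displayed, not deleted: review each one in regedit before removing it.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match [regex]::Escape($BinaryName)) {
            Write-Host "Autorun value: $key\$name = $value"
        }
    }
}
```

The script deliberately deletes only Startup-folder entries and leaves registry values to a manual review, because an autorun value that merely contains the string AngelFile.exe could in principle belong to something else; the printed key path and value name tell you exactly where to look in regedit.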
To make sure that Hand of God ransomware is completely removed and that nothing is left behind, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and then press the R key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must separate explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.